View Issue Details

ID: 0006128
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2025-06-23 07:21
Reporter: markus.grandpre
Assigned To: qhivert
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 5.12.1
Fixed in Version: 5.12.2
Summary: 0006128: AuthNZ attempt via xoauth2 results in violating not-null constraint
Description

When trying to have SOGo authenticate and authorize a user using
xoauth2, I find the following error in the SOGo server log:

 ERROR: null value in column "c_access_token_expires_in" of relation "sogo_openid" violates not-null constraint

However, when I look at the token I received from the identity provider,
I do see the "expires_in" field with the value 600:

 sogod[243522:243522] fetch token response: {"access_token" = "..."; "expires_in" = 600; "id_token" = "..."; scope = "openid profile email"; "token_type" = Bearer; }

You’ll find the full stack trace of the error below. Why is SOGo unable
to read the "expires_in" value and insert it into the "sogo_openid"
table in column "c_access_token_expires_in"?

Best regards
Markus Grandpré

Steps To Reproduce
  1. Stop sogo

systemctl stop sogo

/usr/sbin/sogo-tool expire-sessions 0

  2. Set AuthNZ mechanism to oauth2 in sogo.conf:

{
SOGoAuthenticationType = openid;
SOGoOpenIDDebugEnabled = "YES";
OCSOpenIdURL = "postgresql://<db_server>:5432/sogo/sogo_openid";
SOGoOpenIdConfigUrl = "https://<idp_server>/idp/profile/oidc/configuration";
SOGoOpenIdClient = "secret";
SOGoOpenIdClientSecret = "secret";
SOGoOpenIdScope = "openid profile email";
SOGoOpenIdEnableRefreshToken = YES;
SOGoOpenIdTokenCheckInterval = 30;
SOGoOpenIdLogoutEnabled = YES;
SOGoSMTPAuthenticationType = xoauth2;
NGImap4AuthMechanism = xoauth2;
SOGoXSRFValidationEnabled = NO;
...
}

Additional Information

2025-06-10 10:16:14.988 sogod[243522:243522] fetch token response:
{"access_token" = "..."; "expires_in" = 600; "id_token" = "...";
scope = "openid profile email"; "token_type" = Bearer; }
2025-06-10 10:16:14.988 sogod[243522:243522] OpenId perform request: GET
https://idp-test.uni-konstanz.de/idp/profile/oidc/userinfo
2025-06-10 10:16:14.988 sogod[243522:243522] OpenId perform request,
headers {authorization = "Bearer ...";
"content-type" = "application/x-www-form-urlencoded"; }
2025-06-10 10:16:15.490 sogod[243522:243522] OpenId fetch user info,
profile is {eduPersonEntitlement =
"urn:mace:dir:entitlement:common-lib-terms"; eduPersonPrincipalName =
"<user>@uni-konstanz.de"; eduPersonScopedAffiliation =
"member@uni-konstanz.de"; email = "<user>@uni-konstanz.de";
"family_name" = <Secondname>; "given_name" = <Firstname>; name = "<Firstname> <Secondname>";
"preferred_username" = <ID>; sub = fb4edd7f7b247986743bc47438553d50; }
Jun 10 10:16:15 sogod [243522]: [ERROR]
<0x0x56368057a7f0[GCSOpenIdFolder]> -[GCSOpenIdFolder
writeOpenIdSession:withOldSession:withRefreshToken:withExpire:withRefreshExpire:]:
cannot write record: <PostgreSQL72Exception: 0x5636807ad820>
NAME:PostgreSQL72FatalError REASON:fatal pgsql error
(channel=<0x0x5636806902b0[PostgreSQL72Channel]:
connection=<0x0x563680766ff0[PGConnection]:
connection=0x0x5636807671a0>>): ERROR: null value in column
"c_access_token_expires_in" of relation "sogo_openid" violates not-null
constraint
DETAIL: Failing row contains
(AAdzZWNyZXQxJEqfOc8hn6mtswfJVwPCPZ7aNkqWEZqzqZkGRMY_PpQoRZPsS2Pf..., ,
1749543375, null, null, null).

Tags: oidc, postgresql, xoauth2

Activities

qhivert

2025-06-10 10:22

administrator   ~0018244

Hello,

markus.grandpre

2025-06-10 10:28

reporter   ~0018245

openid server is a Shibboleth IDP v5.1.4 with

Plugin: net.shibboleth.oidc.common Current Version: 3.2.0
Plugin: net.shibboleth.idp.plugin.oidc.op Current Version: 4.2.1
Plugin: net.shibboleth.idp.plugin.oidc.config Current Version: 2.2.0

markus.grandpre

2025-06-10 11:00

reporter   ~0018246

Now I have gdb installed on our test system. Please guide me to set breakpoints at the appropriate locations.

qhivert

2025-06-10 11:12

administrator   ~0018247

Do you use the release 5.12.1 or the nightly after 5.12.1?

markus.grandpre

2025-06-10 11:55

reporter   ~0018248

It's the latest nightly: sogo v5.12.1.20250610-1

qhivert

2025-06-10 12:41

administrator   ~0018249

Ok, put a breakpoint here -> https://github.com/Alinto/sogo/blob/9954c3607bfda55424f5ac532a1075407235f345/SoObjects/SOGo/SOGoOpenIdSession.m#L5637

b SoObjects/SOGo/SOGoOpenIdSession.m:563

It is after sogo fetches the token. When here, check the value of the var expiresIn

p expiresIn
po expiresIn

You can also check the dictionary from the request response

po tokenRet 

Then put a breakpoint here -> https://github.com/Alinto/sogo/blob/9954c3607bfda55424f5ac532a1075407235f345/SOPE/GDLContentStore/GCSOpenIdFolder.m#L310

b SOPE/GDLContentStore/GCSOpenIdFolder.m:310

It is just before inserting in the database, check the value of expiration and the dictionary of columns/value

p nowExpire
po newRecord

markus.grandpre

2025-06-10 13:56

reporter   ~0018250

Starting program: /usr/sbin/sogod -WOUseWatchDog NO -WONoDetach YES -WOPort 127.0.0.1:20000 -WOWorkersCount 1 -WOLogFile - -WOPidFile /tmp/sogo.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: the debug information found in "/usr/lib/debug//usr/lib/libSBJson.so.2.3.1" does not match "/lib/libSBJson.so.2" (CRC mismatch).

Jun 10 15:52:05 sogod [10797]: version 5.12.1 (build @sogo-build.alinto.int 202506100544) -- starting
Jun 10 15:52:05 sogod [10797]: vmem size check enabled: shutting down app when vmem > 512 MB. Currently at 87 MB
Jun 10 15:52:05 sogod [10797]: <0x0x5555558bcdb0[SOGoProductLoader]> SOGo products loaded from '/usr/lib/GNUstep/SOGo':
Jun 10 15:52:05 sogod [10797]: <0x0x5555558bcdb0[SOGoProductLoader]>   PreferencesUI.SOGo, CommonUI.SOGo, Mailer.SOGo, MainUI.SOGo, Appointments.SOGo, MailPartViewers.SOGo, AdministrationUI.SOGo, ContactsUI.SOGo, Contacts.SOGo, SchedulerUI.SOGo, MailerUI.SOGo
Jun 10 15:52:06 sogod [10797]: All products loaded - current memory usage at 93 MB
Jun 10 15:52:06 sogod [10797]: |SOGo| WOHttpAdaptor listening on address 127.0.0.1:20000

^C
Program received signal SIGINT, Interrupt.
0x00007ffff6b5c9e3 in __GI___poll (fds=0x555555c0b3e0, nfds=2, timeout=timeout@entry=29906)
    at ../sysdeps/unix/sysv/linux/poll.c:29
29      ../sysdeps/unix/sysv/linux/poll.c: Datei oder Verzeichnis nicht gefunden.
(gdb) b SoObjects/SOGo/SOGoOpenIdSession.m:563
Breakpoint 1 at 0x7ffff7f241fe: file SOGoOpenIdSession.m, line 563.
(gdb) p expiresIn
No symbol "expiresIn" in current context.
(gdb) po expiresIn
No symbol "expiresIn" in current context.
(gdb) po tokenRet
No symbol "tokenRet" in current context.
(gdb) b SOPE/GDLContentStore/GCSOpenIdFolder.m:310
Breakpoint 2 at 0x7ffff7e1046b: file GCSOpenIdFolder.m, line 310.
(gdb) c
Continuing.

^C
Program received signal SIGINT, Interrupt.
0x00007ffff6b5c9e3 in __GI___poll (fds=0x555555c0b3e0, nfds=2, timeout=timeout@entry=25393)
    at ../sysdeps/unix/sysv/linux/poll.c:29
29      in ../sysdeps/unix/sysv/linux/poll.c
(gdb) p nowExpire
No symbol "nowExpire" in current context.
(gdb) po nowExpire
No symbol "nowExpire" in current context.

qhivert

2025-06-10 14:13

administrator   ~0018251

Ah sorry I haven't explained it properly.

First launch gdb with sogo with the correct IP and port (the value you put for WOPort in your sogo.conf or init.d/sogo.service)

/usr/sbin/sogod -WOUseWatchDog NO -WONoDetach YES -WOPort 127.0.0.1:20000 -WOWorkersCount 1 -WOLogFile - -WOPidFile /tmp/sogo.pid

If sogo directly runs, you may stop it first with ctrl-c

Then set your two breakpoints:

b SoObjects/SOGo/SOGoOpenIdSession.m:563
b SOPE/GDLContentStore/GCSOpenIdFolder.m:310

If gdb asks for a missing library, say yes/y.

Then run sogo, again say yes if gdb asks something

r

Then go to your browser and go to SOGo and do all the process to connect yourself. When you successfully login to your openid server, the breakpoints should stop the program.

Then here you can check the variables with p and po.

markus.grandpre

2025-06-10 15:05

reporter   ~0018252

Breakpoint 1:

...
Breakpoint 1, -[SOGoOpenIdSession fetchToken:redirect:] (self=0x555555dcddc0, 
    _cmd=0x7ffff2974620 <_OBJC_SELECTOR_TABLE+1632>, code=0x555555d2b220, oldLocation=0x555555dc0620)
    at SOGoOpenIdSession.m:563
563     SOGoOpenIdSession.m: Datei oder Verzeichnis nicht gefunden.
(gdb) p expiresIn
$1 = (NSNumber *) 0x5555559e0c30
(gdb) po expiresIn
600
(gdb) po tokenRet
{"access_token" = "..."; "expires_in" = 600; "id_token" = "..."; scope = "openid profile email"; "token_type" = Bearer; }
...

Breakpoint 2:

...
Breakpoint 2, -[GCSOpenIdFolder writeOpenIdSession:withOldSession:withRefreshToken:withExpire:withRefreshExpire:] (
    self=0x555555d24d30, _cmd=0x7ffff7fb3ac0 <_OBJC_SELECTOR_TABLE+1152>, _user_session=0x555555dd5ec0, 
    _old_session=0x7ffff7e2b860 <_OBJC_INSTANCE_13.6>, _refresh_token=0x0, _expire=0x5555559e0c30, _refresh_expire=0x0)
    at GCSOpenIdFolder.m:310
310     GCSOpenIdFolder.m: Datei oder Verzeichnis nicht gefunden.
(gdb) p nowExpire
$2 = 1749568412
(gdb) po nowExpire
Cannot access memory at address 0x68484b9c
(gdb) 
...

qhivert

2025-06-10 15:17

administrator   ~0018253

Beware the last one is

po newRecord

All I can see seems all right, the value 600 is correctly fetched and nowExpire is timestamp + 600.

newRecord is the value used for the sql query.
After the last breakpoint, type c to continue the process and see if the bug appears.

markus.grandpre

2025-06-11 07:00

reporter   ~0018254

Breakpoint 1, -[GCSOpenIdFolder writeOpenIdSession:withOldSession:withRefreshToken:withExpire:withRefreshExpire:] (self=0x555555d8d670, _cmd=0x7ffff7fb3ac0 <_OBJC_SELECTOR_TABLE+1152>, _user_session=0x555555c95910, 
    _old_session=0x7ffff7e2b860 <_OBJC_INSTANCE_13.6>, _refresh_token=0x0, _expire=0x555555c25ee0, 
    _refresh_expire=0x0) at GCSOpenIdFolder.m:310
310     GCSOpenIdFolder.m: Datei oder Verzeichnis nicht gefunden.
(gdb) po newRecord
{"c_old_session" = ""; "c_session_started" = 1749625130; "c_user_session" = "..."; }

qhivert

2025-06-11 08:31

administrator   ~0018257

Last edited: 2025-06-11 08:36

Ok, I've found the culprit and made a fix.
I've built the package in a custom repo before pushing into the nightly.

First remove sogo and change the repo url (assuming your test server is also debian jessie)
deb https://packages.sogo.nu/custom/openid_curl/debian/ jessie jessie

When fixing it I noticed you have
SOGoOpenIdEnableRefreshToken = YES;
but your openid server doesn't seem to handle it (it doesn't return any refresh token). It may be a simple configuration to do on your Shibboleth server and/or adding a scope in SOGoOpenIdScope.

markus.grandpre

2025-06-11 08:37

reporter   ~0018258

Thank you very much.

> I've built the package in a custom repo before pushing into the nightly.

So I will install the updated package tomorrow and will get back to you with the result.

> SOGoOpenIdEnableRefreshToken = YES;

I guess it would be more appropriate setting this option to NO and adding a SOGoOpenIdScope?

Best regards,
Markus

qhivert

2025-06-11 08:42

administrator   ~0018259

> So I will install the updated package tomorrow and will get back to you with the result.

Sorry, I meant I didn't push the fix into the main branch so it won't be in the nightly yet. Hence the custom repo so people can test it and check it. If you can change the repo and check it works correctly, it will help me a lot.

> I guess it would be more appropriate setting this option to NO and adding a SOGoOpenIdScope?

The refresh token is not mandatory and purely an openid server config.
For example, with keycloak the refresh token is there by default and there is no need to modify the scope.
With Authentik I need to configure authentik and add 'offline_access' to my scope.
No idea for Shibboleth.

If you're unsure about it, just set SOGoOpenIdEnableRefreshToken to NO.

markus.grandpre

2025-06-12 08:01

reporter   ~0018262

> First remove sogo and change the repo url (assuming your test server is also debian jessie)
> deb https://packages.sogo.nu/custom/openid_curl/debian/ jessie jessie

We are on Debian 11 (bullseye)

qhivert

2025-06-12 09:05

administrator   ~0018263

Hi,
I've built the packages for debian 11.
deb https://packages.sogo.nu/custom/openid_curl/debian/ bullseye bullseye

markus.grandpre

2025-06-12 12:30

reporter   ~0018266

After installing sogo and sogo-dbg v5.12.1.20250612-1 I did not encounter any postgresql errors in the log file. Database table "sogo_openid" has been successfully updated. Thank you very much.

Best regards,
Markus
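
The situation debugged in this thread, as an added example that is not SOGo code and not from either participant: a session row is built from a token response that has "expires_in" but no "refresh_token", and the row is checked against the NOT NULL columns before it would reach the INSERT. The function names, the default lifetime, the two refresh-token column names and the NOT NULL set beyond "c_access_token_expires_in" are assumptions; the token values are constructed.

```python
import time

# Columns the INSERT must always fill. Only c_access_token_expires_in is
# confirmed NOT NULL by the error in this thread; the rest is an assumption.
NOT_NULL_COLUMNS = (
    "c_user_session", "c_old_session", "c_session_started",
    "c_access_token_expires_in",
)

# Constructed token response with the same fields as the one in the thread:
# expires_in is present, refresh_token is not.
SAMPLE_RESPONSE = {
    "access_token": "constructed-access-token",
    "expires_in": 600,
    "id_token": "constructed-id-token",
    "scope": "openid profile email",
    "token_type": "Bearer",
}

# Shape of the newRecord dump in the thread: three keys, no expiry column.
OBSERVED_RECORD = {
    "c_user_session": "constructed-access-token",
    "c_old_session": "",
    "c_session_started": 1749625130,
}


def build_session_row(resp, old_session="", now=None, default_lifetime=300):
    """Build the session row; a missing refresh_token must not drop columns."""
    now = int(time.time()) if now is None else int(now)
    token = resp.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    # expires_in is relative seconds and only RECOMMENDED by RFC 6749, so
    # fall back to a short default (assumed value) instead of storing NULL.
    try:
        lifetime = int(resp.get("expires_in", default_lifetime))
    except (TypeError, ValueError):
        lifetime = default_lifetime
    if lifetime <= 0:
        lifetime = default_lifetime
    return {
        "c_user_session": token,
        "c_old_session": old_session,
        "c_session_started": now,
        "c_access_token_expires_in": now + lifetime,  # absolute Unix time
        # Hypothetical column names; both stay NULL without a refresh token.
        "c_refresh_token": resp.get("refresh_token"),
        "c_refresh_token_expires_in": None,
    }


def missing_not_null(row):
    """Return the NOT NULL columns that are absent or None in row."""
    return [c for c in NOT_NULL_COLUMNS if row.get(c) is None]
```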

Issue History

Date Modified Username Field Change
2025-06-10 10:15 markus.grandpre New Issue
2025-06-10 10:15 markus.grandpre Tag Attached: oidc
2025-06-10 10:15 markus.grandpre Tag Attached: postgresql
2025-06-10 10:15 markus.grandpre Tag Attached: xoauth2
2025-06-10 10:18 qhivert Assigned To => qhivert
2025-06-10 10:18 qhivert Status new => assigned
2025-06-10 10:22 qhivert Note Added: 0018244
2025-06-10 10:22 qhivert Status assigned => feedback
2025-06-10 10:28 markus.grandpre Note Added: 0018245
2025-06-10 10:28 markus.grandpre Status feedback => assigned
2025-06-10 11:00 markus.grandpre Note Added: 0018246
2025-06-10 11:12 qhivert Note Added: 0018247
2025-06-10 11:12 qhivert Status assigned => feedback
2025-06-10 11:55 markus.grandpre Note Added: 0018248
2025-06-10 11:55 markus.grandpre Status feedback => assigned
2025-06-10 12:41 qhivert Note Added: 0018249
2025-06-10 12:41 qhivert Status assigned => feedback
2025-06-10 13:56 markus.grandpre Note Added: 0018250
2025-06-10 13:56 markus.grandpre Status feedback => assigned
2025-06-10 14:13 qhivert Note Added: 0018251
2025-06-10 14:13 qhivert Status assigned => feedback
2025-06-10 15:05 markus.grandpre Note Added: 0018252
2025-06-10 15:05 markus.grandpre Status feedback => assigned
2025-06-10 15:17 qhivert Note Added: 0018253
2025-06-10 15:17 qhivert Status assigned => feedback
2025-06-11 07:00 markus.grandpre Note Added: 0018254
2025-06-11 07:00 markus.grandpre Status feedback => assigned
2025-06-11 08:31 qhivert Note Added: 0018257
2025-06-11 08:31 qhivert Status assigned => feedback
2025-06-11 08:36 qhivert Note Edited: 0018257
2025-06-11 08:37 markus.grandpre Note Added: 0018258
2025-06-11 08:37 markus.grandpre Status feedback => assigned
2025-06-11 08:42 qhivert Note Added: 0018259
2025-06-11 08:42 qhivert Status assigned => feedback
2025-06-12 08:01 markus.grandpre Note Added: 0018262
2025-06-12 08:01 markus.grandpre Status feedback => assigned
2025-06-12 09:05 qhivert Note Added: 0018263
2025-06-12 09:05 qhivert Status assigned => feedback
2025-06-12 12:30 markus.grandpre Note Added: 0018266
2025-06-12 12:30 markus.grandpre Status feedback => assigned
2025-06-23 07:21 qhivert Status assigned => resolved
2025-06-23 07:21 qhivert Resolution open => fixed
2025-06-23 07:21 qhivert Fixed in Version => 5.12.2