OpenIDC/liboauth2

oauth2_json_decode_object error in 1.5.1

Closed this issue · 5 comments

I just tested 1.5.1 and it always fails for me with the error: oauth2_json_decode_object: json_loads failed: '[' or '{' expected near '<'. I'm doing nothing new as far as I'm aware (it fails regardless of the verify.iss setting):

OAuth2TokenVerify metadata https://{{ domain }}/.well-known/openid-configuration metadata.ssl_verify=false

...

<Location />
        AuthType oauth2
        Require valid-user
        OAuth2TargetPass remote_user_claim=preferred_username
</Location>

Generated a fresh token with KeyCloak. I modified the token a bit with jwt.io, but I can reproduce the problem with this token:


I would build and test for you, once you have a patch, but I'm not sure what the quickest way is to build for a specific platform (I'm running Ubuntu 22.04 locally, while our servers run 20.04). I could build on one of our test servers, if there is no other solution. Please let me know.

can you show more entries leading up to this?

There are no other errors/warnings, but will try with debugging enabled.

my best guess is that the metadata endpoint is returning HTML instead of JSON

Sorry, had some meetings in between. But it seems you're almost right, it's just not the metadata endpoint AFAIK:

[Thu Apr 20 16:54:54.540717 2023] [ssl:debug] [pid 247157:tid 140472240551680] ssl_engine_kernel.c(415): [client 127.0.0.1:49690] AH02034: Subsequent (No.3) HTTPS request received for child 23 (server my.site.tld:443)
[Thu Apr 20 16:54:54.540773 2023] [auth_openidc:debug] [pid 247157:tid 140472240551680] src/util.c(1443): [client 127.0.0.1:49690] oidc_util_request_matches_url: comparing "/auth/realms/int0.crunchrapps.com/broker/keycloak/login"=="/redirect"
[Thu Apr 20 16:54:54.540783 2023] [proxy:debug] [pid 247157:tid 140472240551680] mod_proxy.c(1254): [client 127.0.0.1:49690] AH01143: Running scheme http handler (attempt 0)
[Thu Apr 20 16:54:54.540788 2023] [proxy:debug] [pid 247157:tid 140472240551680] proxy_util.c(2341): AH00942: HTTP: has acquired connection for (localhost)
[Thu Apr 20 16:54:54.540792 2023] [proxy:debug] [pid 247157:tid 140472240551680] proxy_util.c(2395): [client 127.0.0.1:49690] AH00944: connecting http://localhost:8080/auth/realms/int0.crunchrapps.com/broker/keycloak/login?session_code=<code>&client_id=apache2&tab_id=<tabid> to localhost:8080
[Thu Apr 20 16:54:54.540797 2023] [proxy:debug] [pid 247157:tid 140472240551680] proxy_util.c(2604): [client 127.0.0.1:49690] AH00947: connected /auth/realms/int0.crunchrapps.com/broker/keycloak/login?session_code=<code>&client_id=apache2&tab_id=<tabid> to localhost:8080
[Thu Apr 20 16:54:54.549433 2023] [proxy:debug] [pid 247157:tid 140472240551680] proxy_util.c(2356): AH00943: http: has released connection for (localhost)
[Thu Apr 20 16:54:54.549556 2023] [ssl:debug] [pid 247157:tid 140472240551680] ssl_engine_io.c(1102): [client 127.0.0.1:49690] AH02001: Connection closed to child 23 with standard shutdown (server my.site.tld:443)
[Thu Apr 20 16:54:54.550465 2023] [oauth2:debug] [pid 247157:tid 140472265729792] src/http.c(1102): [client 127.0.0.1:49676] oauth2_http_call: HTTP response code=400
[Thu Apr 20 16:54:54.550801 2023] [oauth2:debug] [pid 247157:tid 140472265729792] src/http.c(1120): [client 127.0.0.1:49676] oauth2_http_call: leave [1]: <!DOCTYPE html>\n ............
[Thu Apr 20 16:54:54.550858 2023] [oauth2:debug] [pid 247157:tid 140472265729792] src/http.c(1142): [client 127.0.0.1:49676] oauth2_http_get: leave: 1
[Thu Apr 20 16:54:54.550868 2023] [oauth2:debug] [pid 247157:tid 140472265729792] src/jose.c(2125): [client 127.0.0.1:49676] oauth2_jose_resolve_from_uri: leave: <!DOCTYPE html>\n ...........
[Thu Apr 20 16:54:54.550913 2023] [oauth2:error] [pid 247157:tid 140472265729792] [client 127.0.0.1:49676] oauth2_json_decode_object: json_loads failed: '[' or '{' expected near '<'

Never mind, seems to be my fault. Indeed configured the wrong metadata endpoint by accident! 😅 There is still something else failing, but that seems to be on my side. Thanks for the help again and sorry to bother with a problem on my end.
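
An added example, not part of the thread and not liboauth2 code: a pre-flight check for the failure diagnosed above, where a URL that should return a JSON object answers with an HTTP 400 HTML page. The function name, the `idp.example` host and the sample responses are constructed for illustration.

```python
import json

def check_json_endpoint(status, content_type, body, required_keys=()):
    """Return a list of problems for a response that should carry a JSON object."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if "json" not in (content_type or "").lower():
        problems.append(f"Content-Type {content_type!r} is not JSON")
    text = body.lstrip()
    if text.startswith("<"):
        # Same condition the JSON parser reports as "'[' or '{' expected near '<'".
        problems.append("body starts with '<': HTML/XML page, not JSON")
        return problems
    try:
        doc = json.loads(text)
    except ValueError as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    if not isinstance(doc, dict):
        problems.append("top-level JSON value is not an object")
        return problems
    problems += [f"missing required key {k!r}" for k in required_keys if k not in doc]
    return problems

# Constructed sample responses (not captured from the reporter's server).
HTML_ERROR = (400, "text/html;charset=utf-8",
              "<!DOCTYPE html>\n<html><body>Bad Request</body></html>")
GOOD_METADATA = (200, "application/json", json.dumps({
    "issuer": "https://idp.example/realms/demo",
    "jwks_uri": "https://idp.example/realms/demo/certs",
}))
NO_JWKS_URI = (200, "application/json",
               json.dumps({"issuer": "https://idp.example/realms/demo"}))

METADATA_KEYS = ("issuer", "jwks_uri")  # two of the fields OpenID discovery requires

if __name__ == "__main__":
    samples = [("html error", HTML_ERROR), ("good", GOOD_METADATA),
               ("no jwks_uri", NO_JWKS_URI)]
    for name, resp in samples:
        result = check_json_endpoint(*resp, required_keys=METADATA_KEYS)
        print(name, "->", result or "ok")
```

Feeding it the status, Content-Type and body fetched from the configured metadata URL, and then from the `jwks_uri` that document names, shows which of the two is returning the HTML page.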