inventree
PUI login issue with OpenIDConnect
Please verify that this bug has NOT been raised before.
- [X] I checked and didn't find a similar issue
Describe the bug*
When using the PUI login form and logging in with a OpenIDConnect provider it gives an error. Using the regular login works.
OpenIDConnectAdapter.__init__() missing 1 required positional argument: 'provider_id'
Steps to Reproduce
You need to add an OpenIDConnect provider and try to login in with it on the PUI login page.
Expected behaviour
To get logged in without an error.
Deployment Method
- [X] Docker
- [ ] Package
- [ ] Bare metal
- [ ] Other - added info in Steps to Reproduce
Version Information
Version Information:
InvenTree-Version: 0.15.8 Django Version: 4.2.14 Commit Hash: aed43b0 Commit Date: 2024-08-08
Database: postgresql Debug-Mode: False Deployed using Docker: True Platform: Linux-6.1.21-v8+-aarch64-with Installer: DOC
Active plugins: [{'name': 'InvenTreeBarcode', 'slug': 'inventreebarcode', 'version': '2.0.0'}, {'name': 'InvenTreeCoreNotificationsPlugin', 'slug': 'inventreecorenotificationsplugin', 'version': '1.0.0'}, {'name': 'InvenTreeCurrencyExchange', 'slug': 'inventreecurrencyexchange', 'version': '1.0.0'}, {'name': 'InvenTreeLabel', 'slug': 'inventreelabel', 'version': '1.0.0'}, {'name': 'InvenTreeLabelMachine', 'slug': 'inventreelabelmachine', 'version': '1.0.0'}, {'name': 'InvenTreeLabelSheet', 'slug': 'inventreelabelsheet', 'version': '1.0.0'}, {'name': 'DigiKeyPlugin', 'slug': 'digikeyplugin', 'version': '1.0.0'}, {'name': 'LCSCPlugin', 'slug': 'lcscplugin', 'version': '1.0.0'}, {'name': 'MouserPlugin', 'slug': 'mouserplugin', 'version': '1.0.0'}, {'name': 'TMEPlugin', 'slug': 'tmeplugin', 'version': '1.0.0'}]
Please verify if you can reproduce this bug on the demo site.
- [ ] I can reproduce this bug on the demo site.
Relevant log output
Environment:
Request Method: GET
Request URL: http://.../api/auth/social/openid_connect/login/
Django Version: 4.2.14
Python Version: 3.11.9
Installed Applications:
['django.contrib.admin',
'build.apps.BuildConfig',
'common.apps.CommonConfig',
'company.apps.CompanyConfig',
'plugin.apps.PluginAppConfig',
'label.apps.LabelConfig',
'order.apps.OrderConfig',
'part.apps.PartConfig',
'report.apps.ReportConfig',
'stock.apps.StockConfig',
'users.apps.UsersConfig',
'machine.apps.MachineConfig',
'web',
'generic',
'InvenTree.apps.InvenTreeConfig',
'django.contrib.auth',
'django.contrib.contenttypes',
'user_sessions',
'whitenoise.runserver_nostatic',
'django.contrib.messages',
'django.contrib.staticfiles',
'maintenance_mode',
'django_filters',
'rest_framework',
'corsheaders',
'crispy_forms',
'import_export',
'django_cleanup.apps.CleanupConfig',
'mptt',
'markdownify',
'djmoney',
'djmoney.contrib.exchange',
'error_report',
'django_q',
'formtools',
'dbbackup',
'taggit',
'flags',
'allauth',
'allauth.account',
'allauth.socialaccount',
'django_otp',
'django_otp.plugins.otp_totp',
'django_otp.plugins.otp_static',
'allauth_2fa',
'dj_rest_auth',
'dj_rest_auth.registration',
'drf_spectacular',
'django_ical',
'allauth.socialaccount.providers.openid_connect']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
'x_forwarded_for.middleware.XForwardedForMiddleware',
'user_sessions.middleware.SessionMiddleware',
'django.middleware.locale.LocaleMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'corsheaders.middleware.CorsMiddleware',
'whitenoise.middleware.WhiteNoiseMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'InvenTree.middleware.InvenTreeRemoteUserMiddleware',
'django_otp.middleware.OTPMiddleware',
'InvenTree.middleware.CustomAllauthTwoFactorMiddleware',
'allauth.account.middleware.AccountMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'InvenTree.middleware.AuthRequiredMiddleware',
'InvenTree.middleware.Check2FAMiddleware',
'maintenance_mode.middleware.MaintenanceModeMiddleware',
'InvenTree.middleware.InvenTreeExceptionProcessor']
Traceback (most recent call last):
File "/root/.local/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/lib/python3.11/site-packages/allauth/socialaccount/providers/oauth2/views.py", line 83, in view
self.adapter = adapter(request)
^^^^^^^^^^^^^^^^
Exception Type: TypeError at /api/auth/social/openid_connect/login/
Exception Value: OpenIDConnectAdapter.__init__() missing 1 required positional argument: 'provider_id'
Note: This seems to apply to all methods that use the API to do a SSO login call with a OIDC provider. There seems to be no coverage on API logins. Would probably be fixed by https://github.com/inventree/InvenTree/pull/6293
I'm using authentik, this is the specific provider within authentik I'm using https://docs.goauthentik.io/docs/providers/oauth2/
When I click the SSO login button it redirects me to https://.../platform/null with a 404 page.
I haven't changed anything regarding the SSO login.
When clearing the session the following is returned by https://.../api/auth/providers/
{"sso_enabled":true,"sso_registration":true,"mfa_required":false,"mfa_enabled":true,"providers":[{"id":"openid_connect","name":"OpenID Connect","configured":true,"login":null,"connect":null,"display_name":"Internal"}],"registration_enabled":false,"password_forgotten_enabled":true}
Version Information:
InvenTree-Version: 0.16.8 Django Version: 4.2.15 Commit Hash: f23d405 Commit Date: 2024-11-07
Database: postgresql Debug-Mode: False Deployed using Docker: True Platform: Linux-6.1.21-v8+-aarch64-with Installer: DOC
Active plugins: [{'name': 'InvenTreeBarcode', 'slug': 'inventreebarcode', 'version': '2.1.0'}, {'name': 'InvenTreeCoreNotificationsPlugin', 'slug': 'inventreecorenotificationsplugin', 'version': '1.0.0'}, {'name': 'InvenTreeCurrencyExchange', 'slug': 'inventreecurrencyexchange', 'version': '1.0.0'}, {'name': 'InvenTreeLabel', 'slug': 'inventreelabel', 'version': '1.1.0'}, {'name': 'InvenTreeLabelMachine', 'slug': 'inventreelabelmachine', 'version': '1.0.0'}, {'name': 'InvenTreeLabelSheet', 'slug': 'inventreelabelsheet', 'version': '1.0.0'}, {'name': 'DigiKeyPlugin', 'slug': 'digikeyplugin', 'version': '1.0.0'}, {'name': 'LCSCPlugin', 'slug': 'lcscplugin', 'version': '1.0.0'}, {'name': 'MouserPlugin', 'slug': 'mouserplugin', 'version': '1.0.0'}, {'name': 'TMEPlugin', 'slug': 'tmeplugin', 'version': '1.0.0'}]
@GoryMoon can you provide how you configure it? Please make sure to not include full tokens but the settings you used
It would also be interesting if you are using the opened or openid_connect provider
To note, my current config works in the old UI but not in PUI.
In the config file I have this:
social_backends:
- 'allauth.socialaccount.providers.openid_connect'
Admin interface config (I added the key to test but didn't change anything):
@GoryMoon where are you seeing the error exactly when you try to login via PUI?
The log that I attached was from the error page in the Admin interface. At the moment I can't get that error again because of the error above sending me to a 404 page.
Yes, SSO login works with the "classic" interface.
This is the redirects that happens when I click the SSO button in the "classic" interface it it's of any interest. (I made sure to remove all sensitive parts)
The auth. subdomain contains my authentik installation and inventree. is my inventree installation. Both run on the same server as docker containers.
| Status Code | URL | IP | Page Type | Redirect Type | Redirect URL |
|---|---|---|---|---|---|
| 302 | https://inventree.example.com/accounts/x2/login/?process=login&next=%2F | 10.0.0.2 | server_redirect | temporary | https://auth.example.com/application/o/authorize/?client_id=dummy_client_id&redirect_uri=http%3A%2F%2Finventree.example.com%2Faccounts%2Fx2%2Flogin%2Fcallback%2F&scope=profile+email+openid&response_type=code&state=dummy_state |
| 302 | https://auth.example.com/application/o/authorize/?client_id=dummy_client_id&redirect_uri=http%3A%2F%2Finventree.example.com%2Faccounts%2Fx2%2Flogin%2Fcallback%2F&scope=profile+email+openid&response_type=code&state=dummy_state | 10.0.0.2 | server_redirect | temporary | https://auth.example.com/if/flow/default-provider-authorization-implicit-consent/?client_id=dummy_client_id&redirect_uri=http%3A%2F%2Finventree.example.com%2Faccounts%2Fx2%2Flogin%2Fcallback%2F&scope=profile+email+openid&response_type=code&state=dummy_state |
| 200 | https://auth.example.com/if/flow/default-provider-authorization-implicit-consent/?client_id=dummy_client_id&redirect_uri=http%3A%2F%2Finventree.example.com%2Faccounts%2Fx2%2Flogin%2Fcallback%2F&scope=profile+email+openid&response_type=code&state=dummy_state | 10.0.0.2 | normal | none | none |
| 301 | http://inventree.example.com/accounts/x2/login/callback/?code=dummy_code&state=dummy_state | 10.0.0.2 | server_redirect | permanent | https://inventree.example.com/accounts/x2/login/callback/?code=dummy_code&state=dummy_state |
| 302 | https://inventree.example.com/accounts/x2/login/callback/?code=dummy_code&state=dummy_state | 10.0.0.2 | server_redirect | temporary | https://inventree.example.com/ |
| 302 | https://inventree.example.com/ | 10.0.0.2 | server_redirect | temporary | https://inventree.example.com/index/ |
In the PUI interface it sends me directly from https://inventree.example.com/platform/login to https://inventree.example.com/platform/null
In the PUI interface it sends me directly from https://inventree.example.com/platform/login to https://inventree.example.com/platform/null
Do you mean immediately as you click the "login with SSO" button? Does it 302 you to /platform/null/? Any further log traces?
Can you share (please redact any sensitive information) what you get at this API endpoint:
https://inventree.example.com/api/auth/providers/
In particular what is the the list of providers: []
Does your provider "x2" exist here - and does it provide a "login" attribute?
If the "login" attribute is null - that will not get caught properly by the frontend (currently). It could creep in from here:
@SchrodingersGat I already have a fix locally for OIDC but it breaks Entra ID auth, I should get it working this week
@matmair we should make sure that the frontend correctly handles the case where the "login" attribute is not provided. Will your fix include that or should I submit it separately?
Can you share (please redact any sensitive information) what you get at this API endpoint:
https://inventree.example.com/api/auth/providers/
I shared that above at https://github.com/inventree/InvenTree/issues/7972#issuecomment-2470566304 but here it is again:
{
"sso_enabled": true,
"sso_registration": true,
"mfa_required": false,
"mfa_enabled": true,
"providers": [
{
"id": "openid_connect",
"name": "OpenID Connect",
"configured": true,
"login": null,
"connect": null,
"display_name": "X2 Internal"
}
],
"registration_enabled": false,
"password_forgotten_enabled": true
}
Do you mean immediately as you click the "login with SSO" button? Does it 302 you to /platform/null/? Any further log traces? It's the path that I'm redirected to once I click the button.
Looking in the "Network" tab when clicking the SSO button it first does a PUT to api/web/ui_preference/ with 200.
Then it does a GET when navigating to /platform/null where it displays the 404 message.
In the server logs it's just the above mentioned calls before the assets are loaded.
10.0.0.10 - - [19/Nov/2024:14:11:32 +0100] "PUT /api/web/ui_preference/ HTTP/1.0" 200 54 "https://inventree.example.com/platform/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
10.0.0.10 - - [19/Nov/2024:14:11:32 +0100] "GET /platform/null HTTP/1.0" 200 639 "https://inventree.example.com/platform/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"
I don't have any OpenTelemetry tracing setup at the moment.
@GoryMoon thanks, and sorry that I missed that you had already shared that information.
@matmair if the SSO config works correctly for CUI, any idea why it is reporting a "null" value for the login and connect attributes via the API?
@GoryMoon I have a solution in https://github.com/inventree/InvenTree/pull/8527 that might be interesting; I do not recommend switching production to it as it is in the not-released 0.17.x release series