Oauth2 Authentication Issues Windows IIS

It should return something like this

So if you can’t reach this endpoint then the python script will never work.

I know @paul121 asked you earlier, but have you generated the keys and then clicked save?
/admin/config/people/simple_oauth

I’ve just tested again incase my memory was mistaken, but I can confirm that
OAuth2 does not require SSL.
The endpoint looks the same with http:// or https://

Screenshot 2022-10-03 193627

I have done this and both these files are also empty

Shouldn’t be empty, perhaps a folder permissions issue?
You need to click generate and then save at the bottom

The files should contain something like

-----BEGIN PRIVATE KEY-----

I wonder about the slashes in the path being in 2 different directions?
Don’t have any experience of Windows Web servers but it doesn’t look right, perhaps a relative path rather than a windows C:/ root path is needed there?

Has something else changed since this morning though?
You started out with a 403 error (Forbidden)
but now it's a 404 error (Not Found)

The only thing that has changed is the way I test it :wink: This morning I ran a python script and got the info from the log file.

I have changed the directory but the key files are still empty.

Seems to me like path and/or file/folder permissions issues, but I can’t offer any advice on how to resolve it for a Windows based server.

edit:
Actually looking back to your logs, it looks like 404’s all along.

Thank you for all the help, I will let you know if I find the problem. This is also my first Windows server. Linux is a lot easier :smile:

If so, then Why? :stuck_out_tongue_winking_eye:

I think before trying the python script again, seeing RSA keys in those files is a must; you also need to be able to navigate to the endpoint in a browser (if it says invalid client, that's normal as parameters aren’t passed).

But good luck with it.

Edit:
Just one more thing, does the generate keys button return any errors?

Just one more thing, does the generate keys button return any errors?

No errors; it creates the files but with no content.

Oh, I have a theory, but you probably need to wait for the devs to come back to this conversation, they are at a conference for the next few days so might not be as active as normal.

I wonder if this is Windows related? I know Windows is not the recommended platform for farmOS. I wonder if the script to generate the RSA keys has a dependency that is generally found in Linux but missing from Windows, or perhaps would just need some modification.

I’ll leave it to @mstenta or @paul121 to have a look.

Edit:

I wonder if you generated the keys manually and replaced the empty files? Possibly still missing something to create the endpoint then.

OK, I’m definitely leaving it here as I’ve probably already wandered too far down the wrong rabbit hole.

The only thing I see: keys are generated by PHP, so it's not really a Linux/Windows thing, but there seems to be a filesystem check which I suppose Windows may fail.

Perhaps this could be worth a read.

I’m seeing warnings about my private key file permissions. What should I do?

The upstream OAuth library checks the private key’s file permissions by default. This is suitable in certain server configurations, however in some modern environments (e.g., containerized workloads) where secrets are injected into the environment and owned by a user different from the web daemon’s run-as user, this is a false-positive. In these scenarios, you can use the Settings API to set the value passed to CryptKey::__construct() for checking the file permission:

In settings.php: $settings['simple_oauth.key_permissions_check'] = FALSE;

Also worth checking https://geosrv4/admin/reports/dblog for any errors if you have not already, especially immediately after trying to generate keys.

Chiming in quick… :wink:

no errors, create the files but no content.

Huh, that is strange. Worth noting that the “Generate keys” button is just a handy helper, but you can also generate the keys manually and put them into place. This command will do it (on Linux, not sure about Windows… but if you can do this on a Linux box and copy the files over that should work).

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key

(that is per the simple_oauth module README.md: README.md · 5.2.x · project / simple_oauth · GitLab)

IIS 10.0 Detailed Error - 404.0 - Not Found

The 404 you are showing is not coming from farmOS, it’s coming from IIS.

Do you have farmOS installed in a web subdirectory? If so, you need to be making your requests to /web/oauth/token not /oauth/token.

I wonder about the slashes in the path being in 2 different directions?

I would also recommend fixing this. I don’t know if it would cause an issue, but I wouldn’t be surprised.

So instead of:

C:\inetpub\wwwroot\Cer/public.key

It should be:

C:\inetpub\wwwroot\Cer\public.key

(and same for private key)

Good luck!

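
A pre-flight checker, added here as an example and not code from this thread or from farmOS itself, covering the points raised above: the key files must be non-empty PEM files at a path with consistent backslashes, the password-grant request goes to /web/oauth/token when farmOS lives in a web subdirectory, and a 404 page from IIS means the request never reached farmOS. The hostname geosrv4 comes from the thread; the usernames and the sample key content are constructed.

```python
import os
import re
import tempfile
from pathlib import PureWindowsPath
from urllib.parse import urlencode

# A simple_oauth key file must start with a PEM header like the one the thread shows.
PEM_HEADER = re.compile(rb"^-----BEGIN (RSA )?(PRIVATE|PUBLIC) KEY-----")

def normalize_key_path(path):
    """Turn a mixed-slash Windows path (C:\\inetpub\\Cer/public.key) into backslashes only."""
    return str(PureWindowsPath(path.replace("/", "\\")))

def check_key_file(path):
    """Problems a reader of this thread would look for: missing, empty, or not PEM."""
    if not os.path.isfile(path):
        return f"{path}: file not found"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.strip():
        return f"{path}: file is empty (generate keys, then click Save)"
    if not PEM_HEADER.match(data):
        return f"{path}: does not start with a PEM BEGIN ... KEY header"
    return "ok"

def token_request(base_url, subdir, username, password):
    """URL and form body for the farmOS password grant; subdir is '' or e.g. 'web'."""
    prefix = f"/{subdir.strip('/')}" if subdir else ""
    body = urlencode({"grant_type": "password", "username": username, "password": password,
                      "client_id": "farm", "scope": "farm_manager"})
    return base_url.rstrip("/") + prefix + "/oauth/token", body

def diagnose(status, body):
    """Map a token response to the cause discussed in the thread."""
    if status == 404 and "IIS" in body:
        return "404 served by IIS, not farmOS: check the web subdirectory in the path"
    if "invalid_client" in body:
        return "endpoint reachable: invalid_client is expected without parameters"
    if status == 200 and "access_token" in body:
        return "ok"
    return f"unexpected {status}: check /admin/reports/dblog"

def self_check():
    """Constructed sample files: one empty, one with a PEM header. Returns both findings."""
    with tempfile.TemporaryDirectory() as d:
        empty, good = os.path.join(d, "private.key"), os.path.join(d, "public.key")
        open(empty, "wb").close()
        with open(good, "wb") as fh:
            fh.write(b"-----BEGIN PUBLIC KEY-----\nMIIB...constructed...\n-----END PUBLIC KEY-----\n")
        return check_key_file(empty), check_key_file(good)
```

Run self_check() first; only once both key files report "ok" is it worth sending the request built by token_request() and feeding the status and body to diagnose().
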
Hi, thanks for the info, the private and public keys are now sorted. I installed OpenSSL for Windows and it creates the keys from farmOS.

I have a web subdirectory and have tried

curl -X POST -d "grant_type=password&username=XXXXXXX&password=XXXXXXXX&client_id=farm&scope=farm_manager" https://geosrv4/web/oauth/token

But I still get an error; here is the log entry

2022-10-05 10:56:19 fe80::cc04:a747:6c1e:936f%6 POST /web/oauth/token - 443 - fe80::cc04:a747:6c1e:936f%6 curl/7.83.1 - 405 0 1 8

When I browse to the web folder and oauth/token it is also empty

Good progress @silverlynxconsulting! Now it’s just the 403 you’re getting it seems… :thinking:

It looks like your curl command is correct (based on Authentication | farmOS)…

Go to https://geosrv4/web/admin/reports/dblog and see if there are any relevant errors in the log that offer more details. Sometimes this log will contain more information than what is sent back to the client.

Just to go back and check some other assumptions: when you navigate to https://geosrv4/web/admin/config/services/consumer you see a “Farm default” client with a client_id of farm, correct? Have you made any changes to the configuration of this client?

Hi, yes

I added a screenshot maybe you pick something up I have missed :wink:

Thank you

You don’t need to set the redirect for password authentication, but it shouldn’t stop it either.

Are you getting any page when you use your browser to view https://geosrv4/web/oauth/token now? It should return a client error message when no other parameters are passed.

And anything in the logs at https://geosrv4/web/admin/reports/dblog?

Yep, you are 100% correct
Screenshot 2022-10-05 155210

Thank you

It does look like the farm client has been edited… In a default installation the “Scopes” are empty. Can you paste a full screenshot of the client configuration so we can compare it to the default and see if anything else is different?

Also, the logs will probably be the most useful, if you can paste those:

https://geosrv4/web/admin/reports/dblog

My error when running the python import script

and when I run curl
C:\Users\Administrator\Desktop\farmOsScrips> curl -X POST -d "grant_type=password&username=Testuser&password=Geo@Greenhealth&client_id=farm&scope=farm_manager" https://geosrv4/web/oauth/token

The website encountered an unexpected error. Please try again later.

@silverlynxconsulting OK it sounds like a lot of this is coming down to the interaction between Windows and the OAuth2 libraries that farmOS uses. I’ve never tested these things on Windows myself, so this is the first time we’re thinking about it.

Two choices here: 1) continue down this path to figure out (and document) how to make this work on Windows, or 2) you switch over to Linux (or Docker in WSL on Windows).

Which is perhaps a question for you @silverlynxconsulting: how much do you want to help debug something vs how important is it to just “make it work”? :slight_smile:
