OAuth2 - Mattermost - InternalOAuthError: Failed to obtain access token

My version of HedgeDoc is: 1.10.0

Environment variables

CMD_OAUTH2_BASEURL=https://mattermost.my.domain
CMD_OAUTH2_USER_PROFILE_URL=https://mattermost.my.domain/api/v4/users/me
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=id
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=username
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_TOKEN_URL=https://mattermost.my.domain/oauth/access_token
CMD_OAUTH2_AUTHORIZATION_URL=https://mattermost.my.domain/oauth/authorize
CMD_OAUTH2_CLIENT_ID=i4xxxxxxxxxxxxxxxxxxxxxxxx
CMD_OAUTH2_CLIENT_SECRET=btyyyyyyyyyyyyyyyyyyyyyyyy

What I expected to happen
Logged in as the user from the OAuth-flow

What actually happened

  1. I’m logged in to my Mattermost instance.

  2. On my HedgeDoc instance I click “Sign in → Sign in via OAuth2”. Then the following happens in the browser.

    302 GET
    https://hedgedoc.my.domain/auth/oauth2

    302 GET
    https://mattermost.my.domain/oauth/authorize?response_type=code&redirect_uri=https://hedgedoc.my.domain/auth/oauth2/callback&state=o5v9AzPKGdHIHjGqaPiMRNEI&client_id=<valid-client-id>

    500 GET
    https://hedgedoc.my.domain/auth/oauth2/callback?code=rw6ah3bqrtrwif38xdkao1moxanr6654q3cbfsjysenytqqce3oe&state=o5v9AzPKGdHIHjGqaPiMRNEI

The logs say

InternalOAuthError: Failed to obtain access token
    at OAuth2Strategy._createOAuthError (/hedgedoc/node_modules/passport-oauth2/lib/strategy.js:423:17)
    at /hedgedoc/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /hedgedoc/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:196:18
    at passBackControl (/hedgedoc/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/hedgedoc/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:531:35)
    at endReadableNT (node:internal/streams/readable:1696:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
2025-01-12T22:22:53.932Z info:  162.158.94.158 - - [12/Jan/2025:22:22:53 +0000] "GET /auth/oauth2/callback?code=rw6ah3bqrtrwif38xdkao1moxanr6654q3cbfsjysenytqqce3oe&state=o5v9AzPKGdHIHjGqaPiMRNEI HTTP/1.0" 500 148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"

I already tried

  • I can curl the URLs from the HedgeDoc instance.
  • The certificates are valid (“Let’s Encrypt” via Certbot).
  • Both sites (Mattermost and HedgeDoc) are running as Docker containers with nginx as reverse proxy.

Thanks in advance!

SOLVED!

It was a Cloudflare WAF rule that caused the problem. Not Hedgedoc or Mattermost.

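The failing request in this thread is not the browser redirect but the server-to-server POST that HedgeDoc makes to CMD_OAUTH2_TOKEN_URL after the callback arrives: that POST carries no browser cookies or headers, so a WAF in front of the Mattermost hostname can block it while interactive browsing works fine. passport-oauth2 only reports a specific TokenError when the token endpoint answers with a JSON body containing an `error` member; an HTML block page or proxy error cannot be parsed and is surfaced as the generic `InternalOAuthError: Failed to obtain access token` seen in the log. The script below replays that token exchange from the HedgeDoc host and classifies the reply. It is an added diagnostic, not code from HedgeDoc, Mattermost or passport-oauth2; it reads the CMD_OAUTH2_* variables from the post, the callback URL comes from a variable of this script's own (OAUTH2_CALLBACK_URL, assumed), and the sample replies in SAMPLES are constructed, not captured from a real server.

```python
"""Replay HedgeDoc's OAuth2 token exchange and classify the reply.

Added diagnostic script; not part of HedgeDoc, Mattermost or passport-oauth2.
Assumptions: it reads the same CMD_OAUTH2_* variables the post lists, sends
the form-encoded authorization_code grant that the `oauth` package behind
passport-oauth2 sends, takes the callback URL from OAUTH2_CALLBACK_URL (this
script's own variable), and the bodies in SAMPLES are constructed examples.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, code, redirect_uri):
    """Return (url, headers, body) for the authorization_code grant.

    client_id and client_secret travel in the POST body, which is the
    default behaviour of the `oauth` package used by passport-oauth2.
    """
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return token_url, headers, urllib.parse.urlencode(fields).encode()


def classify_token_response(status, body):
    """Map a token-endpoint reply to what passport-oauth2 would raise.

    2xx JSON with access_token            -> "ok"
    non-2xx JSON with an "error" member   -> "oauth_error:<error>" (TokenError)
    anything else (HTML block page, proxy
    error, empty body)                    -> "failed_to_obtain_access_token:…"
                                             (InternalOAuthError, as in the post)
    """
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if 200 <= status <= 299:
        if isinstance(data, dict) and "access_token" in data:
            return "ok"
        return "failed_to_obtain_access_token:no_token_in_2xx"
    if isinstance(data, dict) and "error" in data:
        return "oauth_error:" + str(data["error"])
    lowered = text.lower()
    if "cloudflare" in lowered or "<html" in lowered:
        # Heuristic: an HTML body means something in front of the token
        # endpoint (WAF, proxy, challenge page) answered, not Mattermost.
        return "failed_to_obtain_access_token:blocked_upstream"
    return "failed_to_obtain_access_token:http_%d" % status


def live_exchange(code, env=None):
    """POST the grant for a real authorization code and classify the answer.

    Needs network access; run it inside the HedgeDoc container so it takes
    the same path (DNS, proxy, WAF) as HedgeDoc's own request.
    """
    env = os.environ if env is None else env
    url, headers, body = build_token_request(
        env["CMD_OAUTH2_TOKEN_URL"],
        env["CMD_OAUTH2_CLIENT_ID"],
        env["CMD_OAUTH2_CLIENT_SECRET"],
        code,
        env["OAUTH2_CALLBACK_URL"],  # assumed, e.g. https://hedgedoc.my.domain/auth/oauth2/callback
    )
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_token_response(err.code, err.read())


# Constructed sample replies, not captured from a real Mattermost or Cloudflare.
SAMPLES = {
    "good": (200, b'{"access_token":"xyz","token_type":"bearer","expires_in":3600}'),
    "used_code": (400, b'{"error":"invalid_grant","error_description":"code already used"}'),
    "waf_block": (403, b"<!DOCTYPE html><html><head><title>Attention Required! | Cloudflare"
                       b"</title></head><body>Sorry, you have been blocked</body></html>"),
    "proxy_error": (502, b"Bad Gateway"),
}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(live_exchange(sys.argv[1]))  # argument: the code= value from the failing callback URL
    else:
        for name, (status, body) in SAMPLES.items():
            print(name, "->", classify_token_response(status, body))
```

Run it with no argument to see how each constructed reply is classified; run it with the `code=` value copied from the failing callback URL (with the CMD_OAUTH2_* variables and OAUTH2_CALLBACK_URL exported) to exchange a real code. A `blocked_upstream` result points at the WAF or proxy between HedgeDoc and Mattermost, as in this thread; an `oauth_error:` result means the request reached Mattermost and the OAuth configuration (client id, secret, redirect URI or an already-consumed code) is what needs attention.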

Hi @ollejacobsen,

great you figured that out. I tried to reproduce some of the OAuth2 errors I have seen here in the forum and on GitHub, but wasn’t able to get the same errors. As our focus is currently on getting 2.0 ready for release, we haven’t had the time to dig further into the OAuth2 situation in the old codebase.

Regarding Cloudflare, we already have a warning about their “page compression” feature which breaks HedgeDoc, but I’ll add a note about the WAF there too.