OAuth2 - Mattermost - InternalOAuthError: Failed to obtain access token

My version of HedgeDoc is: 1.10.0

Environment variables

CMD_OAUTH2_BASEURL=https://mattermost.my.domain
CMD_OAUTH2_USER_PROFILE_URL=https://mattermost.my.domain/api/v4/users/me
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=id
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=username
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_TOKEN_URL=https://mattermost.my.domain/oauth/access_token
CMD_OAUTH2_AUTHORIZATION_URL=https://mattermost.my.domain/oauth/authorize
CMD_OAUTH2_CLIENT_ID=i4xxxxxxxxxxxxxxxxxxxxxxxx
CMD_OAUTH2_CLIENT_SECRET=btyyyyyyyyyyyyyyyyyyyyyyyy

What I expected to happen
Logged in as the user from the OAuth flow.

What actually happened

  1. I’m logged in at my Mattermost instance.

  2. On my HedgeDoc instance I click “Sign in → Sign in via OAuth2”. Then the following happens in the browser.

    302 GET
    https://hedgedoc.my.domain/auth/oauth2

    302 GET
    https://mattermost.my.domain/oauth/authorize?response_type=code&redirect_uri=https://hedgedoc.my.domain/auth/oauth2/callback&state=o5v9AzPKGdHIHjGqaPiMRNEI&client_id=<valid-client-id>

    500 GET
    https://hedgedoc.my.domain/auth/oauth2/callback?code=rw6ah3bqrtrwif38xdkao1moxanr6654q3cbfsjysenytqqce3oe&state=o5v9AzPKGdHIHjGqaPiMRNEI

The logs say

InternalOAuthError: Failed to obtain access token
    at OAuth2Strategy._createOAuthError (/hedgedoc/node_modules/passport-oauth2/lib/strategy.js:423:17)
    at /hedgedoc/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /hedgedoc/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:196:18
    at passBackControl (/hedgedoc/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/hedgedoc/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:531:35)
    at endReadableNT (node:internal/streams/readable:1696:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
2025-01-12T22:22:53.932Z info:  162.158.94.158 - - [12/Jan/2025:22:22:53 +0000] "GET /auth/oauth2/callback?code=rw6ah3bqrtrwif38xdkao1moxanr6654q3cbfsjysenytqqce3oe&state=o5v9AzPKGdHIHjGqaPiMRNEI HTTP/1.0" 500 148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"

I already tried

  • I can curl the URLs from the HedgeDoc instance.
  • The certificates are valid, issued by Let's Encrypt via Certbot.
  • Both sites (Mattermost and HedgeDoc) are running as Docker containers with nginx as a reverse proxy.

Thanks in advance!

SOLVED!

It was a Cloudflare WAF rule that caused the problem, not HedgeDoc or Mattermost.

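The failing step above is the server-to-server code exchange, and passport-oauth2 reports it only as InternalOAuthError, so the token endpoint's real answer never reaches the log. The diagnostic below is an added example (not from the thread, HedgeDoc or Mattermost): it replays the same POST HedgeDoc makes to CMD_OAUTH2_TOKEN_URL and names what came back, distinguishing a token, an OAuth error object, and a Cloudflare block page. The cf-ray/cf-mitigated header checks are my assumption about how Cloudflare marks its responses, and the sample responses in the test are constructed.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

def build_token_request(token_url, client_id, client_secret, code, redirect_uri):
    """The same form POST passport-oauth2 sends to CMD_OAUTH2_TOKEN_URL for the ?code=."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the redirect_uri used in /oauth/authorize
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")

def classify_token_response(status, headers, body):
    """Name what the token endpoint really answered (the library hides this)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    if "application/json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return "malformed-json"
        if "access_token" in data:
            return "ok"
        # RFC 6749 error object, or Mattermost's own {id, message, status_code} shape
        return "oauth-error:" + str(data.get("error") or data.get("id"))
    # Non-JSON: something in front of Mattermost answered. Assumption: Cloudflare marks
    # its responses with cf-ray and its challenge pages with cf-mitigated.
    if "cf-mitigated" in hdrs or ("cf-ray" in hdrs and status in (403, 503)):
        return "blocked-by-cloudflare"
    return "unexpected-%s-%s" % (status, ctype.split(";")[0] or "no-content-type")

def diagnose(code, redirect_uri):
    """Run the exchange from the HedgeDoc host; the ?code= is single-use, so take
    it from a fresh callback URL each time."""
    req = build_token_request(os.environ["CMD_OAUTH2_TOKEN_URL"],
                              os.environ["CMD_OAUTH2_CLIENT_ID"],
                              os.environ["CMD_OAUTH2_CLIENT_SECRET"], code, redirect_uri)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, dict(resp.headers), resp.read().decode())
    except urllib.error.HTTPError as err:  # non-2xx replies still carry the telling body
        return classify_token_response(err.code, dict(err.headers), err.read().decode())
```

A WAF rule can pass interactive GETs and still block this POST, which is one reason a successful curl of the URLs proves little here; running `diagnose()` inside the HedgeDoc container shows the verdict directly.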