Login-error "Parameter issuer is invalid: http://myserverurl/sphinx"

Smet_Filip · October 22, 2022, 11:04am

I have en Ubuntu-server 20.04 with Apache, https enabled.

I tried to implement the example from the Quickstart documentation of Sphinx.

Everything goes well, including the step "https://myserverurl/sphinx/oauth/authorize/?client_id=desktop&response_type=code&scope=openid&redirect_uri=http://127.0.0.1".

The problem arises when running thv VCL desktop application from the next step in the documentation.
Pressing the login-button instantly gives the following error:

"Parameter issuer is invalid: http://myserverurl/sphinx"

I'm really stuck here...

Smet_Filip · October 22, 2022, 4:27pm

Update:

I opened ports 8010 - 8020 in ubuntu with "ufw allow 8010:8020/tcp"
I also opened those ports on my router.

When i now run the desktop-app with the Authority-property of the SphinxLogin-component set to "http://myserverurl/sphinx" it still does not work.

When I change this property by replacing "myserverurl" to the internal ip-address of the server, it works perfectly.

What am I missing? What should I do?

wlandgraf · October 24, 2022, 10:56pm

Your Sphinx server must make sure that the token issuer is present and correct in the JWT generated by it.

The issuer is provided in the iss claim (ref 4.1.1: RFC 7519: JSON Web Token (JWT)).

TMS Sphinx tries to do that for you by default. It already includes the iss claim in JWT, and the value is the original URL the client requested, without the relative path segments.

Client-side, the issuer must be exactly the same as the authority. So, if you have configured your SphinxLogin1.Authority property to be http://myserverurl/sphinx, then the iss claim in JWT must be the same.

Something is mixing up here. While you can manually set an issuer value yourself in server, it usually should not be needed.

To clarify what's going on, can you please:

Provide the JSON result you get from the URL http://myserverurl/sphinx/.well-known/openid-configuration.
Provide the value of the Authority property you are setting in the TSphinxLogin component?
Provide the value of the BaseUrl property you are setting in the TSphinxServe component?
Are your Apache/network configuration that is out of Sphinx scope doing some kind of redirection (http/https, port, etc.)?

Uijlenhoet_Jacco · December 1, 2023, 10:15am

Hi Wagner,

I am having the same issue. I have an apache module with a sphinx server embedded. The Apache server redirects all http to https. The authorization endpoint is on: https//:/sphinx/auth, this is set on the Authority property in TSphinxLogin component. The baseurl value of the TSphinxServer component is https//:/sphinx/auth. So I think it has to do with the redirection of the http to https configuration in apache.

wlandgraf · December 1, 2023, 10:20am

Probably.
You have to make sure that Sphinx is aware of the correct URLs.
Either your redirect should set the proper forward headers (and then you use the forward middleware), or some other reviewing is need so that there isn't a mismatch between the URL your client invokes, the URL the server responds and the URL of the issuer in the JWT.

Uijlenhoet_Jacco · December 1, 2023, 1:25pm

I made a quick change to my server code to check: I added Args.Token.Claims.AddOrSet('iss', 'https://myserver/sphinx/auth'); to the OnConfigureToken event, but that doesn't solve the problem. Maybe I should search in the Apache configuration to solve this issue.