Logout Error, Access token ID was not provided

MarcRomero · July 8, 2020, 10:03am

Hello,
I’m currently testing stack v3.8.4 on a local computer. I managed to connect a gateway and device. But since the beginning I’m facing an issue with the logout process. When I logout shows a forbbiden 403 error.
token-error

This are my docker-compose-yml and ttn-lw-stack.yml, hope it helps:

version: '3.7'
services:

  cockroach:
    image: cockroachdb/cockroach:latest
    command: start --http-port 26256 --insecure
    restart: unless-stopped
    container_name: cockroach
    volumes:
      - ./data/cockroach:/cockroach/cockroach-data
    ports:
      - "127.0.0.1:26257:26257" # Cockroach
      - "127.0.0.1:26256:26256" # WebUI

  redis:
    image: redis:latest
    command: redis-server --appendonly yes
    restart: unless-stopped
    container_name: redis
    volumes:
      - ./data/redis:/data
    ports:
      - "127.0.0.1:6379:6379"

  stack:
    image: thethingsnetwork/lorawan-stack:latest
    entrypoint: ttn-lw-stack -c /config/ttn-lw-stack.yml
    command: start
    restart: unless-stopped
    container_name: stack
    depends_on:
      - redis
      - cockroach
    volumes:
      - ./blob:/srv/ttn-lorawan/public/blob
      - ./config/stack:/config:ro
      # If using Let's Encrypt:
      - ./acme:/var/lib/acme
    
    ports:
      # If deploying on a public server:
      #- "80:1885"
      #- "443:8885"
      - "1881:1881"
      - "8881:8881"
      - "1882:1882"
      - "8882:8882"
      - "1883:1883"
      - "8883:8883"
      - "1884:1884"
      - "8884:8884"
      - "1885:1885"
      - "8885:8885"
      - "1887:1887"
      - "8887:8887"
      - "1700:1700/udp"
    environment:
      TTN_LW_BLOB_LOCAL_DIRECTORY: /srv/ttn-lorawan/public/blob
      TTN_LW_REDIS_ADDRESS: redis:6379
      TTN_LW_IS_DATABASE_URI: postgres://root@cockroach:26257/ttn_lorawan?sslmode=disable

    # If using (self) signed certificates:
    #secrets:
    #  - cert.pem
    #  - key.pem

# If using (self) signed certificates:
#secrets:
#  cert.pem:
#    file: ./cert.pem
#  key.pem:
#    file: ./key.pem

log:
  level: "debug"

# Redis configuration
redis:
  address: 'redis:6379'

# Identity Server configuration
is:

  # If using CockroachDB
  database-uri: 'postgres://root@cockroach:26257/ttn_lorawan?sslmode=disable'

  # Email configuration for "thethings.example.com"
  email:
    sender-name: 'The Things Stack'
    sender-address: 'noreply@192.168.124.9:1885'
    network:
      name: 'The Things Stack'
      console-url: 'http://192.168.124.9:1885/console'
      identity-server-url: 'http://192.168.124.9:1885/oauth'

  # Web UI configuration for "thethings.example.com":
  oauth:
    ui:
      canonical-url: 'http://192.168.124.9:1885/oauth'
      is:
        base-url: 'http://192.168.124.9:1885/api/v3'

# HTTP server configuration
http:
  cookie:
    # generate 32 bytes (openssl rand -hex 32)
    block-key: '423aa334b3c6ef6ffbc802fdcd9cdd6a1eff1258ee03576630f04738b37f4373'
    # generate 64 bytes (openssl rand -hex 64)
    hash-key: '949f699b8c18b40a06a001d4e0c5710cbe726f587bc5e192bc850fd25d23e27405d92095366b7026db8da524ccad259ebd253e7638eb8f28fcee002b84db4fc9'
  metrics:
    password: 'metrics'               # choose a password
  pprof:
    password: 'pprof'                 # choose a password

# If using (self) signed certificates:
#  tls:
#    source: file
#    root-ca: ./cert.pem
#    certificate: ./cert.pem
#    key: ./key.pem

# Let's encrypt for "thethings.example.com"
tls:
  source: 'acme'
  acme:
    dir: '/var/lib/acme'
    email: 'you@thethings.example.com'
    hosts: ['thethings.example.com']
    default-host: 'thethings.example.com'

# If Gateway Server enabled, defaults for "thethings.example.com":
gs:
  mqtt:
    public-address: '192.168.124.9:1882'
    public-tls-address: '192.168.124.9:8882'
  mqtt-v2:
    public-address: '192.168.124.9:1881'
    public-tls-address: '192.168.124.9:8881'

# If Gateway Configuration Server enabled, defaults for "thethings.example.com":
gcs:
  basic-station:
    default:
      lns-uri: 'wss://192.168.124.9:8887'
  the-things-gateway:
    default:
      mqtt-server: 'mqtts://192.168.124.9:8881'

# Web UI configuration for "thethings.example.com":
console:
  ui:
    canonical-url: 'http://192.168.124.9:1885/console'
    is:
      base-url: 'http://192.168.124.9:1885/api/v3'
    gs:
      base-url: 'http://192.168.124.9:1885/api/v3'
    ns:
      base-url: 'http://192.168.124.9:1885/api/v3'
    as:
      base-url: 'http://192.168.124.9:1885/api/v3'
    js:
      base-url: 'http://192.168.124.9:1885/api/v3'
    qrg:
      base-url: 'http://192.168.124.9:1885/api/v3'
    edtc:
      base-url: 'http://192.168.124.9:1885/api/v3'

  oauth:
    authorize-url: 'http://192.168.124.9:1885/oauth/authorize'
    logout-url: 'http://192.168.124.9:1885/oauth/logout'
    token-url: 'http://192.168.124.9:1885/oauth/token'
    client-id: 'console'
    client-secret: 'SM2CE7335KDAIILCA76KETRHDQTTDAQTDJHBSL6RCOX3WFZFDZ4Q'          # choose or generate a secret

I saw some similar errors on this forum but were at login page with a diferrent message error and were about certificates. So I decide to post my problem. For now I’m working with Automatic Certificate (ACME).

I’m looking for tips to see where is the problem. I find strange I can login but can’t logout.

Thanks,

kschiffer · July 10, 2020, 8:09am

Hello Marc,

That’s an odd issue. Can you verify that in the logout URL (the bit you blurred out in your image) there is a access_token_id query parameter present? And if yes, that it is also not empty?

In case you updated the stack from a previous version, did you run the database migrations?

Regards,
Kevin

MarcRomero · July 10, 2020, 8:33am

Hello,

I just saw what the problem was. When I initialized the docker I did not define the following attributes:

  --logout-redirect-uri "https://thethings.example.com/console" \
  --logout-redirect-uri "/console" \

Once I ran the command the problem was fixed:

$ docker-compose run --rm stack is-db create-oauth-client \
  --id console \
  --name "Console" \
  --owner admin \
  --secret the secret you generated before \
  --redirect-uri "https://thethings.example.com/console/oauth/callback" \
  --redirect-uri "/console/oauth/callback" \
  --logout-redirect-uri "https://thethings.example.com/console" \
  --logout-redirect-uri "/console" \

I think when I set up the docker I followed an outdated guide.

Thanks for the reply,

system · August 7, 2020, 10:03am

This topic was automatically closed after 30 days. New replies are no longer allowed.