JSON::JWS::UnexpectedAlgorithm (no implicit conversion of OpenSSL::PKey::RSA into String)
I've upgraded my Gitlab instance (docker Omnibus) to 13.12, and when I try to log in using OpenID, I get this error at the callback stage.
The following error is from /var/log/gitlab/gitlab-rails/production.log
Started GET "/users/auth/openid_connect/callback?state=287351e23ed36e0cfd4a77d43d035503&code=[FILTERED]" for 172.17.0.1 at 2021-05-25 13:57:41 +0000
JSON::JWS::UnexpectedAlgorithm (no implicit conversion of OpenSSL::PKey::RSA into String):
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/transaction.rb:56:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/multipart.rb:172:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:76:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
My omniauth settings are:
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => 'OpenID',
    'icon' => 'https://xxxxxxxx/openid_64.png',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'fullname', 'nickname', 'email'],
      'uid_field' => 'nickname',
      'response_type' => 'code',
      'issuer' => 'https://xxx.com/connect',
      'discovery' => true,
      'client_auth_method' => 'basic',
      'send_scope_to_token_endpoint' => 'false',
      'client_options' => {
        'identifier' => 'xxxxxxxxx',
        'secret' => 'xxxxxxxxx',
        'redirect_uri' => 'http://gitlab_domain/users/auth/openid_connect/callback'
      }
    }
  }
]
And the client options on the auth provider's site are:
{
  "userinfo_endpoint": "https://xxxx.com/connect/userinfo",
  "jwks_uri": "https://xxxx.com/connect/jwks",
  "subject_types_supported": ["public"],
  "token_endpoint": "https://xxxx.com/connect/token",
  "id_token_signing_alg_values_supported": ["HS256", "RS256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "response_types_supported": ["code", "id_token", "id_token token"],
  "end_session_endpoint": "https://xxxx.com/connect/logout",
  "authorization_endpoint": "https://xxxx.com/connect/authorize",
  "issuer": "https://xxxx.com/connect"
}
By the way, when I use Gitlab 13.8 and manually downgrade omniauth_openid_connect to 0.3.3, it works. So I think it's not a problem with the auth provider or the Omnibus config, but a problem with this fork.
Edited by haogeek
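Added example (not part of the report above, and not GitLab's or omniauth_openid_connect's code): the message "no implicit conversion of OpenSSL::PKey::RSA into String" is Ruby's TypeError for passing an RSA key object where a String is required, and OpenSSL::HMAC requires a String key. So one way a JWS verifier hits it is selecting RSA key material for a token it then tries to verify as HS256, which is plausible here because the provider's discovery document advertises both HS256 and RS256. The self-contained Ruby below (module and class names `MiniJws`, `UnexpectedAlgorithm`, `KeyTypeMismatch`, the sample secret and claims are all constructed for this example) shows the naive verifier reproducing that exact TypeError, and a hardened verifier that pins the algorithm the relying party configured and checks the key type before any OpenSSL call, so a mismatch fails with a clear, typed error instead of a stack trace from the middleware chain.

```ruby
# Added example: minimal JWS sign/verify to show why an RSA key handed to an
# HS256 token raises TypeError, and how pinning the expected alg avoids it.
# Constructed for illustration; not GitLab's or omniauth_openid_connect's code.
require 'openssl'
require 'json'

module MiniJws
  class Error < StandardError; end
  class UnexpectedAlgorithm < Error; end   # constructed name, not JSON::JWS's
  class KeyTypeMismatch < Error; end
  class BadSignature < Error; end

  # Base64url without padding, as RFC 7515 requires (no base64 gem needed).
  def self.b64u(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64u(str)
    s = str.tr('-_', '+/')
    s += '=' * ((4 - s.length % 4) % 4)
    s.unpack1('m0')
  end

  # Constant-time comparison so MAC verification does not leak via timing.
  def self.ct_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Sign claims. `key` is a String secret for HS256 or an RSA private key for RS256.
  def self.sign(payload, key, alg)
    input = "#{b64u(JSON.generate('alg' => alg, 'typ' => 'JWT'))}.#{b64u(JSON.generate(payload))}"
    sig = case alg
          when 'HS256' then OpenSSL::HMAC.digest('SHA256', key, input)
          when 'RS256' then key.sign(OpenSSL::Digest.new('SHA256'), input)
          else raise UnexpectedAlgorithm, alg
          end
    "#{input}.#{b64u(sig)}"
  end

  # Naive verifier: trusts the token's own `alg` and passes whatever key it was
  # given straight to OpenSSL. With an RSA key and an HS256 token, OpenSSL::HMAC
  # raises TypeError "no implicit conversion of OpenSSL::PKey::RSA into String".
  def self.verify_naive(token, key)
    header_b64, body_b64, sig_b64 = token.split('.')
    alg = JSON.parse(unb64u(header_b64))['alg']
    input = "#{header_b64}.#{body_b64}"
    sig = unb64u(sig_b64)
    ok = case alg
         when 'HS256' then ct_equal(OpenSSL::HMAC.digest('SHA256', key, input), sig)
         when 'RS256' then key.verify(OpenSSL::Digest.new('SHA256'), sig, input)
         else raise UnexpectedAlgorithm, alg
         end
    raise BadSignature unless ok
    JSON.parse(unb64u(body_b64))
  end

  # Hardened verifier: the relying party pins the alg it configured (the
  # provider's id_token_signing_alg_values_supported list is not a substitute,
  # since it may advertise both HS256 and RS256) and refuses key material whose
  # type does not fit that alg before OpenSSL ever sees it.
  def self.verify_strict(token, key, expected_alg)
    header_b64, = token.split('.')
    alg = JSON.parse(unb64u(header_b64))['alg']
    unless alg == expected_alg
      raise UnexpectedAlgorithm, "token alg #{alg.inspect}, expected #{expected_alg}"
    end
    case expected_alg
    when 'HS256'
      raise KeyTypeMismatch, 'HS256 needs the shared client secret (String)' unless key.is_a?(String)
    when 'RS256'
      raise KeyTypeMismatch, 'RS256 needs an RSA public key from the JWKS' unless key.is_a?(OpenSSL::PKey::RSA)
    else
      raise UnexpectedAlgorithm, expected_alg
    end
    verify_naive(token, key)
  end
end
```

The practical reading for the relying-party side: when a provider advertises more than one signing algorithm, the client configuration must say which one it expects and supply matching key material (the client secret for HS256, the JWKS public key for RS256); a verifier that picks key material independently of the algorithm it is about to use will either raise a TypeError like the one in the log or, worse, accept a token under the wrong key type.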