Hello,
I have configured Horde Authentication with our identity providers.
Everything is working great, but when starting a remote compilation the authentication process redirects me to http://localhost:8749/ugs.client.
I see that there is configuration to change this URI for the Horde server, and I changed it with the following:
`"oidcLocalRedirectUrls": ["https://my-redirect/signin-oidc"]`
but it is still redirecting me to http://localhost:8749/ugs.client
Any idea what I need to change?
Thanks.
Hey there,
Can you provide your log for the server?
To clarify some details:
- Since this is a server.json setting you’ll need to perform a full restart of the server.
- > When starting a remote compilation…
- Are you referring to a local user initiating a UBA build? Or is this a build farm agent issuing a UBA build?
- Just looking internally, I see we are using http://localhost:8749/ugs.client
- It’s also worth noting oidc-configuration.json is used for configuration building, so I am curious whether this is a related source.
- The comments also do assert that this is typically a local hosted server which appears to be started via “Default value is the local web server started during signin by EpicGames.OIDC library”
- I wonder if you should be setting OidcSigninRedirect instead?
Kind regards,
Julian
Hi Julian,
Attached the log from the horde server
- > Since this is a server.json setting you’ll need to perform a full restart of the server.
---> Yes server has been restarted
- > When starting a remote compilation… > Are you referring to a local user initiating a UBA build? Or is this a build farm agent issuing a UBA build?
---> A local user initiating a UBA build
- It’s also worth noting oidc-configuration.json is used for configuration building, so I am curious whether this is a related source.
---> Where is the oidc-configuration.json located?
- The comments also do assert that this is typically a local hosted server which appears to be started via “Default value is the local web server started during signin by EpicGames.OIDC library”
---> I was under the impression that we could override it and use the redirect URI authorized by our identity provider
- I wonder if you should be setting OidcSigninRedirect instead?
---> Tried it, same issue
Heya,
I think I know what’s going on here. IIRC, this is an issue with how the configuration system is handling arrays. What’s happening here is that the array is being appended to, instead of completely replaced. In the interim you’ll need to update this in HordeHTTPAuthHandler.cs:

```csharp
async Task<AuthState> GetAuthStateInternalAsync(bool interactive, CancellationToken cancellationToken)
{
    // ...
    // Workaround: take the last entry of the array instead of the first.
    //string? localRedirectUrl = authConfig.LocalRedirectUrls?.FirstOrDefault();
    string? localRedirectUrl = authConfig.LocalRedirectUrls?.LastOrDefault();
    // ...
}
```
I was able to validate this on my own end by attaching a debugger to the server, and stepping through the GetAuthConfig endpoint. I vaguely remember an internal ticket about this; I’ll see if I can pull it up.
Edit: Microsoft GitHub thread about this
Kind regards,
Julian
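The array-append behaviour described in the post above, as an added example that is not part of the original thread and is not Horde code. It assumes server.json is bound through Microsoft.Extensions.Configuration (the thread implies this but does not state it); `AuthSettings` is a hypothetical stand-in class, and the two URLs are the ones quoted in the thread.

```csharp
// Added example. Requires the Microsoft.Extensions.Configuration and
// Microsoft.Extensions.Configuration.Binder NuGet packages.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

// Constructed input: the override from the thread, in the flattened
// "key:index" form that a JSON array takes inside IConfiguration.
var overrides = new Dictionary<string, string?>
{
    ["OidcLocalRedirectUrls:0"] = "https://my-redirect/signin-oidc",
};

IConfiguration config = new ConfigurationBuilder()
    .AddInMemoryCollection(overrides)
    .Build();

// The settings object already carries its built-in default before binding.
var settings = new AuthSettings();
config.Bind(settings);

// The binder preserves elements already present in an initialized array
// and appends the configured ones after them, so the default stays at index 0.
string[] urls = settings.OidcLocalRedirectUrls;
Console.WriteLine($"Bound array:    {string.Join(", ", urls)}");
Console.WriteLine($"FirstOrDefault: {urls.FirstOrDefault()}");
Console.WriteLine($"LastOrDefault:  {urls.LastOrDefault()}");

// Operational check: more than one entry after binding means an override
// was merged with the default rather than replacing it.
if (urls.Length > 1)
{
    Console.WriteLine("Warning: redirect URL list contains default plus override entries.");
}

// Hypothetical stand-in for the server settings type (an assumption, not Horde's class).
class AuthSettings
{
    public string[] OidcLocalRedirectUrls { get; set; } =
        new[] { "http://localhost:8749/ugs.client" };
}
```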
Hi Julian,
Thank you for your finding.
Do you know if this issue will be addressed in an upcoming release?
Victor
This redirect to a “local server” is part of OIDC’s authentication flow for standalone apps. This includes UBA and UGS.
You need to configure the OIDC IdP to accept this as a valid redirection. This is not a security risk, and is working-as-designed.
Thanks Yang - this is a great comment and certainly informs even myself on this!
> Do you know if this issue will be addressed in an upcoming release?
- For the more general fix on this issue, I’m not sure when it would be scheduled.
Hi Yang,
Thanks for your reply.
What is the use case for making oidcLocalRedirectUrls configurable?
I configured my IdP to accept http://localhost:8749/ugs.client and I am still having an issue with the authentication when a user initiates a UBA build.
I have the following error: Unable to create Horde session: Failed to login due to error: Error redeeming code: invalid_client / Invalid client and it opens a web page with an error (attachment)
I have set up the `oidcClientId` in the server.json with the one defined in my IdP. Also, the authentication is working fine when I am connecting to the Horde web site. It is only having an issue when I initiate a build.
OIDC auth for standalone apps may require special configuration in the IdP beyond allowlisting the redirect URL. For example, Azure gave a lot of people problems, and there are now specific mitigations in 5.6.0