Hello, we’re currently trying to set up a Horde server for our team. The Horde server itself is running on an EC2 instance on AWS and we’re running the official Docker image through Docker Compose. We were able to get the web portal, UGS, and Unreal Toolbox to connect correctly to https://horde.myurl.com while running in anonymous mode.
However, we’re now having trouble setting up OIDC authentication with Zoho (our current email/account provider). I’ve attached our current server.json configuration. With this setup, we’re able to connect to the web portal and log in, and also connect using Unreal Toolbox, but when trying to connect with UGS we get the following error:
[Image Removed]
On the server end, we get this error output:
```
horde-server-1 | [22:20:46 err] Unhandled exception on /api/v1/tools: IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
horde-server-1 | System.ArgumentException: IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
horde-server-1 | ---> System.Text.Json.JsonReaderException: '0xEF' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.
horde-server-1 | at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
```
I also noticed that when the Horde server is booting up, we get this warning in the console:
OIDC config mismatch: Command-line auth requires a public OAuth/OIDC client, but a confidential client is configured (OidcClientSecret is set). This will prevent Horde's C# client from signing in and block usage of Unreal Build Accelerator. To fix: Configure your OAuth/OIDC client as public (SPA/mobile/desktop) and remove the client secret
I tried commenting/removing the OidcClientSecret from server.json and this warning did go away, but the behaviour is the exact same and the same IDX12729 error gets output by Horde. Any help in setting this up would be greatly appreciated!
Steps to Reproduce
```json
{
  "Horde": {
    "AuthMethod": "OpenIdConnect",
    "JwtIssuer": "https://accounts.zoho.com",
    "OidcAuthority": "https://accounts.zoho.com",
    "OidcAudience": "<Client ID from Zoho https://api-console.zoho.com/>",
    "OidcClientId": "<Client ID from Zoho https://api-console.zoho.com/>",
    "OidcClientSecret": "<Client Secret from Zoho https://api-console.zoho.com/>",
    "OidcRequestedScopes": ["openid", "profile", "email"],
    "OidcApiRequestedScopes": ["openid", "profile", "email"],
    // Debug/logging settings:
    "OidcDebugMode": true,
    "enableDebugEndpoints": true,
    "logSessionRequests": true,
    "adminClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "adminClaimValue": "name[Content removed]
    "ServerUrl": "https://horde.myurl.com",
    "DashboardUrl": "https://horde.myurl.com",
  },
  "Kestrel": {
    "Certificates": {
      "Default": {
        "Path": "/app/Data/selfsigned.pfx",
        "Password": ""
      }
    }
  }
}
```
Hello, to use the authentication support in Unreal Game Sync you will need to configure your OIDC client as a public client (using PKCE flow without a client secret) instead of a confidential client. This is because these tools use the EpicGames.OIDC library, which only supports public clients with authorization code flow + PKCE.
Matthew
Hello, on the Zoho side of things, have you set up your Zoho app as a public client? It is not just a matter of not setting OidcClientSecret in the Horde server; on the Zoho end, your Zoho configuration needs to be an OAuth public client as well.
Matthew.
Hi, this error, `System.Text.Json.JsonReaderException: '0xEF' is an invalid start of a value`, is saying the JSON response has a UTF8 BOM, which is invalid. Is there any more output in the log? I’d like to see if there is more callstack to help debug. It looks like some response is not returning valid JSON, or is a non-JSON response, which is causing that error.
Thanks
Matthew
Hi, have you been able to try the grant access for entire session option for a client based app?
From what I understand, if we omit `OidcClientSecret` in `server.json`, that means we’re configuring the Horde server to use a public client, correct? When we do that we seem to get a `500` server error with this output:
```
horde-server-1 | [00:42:53 err] Unhandled exception on /api/v1/tools/ugs-win: IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
horde-server-1 | System.ArgumentException: IDX12729: Unable to decode the header '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.
horde-server-1 | ---> System.Text.Json.JsonReaderException: '0xEF' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.
horde-server-1 | at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
horde-server-1 | at System.Text.Json.Utf8JsonReader.ConsumeValue(Byte marker)
horde-server-1 | at System.Text.Json.Utf8JsonReader.ReadFirstToken(Byte first)
horde-server-1 | at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
horde-server-1 | at System.Text.Json.Utf8JsonReader.Read()
horde-server-1 | at Microsoft.IdentityModel.Tokens.Json.JsonSerializerPrimitives.IsReaderAtTokenType(Utf8JsonReader& reader, JsonTokenType tokenType, Boolean advanceReader)
horde-server-1 | at System.IdentityModel.Tokens.Jwt.JwtHeader..ctor(String json)
horde-server-1 | at System.IdentityModel.Tokens.Jwt.JwtHeader.Base64UrlDeserialize(String base64UrlEncodedJsonString)
horde-server-1 | at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
horde-server-1 | --- End of inner exception stack trace ---
horde-server-1 | at System.IdentityModel.Tokens.Jwt.JwtSecurityToken.Decode(String[] tokenParts, String rawData)
horde-server-1 | at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ReadJwtToken(String token)
horde-server-1 | at HordeServer.Utilities.JwtUtils.TryParseJwt(String token, JwtSecurityToken& jwtToken) in /app/Source/Programs/Horde/HordeServer/Utilities/JwtUtils.cs:line 64
horde-server-1 | at HordeServer.Authentication.JwtAuthHandler.HandleAuthenticateAsync() in /app/Source/Programs/Horde/HordeServer/Authentication/JwtAuthHandler.cs:line 74
horde-server-1 | at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
horde-server-1 | at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
horde-server-1 | at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
horde-server-1 | at HordeServer.Utilities.TryAuthorizeAttribute.OnAuthorizationAsync(AuthorizationFilterContext context) in /app/Source/Programs/Horde/HordeServer.Shared/Utilities/TryAuthorizeAttribute.cs:line 23
horde-server-1 | at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
horde-server-1 | at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
horde-server-1 | at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
horde-server-1 | at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
horde-server-1 | at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
horde-server-1 | at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
```
Other endpoints in our server log report the same callstack.
Our OIDC provider does seem to support PKCE: https://www.zoho.com/accounts/protocol/oauth/mobile-applications.html. We’re unsure if we’ve done something wrong on the Horde setup side or there’s an issue on our OIDC provider side.
When setting up the Zoho client we have 4 options. From reading their docs it seems the web server one or the mobile one should support PKCE, but to be exhaustive we tried them all.
[Image Removed]
The one that seemed to work the closest was the `Mobile-based Applications` one: https://www.zoho.com/accounts/protocol/oauth/mobile-applications.html
To be clear, while using the `Mobile-based Applications` client with no `OidcClientSecret` set in `server.json` we get:
- Horde Website Auth Works

- Hitting horde API in swagger on the web works

- Unreal Toolbox Auth Works

- Unreal Toolbox Fetching Tools doesn’t work (internal server error with same JWT callstack)

- Unreal Game Sync Auth Works

- Unreal Game Sync connecting window doesn’t work (internal server error same JWT callstack)

It seems to get past authentication, but fails after that as far as I can tell.
[Image Removed]
I thought the same thing. Unfortunately there’s nothing else. It’s just that same callstack over and over again when any endpoint is attempted.
For now we’re using `HordeAuth`, but I am tempted to modify the horde server to get some better output. I haven’t looked into deploying a custom version of horde, however.
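An added diagnostic sketch, not from the thread and not Horde code, for the IDX12729 / `'0xEF' is an invalid start of a value` failure discussed above: it checks whether the first segment of the bearer token a client sends actually decodes to a JSON JWT header. The function name, verdict strings and sample tokens are constructed for illustration, and the bytes-to-string-to-UTF-8 step is an assumed model of the `JwtHeader..ctor(String json)` path in the stack trace; under that model both a UTF-8 BOM and any invalid UTF-8 (replaced by U+FFFD) surface as a leading 0xEF.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def inspect_jwt_header(token: str) -> dict:
    """Report why the first segment of a bearer token would or would not parse as a JWT header."""
    parts = token.split(".")
    report = {"segments": len(parts), "first_byte": None, "alg": None}
    if len(parts) != 3:
        return {**report, "verdict": "not-compact-jws"}
    seg = parts[0]
    try:
        raw = base64.b64decode(seg + "=" * (-len(seg) % 4), altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return {**report, "verdict": "header-not-base64url"}
    # Assumed model of the failing path: bytes -> string (invalid UTF-8 becomes
    # U+FFFD) -> UTF-8 bytes handed to the JSON reader.
    seen = raw.decode("utf-8", errors="replace").encode("utf-8")
    report["first_byte"] = hex(seen[0]) if seen else None
    if raw.startswith(b"\xef\xbb\xbf"):
        return {**report, "verdict": "header-has-utf8-bom"}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {**report, "verdict": "header-not-utf8"}
    try:
        header = json.loads(text)
    except json.JSONDecodeError:
        return {**report, "verdict": "header-not-json"}
    if not isinstance(header, dict):
        return {**report, "verdict": "header-not-json-object"}
    return {**report, "alg": header.get("alg"), "verdict": "jwt-header-ok"}

HEADER = b'{"alg":"RS256","typ":"JWT"}'
SAMPLES = {  # constructed tokens, not real provider tokens; only segment 1 matters
    "jwt": b64url(HEADER) + ".e30.c2ln",
    "bom": b64url(b"\xef\xbb\xbf" + HEADER) + ".e30.c2ln",
    "opaque": "1000.0a1b2c3d.4e5f6a7b",  # three dot-separated parts, but not a JWT
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, inspect_jwt_header(tok))
```

A `header-not-utf8` or `header-not-json` verdict means the client is presenting a token that is not a JWT at all, which is a different fault from a BOM in an otherwise valid header.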