Debugging failed OIDC Portal logins

Scenario

You activated OIDC for the UMC according to the documentation.

Logs

The UMC logs are in /var/log/univention/management-console-server.log.
To increase the log level, set the UCR variable umc/server/debug/level and restart the service:

ucr set umc/server/debug/level=4
systemctl restart univention-management-console-server

Do not forget to decrease the log level after your analysis.

Investigation

Start by searching for ERROR in the log:
grep ERROR /var/log/univention/management-console-server.log

The message 503 GET /univention/oidc/?state= is the normal log entry for a failed GET call.
The line directly above it should show the cause. Typical causes are:

  • ( ERROR ) : Could not get access token: b'{"error":"invalid_grant","error_description":"Code not valid"}' (HTTP 400: Bad Request)

This message indicates that the identity provider has a problem and the UMC cannot get the token. You should have a look at the IdP logs.

  • ( ERROR ) : Could not get access token: None (HTTP 599: Failed sending HTTP POST request) (HTTPResponse(_body=None,_error_is_response_code=False,buffer=None,code=599,effective_url='https://id.app.dap.dphoenixsuite.de/auth/realms/dap/protocol/openid-connect/token',error=HTTP 599: Failed sending HTTP POST request,headers=

This indicates a problem on the sending UMC. Have a look at the number of open connections, for example with watch ss -s. If the number is very high, think about increasing the following limits:

ucr set security/limits/user/root/hard/nofile=200000 \
    security/limits/user/root/soft/nofile=200000 \
    security/limits/user/root/hard/nproc=200000 \
    security/limits/user/root/soft/nproc=200000
systemctl restart univention-management-console-server

The LimitNOFILE value of the UMC service can also be increased (the path under multi-user.target.wants is normally a symlink to the unit file, so this edits the unit file itself):

sed -i 's/64512/120000/' /etc/systemd/system/multi-user.target.wants/univention-management-console-server.service
systemctl daemon-reload
systemctl restart univention-management-console-server

  • ( ERROR ) : Could not get access token: None (HTTP 599: Operation timed out after 20000 milliseconds with 0 bytes received)

This indicates a problem with the IdP, which does not answer the request from the UMC. Please investigate the Keycloak logs.
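The three error messages above can be told apart mechanically. The following triage script is an added example and is not part of the Univention documentation or the UMC code base; it greps the UMC log for "Could not get access token" lines and counts them by the cause described above (IdP rejected the code, UMC could not send the request, IdP timed out). The log file path defaults to the one named above; the sample log lines written by write_sample_log are constructed from the quoted messages, with invented timestamps and module names.

```shell
#!/bin/sh
# Triage "Could not get access token" errors in the UMC log.
# Added example, not UMC code. Assumes the message texts quoted in the
# article; any other token error is counted as "other".

# Map one log line to a cause; prints nothing for lines that are not token errors.
classify_line() {
  case "$1" in
    *"invalid_grant"*)
      echo "idp: authorization code rejected by the identity provider; check the IdP (Keycloak) logs" ;;
    *"Failed sending HTTP POST request"*)
      echo "umc: request could not be sent; check open connections (ss -s) and the nofile/nproc limits" ;;
    *"Operation timed out"*)
      echo "idp-timeout: identity provider did not answer; check the Keycloak logs" ;;
    *"Could not get access token"*)
      echo "other: unclassified token error" ;;
    *)
      echo "" ;;
  esac
}

# Count token errors per cause in the log file given as $1.
triage_log() {
  idp=0; umc=0; timeout=0; other=0
  while IFS= read -r line; do
    case "$(classify_line "$line")" in
      idp:*)         idp=$((idp + 1)) ;;
      umc:*)         umc=$((umc + 1)) ;;
      idp-timeout:*) timeout=$((timeout + 1)) ;;
      other:*)       other=$((other + 1)) ;;
    esac
  done < "$1"
  echo "invalid_grant=$idp send_failed=$umc timeout=$timeout other=$other"
}

# Constructed sample log (timestamps and module names invented) written to $1,
# modelled on the messages quoted in the article.
write_sample_log() {
  cat > "$1" <<'EOF'
01.01.24 10:00:01.000  OIDC       ( ERROR   ) : Could not get access token: b'{"error":"invalid_grant","error_description":"Code not valid"}' (HTTP 400: Bad Request)
01.01.24 10:00:01.010  MAIN       ( INFO    ) : 503 GET /univention/oidc/?state=abc
01.01.24 10:00:05.000  OIDC       ( ERROR   ) : Could not get access token: None (HTTP 599: Failed sending HTTP POST request)
01.01.24 10:00:05.010  MAIN       ( INFO    ) : 503 GET /univention/oidc/?state=def
01.01.24 10:00:30.000  OIDC       ( ERROR   ) : Could not get access token: None (HTTP 599: Operation timed out after 20000 milliseconds with 0 bytes received)
01.01.24 10:00:30.010  MAIN       ( INFO    ) : 503 GET /univention/oidc/?state=ghi
01.01.24 10:00:31.000  OIDC       ( ERROR   ) : Could not get access token: None (HTTP 599: Operation timed out after 20000 milliseconds with 0 bytes received)
EOF
}

# Usage: sh triage.sh [logfile]
# Without an argument the constructed sample is triaged instead of the real log.
if [ -n "${1:-}" ]; then
  triage_log "$1"
else
  tmp=$(mktemp) && write_sample_log "$tmp" && triage_log "$tmp" && rm -f "$tmp"
fi
```

On a real server run it as sh triage.sh /var/log/univention/management-console-server.log; a dominant send_failed count points at the UMC host (connection and file-descriptor limits), while invalid_grant and timeout counts point at the identity provider.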
