OIDC login broken "TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'" #18816

Closed
bgruening opened this issue Sep 16, 2024 · 8 comments


bgruening commented Sep 16, 2024

I'm not sure this is a Galaxy problem yet, but I thought I'd put this out while we are debugging it. It broke in the last few days, which is suspicious. It seems to only affect the ELIXIR OIDC on EU.

Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]: galaxy.authnz.managers ERROR 2024-09-16 09:47:18,442 [pN:main.3,p:2230442,tN:WSGI_0] An error occurred when authenticating a user on `elixir` identity provider
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]: Traceback (most recent call last):
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/server/lib/galaxy/authnz/managers.py", line 401, in authenticate
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     backend.authenticate(trans),
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/server/lib/galaxy/authnz/psa_authnz.py", line 213, in authenticate
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     return do_auth(backend)
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:            ^^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/actions.py", line 34, in do_auth
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     return backend.start()
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:            ^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/backends/base.py", line 36, in start
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     return self.strategy.redirect(self.auth_url())
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:                                   ^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/backends/oauth.py", line 353, in auth_url
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     params = self.auth_params(state)
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:              ^^^^^^^^^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 132, in auth_params
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     params["nonce"] = self.get_and_store_nonce(self.authorization_url(), state)
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:                                                ^^^^^^^^^^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 73, in authorization_url
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     ) or self.oidc_config().get("authorization_endpoint")
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:          ^^^^^^^^^^^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/utils.py", line 308, in wrapped
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     cached_value = fn(this)
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:                    ^^^^^^^^
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:   File "/opt/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 114, in oidc_config
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:     return self.get_json(self.oidc_endpoint() + "/.well-known/openid-configuration")
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]:                          ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sep 16 09:47:18 sn06.galaxyproject.eu gunicorn[2182875]: TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

mvdbeek commented Sep 16, 2024

#18670 was merged into 24.1 (which it shouldn't have been). Try reverting that?

@bgruening

Ouch, I see. I could rule out that social-auth was updated. This looks like a very good candidate. I will patch it locally and report back. Thanks.

@Edmontosaurus

Ouch indeed. I'm sorry to see that my pull request has broken something. I checked on our Galaxy instance and can reproduce the same error when I omit the "<oidc_endpoint>" element in the oidc_backends_config.xml file when configuring an OIDC login provider as described here:

<oidc_endpoint> ... </oidc_endpoint>

The error occurs when clicking the sign-in button.

@bgruening can you maybe share what your oidc_backends_config.xml looks like?

@bgruening

Sure, this is my config, that worked until a few days ago.

<OIDC>
    <provider name="Elixir">
        <client_id>foo</client_id>
        <client_secret>bar</client_secret>
        <redirect_uri>https://usegalaxy.eu/authnz/elixir/callback</redirect_uri>
        <prompt>consent</prompt>
        <icon>https://lifescience-ri.eu/fileadmin/lifescience-ri/media/Images/button-login-small.png</icon>
        <!-- (Optional) Extra scopes you need to request for your implementation -->
        <!-- <extra_scopes>offline_access,something-else</extra_scopes> -->
    </provider>
    <provider name="Keycloak">
        <url>https://auth.nfdi4plants.org/realms/dataplant</url>
        <client_id>usegalaxy.eu</client_id>
        <client_secret>fooo</client_secret>
        <well_known_oidc_config_uri>https://auth.nfdi4plants.org/realms/dataplant/.well-known/openid-configuration</well_known_oidc_config_uri>
        <redirect_uri>https://usegalaxy.eu/authnz/keycloak/callback</redirect_uri>
        <prompt>consent</prompt>
        <icon>https://galaxyproject.eu/assets/media/DataPLANT_logo.png</icon>
    </provider>
    <!-- Documentation: https://docs.egi.eu/providers/check-in/sp -->
    <provider name="egi_checkin">
       <!-- Client id and secret can be obtained by registering your client at EGI Check-in
            Federation Registry: https://aai.egi.eu/federation -->
        <client_id>fooo</client_id>
        <client_secret>bar</client_secret>
        <redirect_uri>https://usegalaxy.eu/authnz/egi_checkin/callback</redirect_uri>
        <icon>https://im.egi.eu/im-dashboard/static/images/egicheckin.png</icon>
        <prompt>consent</prompt>
        <!-- (Optional) Which Check-in environment to use (prod, demo, dev), default is prod -->
        <!-- <checkin_env>dev</checkin_env> -->
    </provider>
</OIDC>

bgruening added a commit to bgruening/galaxy that referenced this issue Sep 16, 2024
@bgruening

Fixed in #18818


nuwang commented Sep 17, 2024

Sorry about this, should have got merged into dev in retrospect.

Edmontosaurus commented Sep 18, 2024

> Sure, this is my config, that worked until a few days ago.
>
> <OIDC>
>     <provider name="Elixir">
>         <client_id>foo</client_id>
>         <client_secret>bar</client_secret>
>         <redirect_uri>https://usegalaxy.eu/authnz/elixir/callback</redirect_uri>
>         <prompt>consent</prompt>
>         <icon>https://lifescience-ri.eu/fileadmin/lifescience-ri/media/Images/button-login-small.png</icon>
>         <!-- (Optional) Extra scopes you need to request for your implementation -->
>         <!-- <extra_scopes>offline_access,something-else</extra_scopes> -->
>     </provider>
>     <provider name="Keycloak">
>         <url>https://auth.nfdi4plants.org/realms/dataplant</url>
>         <client_id>usegalaxy.eu</client_id>
>         <client_secret>fooo</client_secret>
>         <well_known_oidc_config_uri>https://auth.nfdi4plants.org/realms/dataplant/.well-known/openid-configuration</well_known_oidc_config_uri>
>         <redirect_uri>https://usegalaxy.eu/authnz/keycloak/callback</redirect_uri>
>         <prompt>consent</prompt>
>         <icon>https://galaxyproject.eu/assets/media/DataPLANT_logo.png</icon>
>     </provider>
>     <!-- Documentation: https://docs.egi.eu/providers/check-in/sp -->
>     <provider name="egi_checkin">
>        <!-- Client id and secret can be obtained by registering your client at EGI Check-in
>             Federation Registry: https://aai.egi.eu/federation -->
>         <client_id>fooo</client_id>
>         <client_secret>bar</client_secret>
>         <redirect_uri>https://usegalaxy.eu/authnz/egi_checkin/callback</redirect_uri>
>         <icon>https://im.egi.eu/im-dashboard/static/images/egicheckin.png</icon>
>         <prompt>consent</prompt>
>         <!-- (Optional) Which Check-in environment to use (prod, demo, dev), default is prod -->
>         <!-- <checkin_env>dev</checkin_env> -->
>     </provider>
> </OIDC>

For what it's worth, I did some digging to figure out what exactly went wrong here. The short version is, I learned that some backends, like elixir, have a hard-coded OIDC_ENDPOINT that got overwritten with a None value because of the way I coded #18670.

As a side note, I also found it interesting how some backends seem to prevent this problem by overriding this inherited function. But luckily you guys have already fixed it in #18818. Anyhow, I promise to be more careful with my next pull request! 😇
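
The failure mode described in the comment above, reduced to a runnable model. This is an added example, not Galaxy's or social-core's code: `ModelBackend`, both loader functions and the placeholder endpoint URL are hypothetical, and only the `OIDC_ENDPOINT` name, `oidc_endpoint()`, the `<oidc_endpoint>` element and the discovery path come from the thread.

```python
import xml.etree.ElementTree as ET

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: a provider entry with no <oidc_endpoint> element.
SAMPLE_XML = """<OIDC>
    <provider name="Elixir">
        <client_id>foo</client_id>
    </provider>
</OIDC>"""


class ModelBackend:
    """Simplified stand-in for a backend with a hard-coded endpoint."""
    OIDC_ENDPOINT = "https://idp.example.org/oidc"  # placeholder URL

    def __init__(self, settings):
        self.settings = settings

    def oidc_endpoint(self):
        # A key that is present wins over the class default, even if None.
        return self.settings.get("OIDC_ENDPOINT", self.OIDC_ENDPOINT)

    def discovery_url(self):
        return self.oidc_endpoint() + WELL_KNOWN


def load_settings_unconditional(provider):
    # Failure mode: findtext() returns None for a missing element,
    # and that None is stored as if it were a configured value.
    return {"OIDC_ENDPOINT": provider.findtext("oidc_endpoint")}


def load_settings_guarded(provider):
    # Only store the key when the element exists and is non-empty,
    # so the backend's own default stays in effect otherwise.
    settings = {}
    endpoint = (provider.findtext("oidc_endpoint") or "").strip()
    if endpoint:
        settings["OIDC_ENDPOINT"] = endpoint
    return settings


def discovery_url_or_error(loader, xml_text=SAMPLE_XML):
    provider = ET.fromstring(xml_text).find("provider")
    try:
        return ModelBackend(loader(provider)).discovery_url()
    except TypeError as exc:
        return f"TypeError: {exc}"
```

With the unconditional loader the model reproduces the `TypeError` from the traceback at the moment the discovery URL is built; with the guarded loader the class default survives and login can proceed.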

@bgruening

Thanks @Edmontosaurus for looking into it!
