OAuth/OIDC errors with qbo3


My company has configured Ping Identity server with OIDC to connect to a qbo3 installation.

When my users log in, there are four classes of errors they encounter:

Error 1:

"Message contains error: 'server_error', error_description: 'error_description is null', error_uri: 'error_uri is null'"

Error 2:

Message contains error: 'access_denied', error_description: 'Unauthorized Access', error_uri: 'error_uri is null'.

Error 3:

Unable to unprotect the message.State

Error 4:

This user has no universal access roles nor organizational access configured.

How do I resolve these SSO errors?


Error 1

The first error is an issue with your OIDC (Ping) configuration, outside the control of qbo3. Specifically:

"Message contains error: 'server_error', error_description: 'error_description is null', error_uri: 'error_uri is null'"

This implies:

  • qbo3 successfully routed the user to the Ping endpoint with a correct ClientId and ReturnUrl
  • the user successfully logged into Ping SSO
  • Ping SSO encountered an error after the user logged in
  • Ping SSO followed the OIDC protocols, and told qbo3 that there was an error after the user logged in.

In this case, unfortunately there is no useful detail about the error. The next troubleshooting step would be to investigate your Ping logs.

Error 2

Message contains error: 'access_denied', error_description: 'Unauthorized Access', error_uri: 'error_uri is null'.

This error is straightforward. The user successfully logged into Ping SSO, but Ping SSO has not been configured to allow the user access to the qbo3 application.

This can be resolved by modifying the Ping configuration to grant the user access to the qbo3 ClientId.

Error 3

Unable to unprotect the message.State

This typically occurs in a server farm, where the series of OIDC/OAuth calls bounce between servers. The root cause is a token that is encrypted by ServerA and cannot be properly decrypted by ServerB. There are two solutions to this issue:

  • Use an encryption technique based on a certificate shared by all servers in the server farm. See Microsoft's ASP.NET Core Data Protection documentation.
  • Modify the load balancer routing traffic to the server farm to use sticky sessions. AWS and Azure support this out of the box.

Error 4

This user has no universal access roles nor organizational access configured.

This means the user is valid, but is not a member of any qbo3 universal access roles or organizations, such that they will not have access to any records in the system. In short, the user's configuration in qbo3 is incomplete!

More precisely:

  • qbo3 successfully routed the user to the Ping endpoint with a correct ClientId and ReturnUrl
  • the user successfully logged into Ping SSO
  • Ping told qbo3 the user is authorized, and provided some claims about the user
  • qbo3 ensured the user exists, but did not find any claims that map to QBO roles or organizations.

There are 2 ways to address this issue:

Resolution 1: in qbo3, manually add the user to a Role that has universal access, and/or grant the user access to one or more Organizations to enable qbo3 to determine what data the user should have access to. This is a manual effort, thus not as good as resolution 2 below.

Resolution 2:

  • in Ping, ensure the user has claims that enable qbo3 to determine which Roles and/or Organizations the user should be a member of.
  • in qbo3:
    • create Subscription rows on the SystemRole table for each claim value that represents a role
    • create Subscription rows on the Organization table for each claim value that represents access to an Organization
    • create a Person statement to be used by SSO to create SystemMember or PersonAccess rows based on user claims.

More explicit details on the qbo3 steps can be found in Quandis' SSO documentation.
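The shared-certificate fix for Error 3 ("Unable to unprotect the message.State") in ASP.NET Core terms, as an added example that is not part of the answer above and not Quandis' or qbo3's own code: every farm node must use the same application name, the same key-ring location and the same certificate, otherwise the OIDC state protected on one node cannot be unprotected on another. The file-share path, certificate thumbprint and application name are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Added example: configure ASP.NET Core Data Protection so that a key ring
// created on ServerA is readable by ServerB. Without this, each node keeps a
// per-machine key ring and OIDC state round-tripped through the load balancer
// fails to unprotect. All literal values below are placeholders.
public static class FarmDataProtection
{
    public static IServiceCollection AddFarmDataProtection(this IServiceCollection services)
    {
        // The certificate (with private key) must be installed on every node.
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(
            X509FindType.FindByThumbprint,
            "<SHARED-CERT-THUMBPRINT>",   // placeholder thumbprint
            validOnly: false);
        if (found.Count == 0)
        {
            // Fail at startup rather than failing the first SSO callback.
            throw new InvalidOperationException("Shared data-protection certificate not found.");
        }
        var cert = found[0];

        services.AddDataProtection()
            // Same logical application on all nodes; differing names isolate payloads.
            .SetApplicationName("qbo3")
            // Key ring on storage reachable from every node (placeholder UNC path).
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileshare\qbo3-keys"))
            // Keys at rest are encrypted to the shared certificate, so any node can decrypt them.
            .ProtectKeysWithCertificate(cert);

        return services;
    }
}
```

Call `services.AddFarmDataProtection()` before the OpenID Connect authentication setup so the OIDC handler picks up the shared key ring; the sticky-session alternative in the answer needs no code change but only masks the problem while a session stays on one node.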