Cannot authorize OAuth zoom plugin: invalid state, 500 internal server error #152

Closed
vmakarenko opened this issue Jul 30, 2020 · 32 comments · Fixed by #308

@vmakarenko

I'm trying to set up mattermost-plugin-zoom 1.4.1 (OAuth) according to the manual:
https://mattermost.gitbook.io/plugin-zoom/installation/zoom-configuration/zoom-setup-oauth

I'm stuck at the activation stage: Install your app -> Activate throws
browser:

invalid state
500 internal server error

mattermost.log:

{"level":"info","ts":1596120717.8517437,"caller":"go-plugin@v1.2.2/stream.go:15","msg":"2020/07/30 16:51:57 stateComponents: [], state:","plugin_id":"zoom","source":"plugin_stderr"}
{"level":"error","ts":1596120717.857073,"caller":"mlog/log.go:175","msg":"Plugin failed to ServeHTTP, RPC call failed","plugin_id":"zoom","error":"unexpected EOF"}
{"level":"error","ts":1596120717.857321,"caller":"http/server.go:3059","msg":"http: superfluous response.WriteHeader call from github.com/mattermost/mattermost-server/v5/plugin.(*hooksRPCClient).ServeHTTP (client_rpc.go:336)","source":"httpserver"}
{"level":"error","ts":1596120728.2407198,"caller":"plugin/health_check.go:59","msg":"Health check failed for plugin","id":"zoom","error":"Plugin RPC connection is not responding"}
{"level":"warn","ts":1596120728.2415211,"caller":"plugin/hclog_adapter.go:69","msg":"error closing client during Kill","plugin_id":"zoom","wrapped_extras":"errconnection is shut down"}
{"level":"warn","ts":1596120728.2417154,"caller":"plugin/hclog_adapter.go:71","msg":"plugin failed to exit gracefully","plugin_id":"zoom"}

Mattermost Version: 5.24.2
Database Schema Version: 5.24.0

@larkox
Contributor

larkox commented Jul 30, 2020

That is weird. There is a bug in the code such that that particular path may lead to plugin termination. Nevertheless, the path it is taking should happen only if the OAuth flow finishes with an "empty state".

The state is sent into the flow, and the same values should return when the OAuth flow is finished. No idea how this might be happening on your side.

@larkox larkox self-assigned this Aug 11, 2020
@larkox
Contributor

larkox commented Aug 11, 2020

@vmakarenko are you still seeing this? Are you seeing any other weird behaviour that may lead to this?

@levb levb added the Type/Bug Something isn't working label Aug 11, 2020
@vmakarenko
Author

vmakarenko commented Aug 19, 2020

We will retry the setup according to https://mattermost.gitbook.io/plugin-zoom/installation/zoom-configuration/zoom-setup-oauth again; probably some settings were wrong... I'll let you know, thank you!

@vmakarenko
Author

We tried again. Authorize plugin -> Error 500. mattermost.log:

{"level":"error","ts":1597935595.674938,"caller":"mlog/log.go:175","msg":"Invalid or missing user_id parameter in request URL.","path":"/api/v4/users/zoom","request_id":"aaa1is3bdpygfqwjjpoep7sayh","ip_addr":"188.192.118.178","user_id":"gprzfjykw7bk9fxfj57cqjgx7w","method":"GET","err_where":"Context","http_code":400,"err_details":""}
{"level":"warn","ts":1597941335.6364105,"caller":"app/post_metadata.go:489","msg":"Failed to write link metadata","request_url":"","error":"LinkMetadata.IsValid: Link metadata URL must be set., "}

Moreover, where is the **Enable Password based authentication** feature located? It is mentioned in https://mattermost.gitbook.io/plugin-zoom/installation/mattermost-setup and cannot be found in mattermost (5.24.2) and zoom-plugin (1.4.1) settings.

@larkox
Contributor

larkox commented Aug 21, 2020

Regarding the "Enable Password based authentication", it was removed in 1.4.1. The same effect is achieved by setting "Enable OAuth" to false.

Regarding your problem, can you confirm when you are seeing this error? Are the steps the following?

  1. Configure the plugin both on Zoom side and Mattermost side
  2. In mattermost, write /zoom start or click on the zoom icon on the top right
  3. Click on the link you receive to connect your account
  4. Introduce your Zoom credentials
  5. 500 error happens.

Is this the flow you are seeing?

If you want you can contact me on Mattermost Community (my username is @daniel.espino.garcia).

@larkox
Contributor

larkox commented Oct 5, 2020

@vmakarenko Do you need any more help with this?

@vmakarenko
Author

@larkox Hi Daniel, sorry for the delay. We still need help with the problem. Let me contact you next week? Thank you already!

@jprusch

jprusch commented Oct 9, 2020

We see the same behavior when clicking the install button when setting up the Zoom part.
I switched on debug logging in Mattermost to retrieve some more info:
zoom_log.txt

  • Zoom calls can be created with /zoom start or the button
  • Authentication of a single user works
  • Webhook for end of a meeting works

We still get:

2020-10-09T13:49:12.579+0200 warn mlog/sugar.go:27 Could not verify webhook secreet {"plugin_id": "zoom"}

in our logs.
I'm not sure if this is a real issue, as everything seems to work; still, the error messages are misleading/annoying.

Mattermost 5.27.0
Zoom 1.4.1

Regards
JP

@larkox
Contributor

larkox commented Oct 13, 2020

@jprusch Regarding the logs, can you give me more information on how that happens? I know why the panic happens, but that state should never be reached. Do you have any "complex" backend configuration (cluster, db read replicas...)?

Regarding the second error, is there any chance you have more than one webhook configured for this app? If webhooks are working fine, but you are seeing that error, the only thing that comes to my mind is that there is another misconfigured webhook.

@vmakarenko
Author

@larkox: I tried again with OAuth according to https://mattermost.gitbook.io/plugin-zoom/installation/zoom-configuration/zoom-setup-oauth. Same result:

http response:

invalid state
500 internal server error

mattermost.log:

{"level":"info","ts":1602868645.879232,"caller":"go-plugin@v1.2.2/stream.go:15","msg":"2020/10/16 19:17:25 stateComponents: [], state:","plugin_id":"zoom","source":"plugin_stderr"}
{"level":"error","ts":1602868645.8853958,"caller":"mlog/log.go:175","msg":"Plugin failed to ServeHTTP, RPC call failed","plugin_id":"zoom","error":"unexpected EOF"}
{"level":"error","ts":1602868645.8855925,"caller":"http/server.go:3059","msg":"http: superfluous response.WriteHeader call from github.com/mattermost/mattermost-server/v5/plugin.(*hooksRPCClient).ServeHTTP (client_rpc.go:336)","source":"httpserver"}

We would very much like to understand what went wrong.
Our setup: nginx + a non-dockerized instance of Mattermost (5.24.0). Probably the problem is HTTP headers lost by proxying, or something similar? We can also ask for support from Mattermost; we have an E10 license.

@jprusch

jprusch commented Oct 28, 2020

> @jprusch Regarding the logs, can you give me more information on how that happens? I know why the panic happens, but that state should never be reached. Do you have any "complex" backend configuration (cluster, db read replicas...)?
>
> Regarding the second error, is there any chance you have more than one webhook configured for this app? If webhooks are working fine, but you are seeing that error, the only thing that comes to my mind is that there is another misconfigured webhook.

Sorry for the late answer: We use a standard Mattermost standalone enterprise installation with a default MySQL backend. No clustering, no read replicas. Nginx is used as a reverse proxy with standard configuration.

@larkox
Contributor

larkox commented Oct 28, 2020

@vmakarenko Thank you for your patience. Somehow I missed your message. The state should come in the oauth query string. Something like this:
https://www.yourinstance.com/plugins/zoom/oauthcomplete?code="really long gibberish"&state="shorter gibberish"
Could you check if the URL looks like that? If it is not, there might be a problem with the proxy.

@mattermost mattermost deleted a comment from jprusch Oct 28, 2020
@larkox
Contributor

larkox commented Oct 28, 2020

@jprusch Can you also check my previous message and see if you are having a similar issue?

@mattermost mattermost deleted a comment from jprusch Oct 29, 2020
@jprusch

jprusch commented Nov 2, 2020

@larkox Back from some days off.... After restart & checking config the issue cannot be reproduced anymore. Meetings can be started from MM. Ending the meeting sends a message to the channel.
Thx.

@vmakarenko
Author

vmakarenko commented Nov 2, 2020

mattermost.log

level":"error","ts":1604326401.662806,"caller":"mlog/log.go:175","msg":"Plugin failed to ServeHTTP, RPC call failed","plugin_id":"zoom","error":"unexpected EOF"}         
{"level":"error","ts":1604326401.663641,"caller":"http/server.go:3088","msg":"http: superfluous response.WriteHeader call from github.com/mattermost/mattermost-server/v5/plugin.(*hooksRPCClient).ServeHTTP (client_rpc.go:336)","source":"httpserver"}
{"level":"error","ts":1604326416.708358,"caller":"plugin/health_check.go:59","msg":"Health check failed for plugin","id":"zoom","error":"Plugin RPC connection is not responding"}
{"level":"warn","ts":1604326416.7084563,"caller":"plugin/hclog_adapter.go:69","msg":"error closing client during Kill","plugin_id":"zoom","wrapped_extras":"errconnection is shut down"}
{"level":"warn","ts":1604326416.7085316,"caller":"plugin/hclog_adapter.go:71","msg":"plugin failed to exit gracefully","plugin_id":"zoom"}

access.log:

130.183.252.19 - - [02/Nov/2020:15:13:21 +0100] "GET /plugins/zoom/oauth2/complete?code=A2laLBl1O2_UPJQfb9MSrCLfeP6bOFfKA HTTP/2.0" 400 40 "https://zoom.us/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
130.183.252.19 - - [02/Nov/2020:15:13:21 +0100] "GET /favicon.ico HTTP/2.0" 200 1356 "https://qa-minervamessenger.mpdl.mpg.de/plugins/zoom/oauth2/complete?code=A2laLBl1O2_UPJQfb9MSrCLfeP6bOFfKA" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"

@larkox
Contributor

larkox commented Nov 13, 2020

@vmakarenko This is puzzling me. You are using v1.4.1, right? The only instance I have seen this happening is when you use the "Install" button on the Zoom website (since that button does not go through Mattermost and therefore does not set the state). If you are following the link in mattermost and not the Install button on the Zoom website, I still don't know how this can happen.

Another thing to check is the Zoom URL you get when the oauth process starts (i.e. the site where you enter your zoom credentials). That URL should also hold the state.
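
A sketch of the callback-side check the comments above describe, as an added example that is not part of the thread or the plugin's own code: a redirect that arrives without `state` (as when the flow is started outside Mattermost) gets a 4xx instead of crashing the handler, and a state is accepted only once and only if it matches what was issued. The `stateStore` type, the `<nonce>_<userID>` state format and the `CONSTRUCTED` code value are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

type stateStore struct{ issued sync.Map } // hypothetical server-side record: userID -> state

// Issue returns a one-time state "<nonce>_<userID>" (the format is an assumption).
func (s *stateStore) Issue(userID string) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to issue a guessable state
	}
	state := fmt.Sprintf("%x_%s", nonce, userID)
	s.issued.Store(userID, state)
	return state
}

// Complete handles the redirect; malformed input gets a 4xx, never a panic.
func (s *stateStore) Complete(w http.ResponseWriter, r *http.Request) {
	code, state := r.URL.Query().Get("code"), r.URL.Query().Get("state")
	parts := strings.Split(state, "_")
	if code == "" || len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		http.Error(w, "missing or malformed code/state", http.StatusBadRequest)
		return
	}
	want, ok := s.issued.LoadAndDelete(parts[1]) // one-time use, consumed even on mismatch
	if !ok || subtle.ConstantTimeCompare([]byte(want.(string)), []byte(state)) != 1 {
		http.Error(w, "invalid OAuth user state", http.StatusForbidden)
		return
	}
	fmt.Fprintln(w, "state verified for", parts[1]) // token exchange would follow here
}

// callbackStatus replays one redirect URL and returns the HTTP status.
func callbackStatus(s *stateStore, rawURL string) int {
	rec := httptest.NewRecorder()
	s.Complete(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Code
}

func main() { fmt.Println(callbackStatus(&stateStore{}, "/plugins/zoom/oauth2/complete?code=CONSTRUCTED")) }
```
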

@vmakarenko
Author

Hi Daniel, may I invite you as guest to our mattermost instance? https://community.mattermost.com/core/messages/@daniel.espino.garcia is closed due to exceeded number of allowed users :(

@srpape

srpape commented Dec 6, 2020

I'm having a similar issue. I cannot install the oauth app on the zoom site.

I receive the message "invalid OAuth user state" when I try. Starting meetings works, but I haven't seen the webhook work.

@larkox
Contributor

larkox commented Dec 9, 2020

@srpape Are you trying to hit the "install" button at the end of the Zoom setup? That is not needed.

Regarding webhooks, have you configured them on the Zoom side? Is your instance receiving the calls (maybe some info in the server logs)?

@larkox
Contributor

larkox commented Jan 13, 2021

@srpape Are you still experiencing issues here?

@srpape

srpape commented Jan 13, 2021

@larkox Yes, I was hitting the "install" button at the end of the Zoom setup.

I did try to use it anyway, and we had people experiencing issues. I ended up reverting and going back to JWT after messing around with it for quite a while. I'll give it another try at some point, but don't hold the ticket open for me.

@larkox
Contributor

larkox commented Jan 14, 2021

Great. If there is anything I can do to help you, do not hesitate to open a new bug, or contact me on Mattermost Community.

@larkox larkox closed this as completed Jan 14, 2021
@umairjamali

umairjamali commented Sep 13, 2023

> @vmakarenko Thank you for your patience. Somehow I missed your message. The state should come in the oauth query string. Something like this: https://www.yourinstance.com/plugins/zoom/oauthcomplete?code="really long gibberish"&state="shorter gibberish" Could you check if the URL looks like that? If it is not, there might be a problem with the proxy.

I am facing the same error as the one being discussed: "invalid OAuth user state".

@larkox
My URL looks like this: https://chat.abc.co/plugins/zoom/oauth2/complete?code=zkXmkQSN6MDggTUFxV4QsiEcn2NuqBV3g

Is there anything wrong?

@larkox
Contributor

larkox commented Sep 13, 2023

@mickmister Do you know who can help troubleshooting this?

@mickmister
Contributor

Sure, @Kshitij-Katiyar are you or another developer able to look into this?

@Kshitij-Katiyar
Contributor

Kshitij-Katiyar commented Sep 14, 2023

> Sure, @Kshitij-Katiyar are you or another developer able to look into this?

@mickmister Sure, looking into this. Should I reopen this issue?

@mickmister
Contributor

@Kshitij-Katiyar I'd say let's leave it closed unless it's determined that there needs to be a code change here

@umairjamali Do you have any more information on how this was produced, that may be specific to your environment? I assume you ran /zoom connect to connect your account? Is the plugin configured correctly otherwise?

@umairjamali

> @Kshitij-Katiyar I'd say let's leave it closed unless it's determined that there needs to be a code change here
>
> @umairjamali Do you have any more information on how this was produced, that may be specific to your environment? I assume you ran /zoom connect to connect your account? Is the plugin configured correctly otherwise?

I followed this

our self-hosted Mattermost is https://chat.celus.co
our cloud zoom is celus-io.zoom.us

@mickmister
Contributor

@Kshitij-Katiyar We've had another report of this, so reopening the issue. I've put this on the issue board for investigation

@Kshitij-Katiyar
Contributor

Kshitij-Katiyar commented Oct 9, 2023

@mickmister @larkox @umairjamali @vmakarenko
I have explored the code and tried multiple OAuth app configurations; everything appears to be in order.

I have examined the code and experimented with multiple OAuth app configurations; everything appears to be correct.

The existing instructions in the plugin's readme ask us to specify two scopes: meeting:read and user:read. However, using only these two scopes results in the error mentioned above. Upon inspecting the API response, it appears that an additional scope, meeting:write, is required. (Presently the instruction to add meeting:write as a scope is not present in the plugin readme instructions.)

I encountered the same issue when I was using the scopes mentioned in the setup steps of the plugin's readme. However, when using the scopes below, the plugin seems to work perfectly. Please try the scopes below and let me know if it works for you.
[Image: Screenshot from 2023-10-09 12-24-02]

@mickmister, I will be creating a pull request (PR) to update the instructions in the readme files.

@mickmister
Contributor

@Kshitij-Katiyar Interesting. So having the missing scope in the Zoom UI causes an invalid state error, or invalid OAuth user state error? It seems in this thread we are discussing two different error messages so trying to differentiate.

@srpape Are you able to check if selecting the above 3 OAuth scopes fixes the issue you were experiencing? Thank you

@Kshitij-Katiyar
Contributor

Kshitij-Katiyar commented Oct 10, 2023

@mickmister, the invalid state error is not present in the code. I tried various methods to reproduce the invalid state error but was unable to replicate it. I suspect the user was trying to report the same invalid OAuth user state error but may have accidentally misspelt it.
