An authentication issue in Zeebe Modeler (OAuth)

Hello,

I have exposed an auth endpoint that returns an access token:

When I enter this endpoint in the Deploy popup in Zeebe Modeler and all the other OAuth details, Zeebe Modeler indicates the error “Unknown error. Please check Zeebe cluster status” in the Contact Point.

Bonus: Is there a way to include gRPC WebDev Tools in Electron? I need those as they may help me debug and trace all the gRPC messages being exchanged between Zeebe Modeler and the Zeebe Gateway/gRPC server.

Thank you all!

Hi,

The gRPC errors are saved to the log file. On macOS, you can find them in ~/Library/Logs/Zeebe Modeler/log.log.

After you check the log, if you think it’s the application’s failure, please open an issue at http://github.com/zeebe-io/zeebe-modeler/issues

Hello @barmac,

I have reported a bug for this on GitHub: Zeebe Modeler OAuth token issue · Issue #296 · zeebe-io/zeebe-modeler · GitHub

I have also added the logs to the issue:

ERROR app:zeebe-api Failed to connect with config (secrets omitted): {
  endpoint: {
    type: 'oauth',
    url: 'localhost:50051',
    clientId: '****************************',
    oauthURL: 'http://localhost:4000/token'
  }
} Error: 14 UNAVAILABLE: No connection established
    at Object.callErrorFromStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\call.js:30:26)
    at Object.onReceiveStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\client.js:174:52)
    at C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\call-stream.js:63:35
    at Object.onReceiveStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\zeebe-node\dist\lib\GrpcClient.js:138:36)
    at InterceptingListenerImpl.onReceiveStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\call-stream.js:58:23)
    at Object.onReceiveStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:340:141)
    at Object.onReceiveStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\client-interceptors.js:303:181)
    at Http2CallStream.outputStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\call-stream.js:114:27)
    at Http2CallStream.maybeOutputStatus (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\call-stream.js:153:22)
    at Http2CallStream.endCall (C:\dev\experiment\zeebe-modeler\app\node_modules\@grpc\grpc-js\build\src\call-stream.js:140:18) {
  code: 14,
  details: 'No connection established',
  metadata: Metadata { internalRepr: Map {}, options: {} }
}

Thank you,

It looks like it’s not an authentication issue but rather some other problem. According to the gRPC docs, error 14 means:

The service is currently unavailable. This is most likely a transient condition, which can be corrected by retrying with a backoff. Note that it is not always safe to retry non-idempotent operations.

Can you try to use zeebe-node to connect to your cluster? This is what Zeebe Modeler uses under the hood.


Hello @barmac,

I have written and run this snippet:

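const { ZBClient } = require('zeebe-node');

// Connect to the gateway; the access token is fetched from the OAuth endpoint.
const zbc = new ZBClient('0.0.0.0:50051', {
  oAuth: {
    url: 'http://127.0.0.1:4000/token',
    audience: '***********************************',
    clientId: '***********************************',
    clientSecret: '****************************************',
    cacheOnDisk: true,
  },
  // With useTLS: true the client starts a TLS handshake with the gateway.
  useTLS: true,
});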

Here are the logs:

10:52:30.488 | zeebe | INFO: [topology]: 14 UNAVAILABLE: failed to connect to all addresses
E0423 10:52:31.487000000 12952 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
10:52:31.503 | zeebe | INFO: [topology]: Attempt 2 (max: -1).
10:52:31.505 | zeebe | INFO: [topology]: 14 UNAVAILABLE: failed to connect to all addresses
10:52:32.505 | zeebe | INFO: [topology]: Attempt 3 (max: -1).
10:52:32.507 | zeebe | INFO: [topology]: 14 UNAVAILABLE: failed to connect to all addresses
E0423 10:52:33.103000000 12952 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

However, when I do useTLS: false, it does work! I have another endpoint in HTTPS, and it only works when useTLS is set to false, otherwise, I get the error above!

@barmac: do you think that a feature that would expose the useTLS value to the end user (as a tick box) would be conceivable in Zeebe Modeler?

Thank you,

Thanks for the test result. I am happy that you were able to find the root cause of the problem.

@barmac: do you think that a feature that would expose the useTLS value to the end user (as a tick box) would be conceivable in Zeebe Modeler?

I’d rather not expose it as a tick as this is strictly related to the endpoint URL: http or https. So then comes the question whether we should detect the provided protocol and adjust the option. In my opinion: no, because this could open a security hole as we generally don’t want to make it easier to pass tokens over an unencrypted connection.

I have another endpoint in HTTPS, and it only works when useTLS is set to false, otherwise, I get the error above!

Did I get it correctly that you were unable to connect to an HTTPS endpoint? In that case, please open an issue at Issues · zeebe-io/zeebe-modeler · GitHub


Thank you @barmac for your feedback.

Indeed, it will expose tokens over an insecure connection.

I have reported this on GitHub: Unable to connect to an HTTPS endpoint · Issue #297 · zeebe-io/zeebe-modeler · GitHub
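
The diagnosis reached in this thread, as an added example (not code from the thread, Zeebe Modeler or zeebe-node): `WRONG_VERSION_NUMBER` means a TLS client received a non-TLS reply, so the failure is a transport mismatch rather than an OAuth problem, and plaintext is accepted only for loopback peers so that tokens do not cross the network unencrypted. The function names, result labels, `example.test` hosts and the loopback-only policy are assumptions.

```javascript
// Added example; names and the loopback-only policy are assumptions.

// Map a client log to the most likely failure class.
function classifyFailure(logText) {
  // TLS client received non-TLS bytes: the server side is plaintext.
  if (/WRONG_VERSION_NUMBER/.test(logText)) return 'tls-mismatch';
  if (/\b16 UNAUTHENTICATED\b/.test(logText)) return 'auth';
  if (/\b14 UNAVAILABLE\b/.test(logText)) return 'unreachable';
  return 'unknown';
}

function isLoopback(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  return h === 'localhost' || h === '::1' || /^127(\.\d+){3}$/.test(h);
}

// Return the cleartext exposures a connection config would create.
// Plaintext is tolerated only when the peer is a loopback address.
function auditTransport({ gateway, oauthUrl, useTLS }) {
  const findings = [];
  const oauth = new URL(oauthUrl);
  // The gateway is given as host:port; borrow URL parsing for the host part.
  const gatewayHost = new URL('http://' + gateway).hostname;
  if (oauth.protocol !== 'https:' && !isLoopback(oauth.hostname)) {
    findings.push('oauth-cleartext');   // client secret and issued token exposed
  }
  if (!useTLS && !isLoopback(gatewayHost)) {
    findings.push('gateway-cleartext'); // bearer token exposed on each call
  }
  return findings;
}

// Log lines taken from the thread above.
const THREAD_LOG = [
  '10:52:30.488 | zeebe | INFO: [topology]: 14 UNAVAILABLE: failed to connect to all addresses',
  'E0423 10:52:31.487000000 12952 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.',
].join('\n');

console.log(classifyFailure(THREAD_LOG));
console.log(auditTransport({ gateway: 'localhost:50051', oauthUrl: 'http://localhost:4000/token', useTLS: false }));
console.log(auditTransport({ gateway: 'zeebe.example.test:26500', oauthUrl: 'http://auth.example.test/token', useTLS: false }));
```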