Ejabberd: [help] oath token

Created on 28 Aug 2017 · 6 Comments · Source: processone/ejabberd

What version of ejabberd are you using?

17.01

````
[root@canlmsg01 ejabberd]# rpm -qa | grep ejabberd
ejabberd-17.01-2.fc26.x86_64
````

What operating system (version) are you using?

Fedora server 26

How did you install ejabberd (source, package, distribution)?

distribution

What did not work as expected? Are there error messages in the log? What
was the unexpected behavior? What was the expected result?

Configure API oath token

Hello Everyone,
Trying to configure API OAuth token access and getting access denied all the time.

````
[root@canlmsg01 ejabberd]# ejabberdctl oauth_issue_token "[email protected]" 31536000 "sasl_auth"
Error: access_denied
````

````
2017-08-27 23:20:22.930 [debug] <0.270.0>@ejabberd_access_permissions:handle_call:138 Command 'oauth_issue_token' execution allowed by rule 'console commands' (CallerInfo=#{caller_module => ejabberd_ctl})
2017-08-27 23:20:22.930 [debug] <0.703.0>@ejabberd_commands:do_execute_command:605 Executing command ejabberd_oauth:oauth_issue_token with Args=["[email protected]",31536000,"sasl_auth"]

````
I didn't add any api_permissions: section; I think the default should be enough.

Config
````
port: 5280
module: ejabberd_http
request_handlers:
"/websocket": ejabberd_http_ws
"/oauth": ejabberd_oauth
"/api": mod_http_api
# "/pub/muclogs": mod_muc_log_http
web_admin: true
http_bind: true
register: false
captcha: false
oauth_db_type: sql
commands_admin_access: configure
commands:
- add_commands:
- user
# Tokens are valid for a year as default:
auth_expire: 31536000
oauth_access: all

admin:
user:
- "volga629": "canlmsg01.networklab.prod"
- "api-master": "canlmsg01.networklab.prod"

## Only admins can use the configuration interface:
configure:
admin: allow

````

Any help thank you.


All 6 comments

Hello,
Command was executed in your case (so there is nothing wrong with api_permissions), but was rejected by the oauth module; most likely the oauth_access: option is wrong in your config. Do you have it as a top-level option (without any indentation before it)?

As you can see in the config, it is set to oauth_access: all

Yes, but it also looks like it's indented, and it should not be (it's a top-level option).

I just don't know how exactly it should be structured.
Here is the listen part of the config:

````
###.  ===============
###'  LISTENING PORTS

##
## listen: The ports ejabberd will listen on, which service each is handled
##         by and what options to start it with.
##
listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/server.pem"
    starttls: true
    zlib: true
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ## starttls_required: true
    ##
    ## Custom OpenSSL options
    ##
    protocol_options:
      - "no_sslv3"
      ## - "no_tlsv1"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5443
    module: ejabberd_http
    tls: true
    certfile: "/etc/ejabberd/networklab_ca.pem"
    request_handlers:
      "": mod_http_upload

  ##
  ## ejabberd_service: Interact with external components (transports, ...)
  ##
  ## -
  ## port: 8888
  ## module: ejabberd_service
  ## access: all
  ## shaper_rule: fast
  ## ip: "127.0.0.1"
  ## hosts:
  ## "icq.example.org":
  ## password: "secret"
  ## "sms.example.org":
  ## password: "secret"

  ##
  ## ejabberd_stun: Handles STUN Binding requests
  ##
  ## -
  ## port: 3478
  ## transport: udp
  ## module: ejabberd_stun

  ##
  ## To handle XML-RPC requests that provide admin credentials:
  ##
  -
    port: 4560
    module: ejabberd_xmlrpc
    maxsessions: 10
    timeout: 5000
    access_commands:
      xmlrpc:
        commands: all
        options: []
  -
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/oauth": ejabberd_oauth
      "/api": mod_http_api
    web_admin: true
    http_bind: true
    register: false
    captcha: false
    commands_admin_access: configure
    commands:
      - add_commands:
          - users
          - connected_users
    oauth_db_type: sql
    oauth_expire: 280080
    oauth_access: all
  -
    port: 5282
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/oauth": ejabberd_oauth
      # ReST API:
      "/api": mod_http_api
    certfile: "/etc/ejabberd/networklab_ca.pem"
    tls: true

    "/pub/archive": mod_http_fileserver

    web_admin: false
    http_bind: true
    register: false
    captcha: false
    #
  - -
````

oauth_access is not an option in the listen section, it's a top-level option, so it should look something like this:

````
oauth_access: all

listen: 
  - 
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/server.pem"
    starttls: true
    zlib: true
...
````

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
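
The placement problem diagnosed in this thread can be caught before a restart. The following is an added example, not part of the original thread and not ejabberd code: a dependency-free Python scan that reports `oauth_access` when it is nested (for instance inside a `listen` entry) instead of being a top-level key. The function name, the sample config and the indentation heuristic are assumptions for illustration; it is not a full YAML parser.

```python
import re

# Must be top-level keys; only oauth_access is confirmed by this thread.
TOP_LEVEL_ONLY = frozenset({"oauth_access"})
KEY_RE = re.compile(r'^(\s*)(-\s+)?"?([A-Za-z_][\w-]*)"?\s*:')

def find_misplaced(config_text, watched=TOP_LEVEL_ONLY):
    """Return (line_no, option, section, port) per watched option found nested."""
    findings, section, port, item_col = [], None, None, None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue                      # blank line or comment
        col = len(raw) - len(raw.lstrip())
        if body.startswith("-"):
            if item_col is None:
                item_col = col            # column of this section's list items
            if col == item_col:
                port = None               # a new listener entry begins
        m = KEY_RE.match(raw)
        if not m:
            continue
        key = m.group(3)
        indent = col + len(m.group(2) or "")
        if indent == 0:                   # a real top-level key
            section, port, item_col = key, None, None
        elif key == "port":
            digits = re.match(r"\s*(\d+)", raw[m.end():])
            port = int(digits.group(1)) if digits else None
        elif key in watched:
            findings.append((line_no, key, section, port))
    return findings

# Constructed sample modelled on the config in the thread (not the real file).
BROKEN = """\
listen:
  -
    port: 5222
  -
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/oauth": ejabberd_oauth
    oauth_access: all
"""
FIXED = "oauth_access: all\n" + BROKEN.replace("    oauth_access: all\n", "")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_misplaced(text))
```

Pass a larger `watched` set to check other options that your ejabberd version documents as top-level only.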
