Getting 403 user unauthorized while connecting to my solid server with angular demo app

Hi i am running a private solid server. I can register an account, successfully login and read and write my profile.

I started playing with the angular example app (https://solid.inrupt.com/docs/writing-solid-apps-with-angular), but i cant read or write my profile. I enter the URL of my solid server, get redirected to the servers login page, login and get then redirected back to the angular app showing an empty profile. If I try to change a value of the profile I get “403 user unauthorized”. The problem seems to be that the agent submitted to the server for the acl check is null.

If I try the same thing with the solid.community server everything works fine. Thus it has to be a problem with my solid server. I have appended my server config, the debug output from server startup and the debug output from the server for accessing the profile with the angular app.

Because as a new user i am only allowed to publish two links in a post I had to change www to , .de to <.de> and so on. Additionally i change my domain name to <MY_DOMANY> and omitted some details with .

Server Config:

{
“root”: “/usr/src/app/data”,
“port”: “8443”,
“serverUri”: “https://<MY_DOMAIN>:8443”,
“webid”: true,
“configPath”: “./config”,
“configFile”: “./config.json”,
“dbPath”: “./.db”,
“sslKey”: “/run/secrets/<MY_DOMAIN>.key”,
“sslCert”: “/run/secrets/<MY_DOMAIN>.cert”,
“multiuser”: true,
“emailHost”: “smtp.1und1<.de>”,
“emailPort”: “587”,
“emailAuthUser”: “no-reply@<MY_DOMAIN>”,
“emailAuthPass”: “pw”,
“enforceToc”: false,
“disablePasswordChecks”: false,
“supportEmail”: “support@<MY_DOMAIN>”,
“server”: {
“name”: “<MY_DOMAIN>”,
“description”: “”,
“logo”: “”
}
}

Server Startup Debug output:

10:06:14 GMT solid:settings Server URI: https://<MY_DOMAIN>:8443
10:06:14 GMT solid:settings Auth method: oidc
10:06:14 GMT solid:settings Strict origins: true
10:06:14 GMT solid:settings Allowed origins: https://apps.solid.invalid
10:06:14 GMT solid:settings Db path: ./.db
10:06:14 GMT solid:settings Config path: ./config
10:06:14 GMT solid:settings Suffix Acl: .acl
10:06:14 GMT solid:settings Suffix Meta: .meta
10:06:14 GMT solid:settings Filesystem Root: /usr/src/app/data
10:06:14 GMT solid:settings Allow WebID authentication: true
10:06:14 GMT solid:settings Live-updates: true
10:06:14 GMT solid:settings Multi-user: true
10:06:14 GMT solid:settings Suppress default data browser app: undefined
10:06:14 GMT solid:settings Default data browser app file path: default
10:06:14 GMT solid:settings Base URL (–mount): /
10:06:14 GMT solid:settings SSL Private Key path: /run/secrets/<MY_DOMAIN>.key
10:06:14 GMT solid:settings SSL Certificate path: /run/secrets/<MY_DOMAIN>.cert
Solid server () running on https://:8443/
Press +c to stop
10:06:14 GMT solid:authentication Provider keys loaded from config
10:06:15 GMT solid:authentication Provider keychain initialized
10:06:15 GMT solid:authentication Not sleeping before client registration…
10:06:16 GMT solid:authentication Client not present for issuer https://<MY_DOMAIN>:8443, initializing new client
10:06:16 GMT solid:authentication Registering new client for issuer https://<MY_DOMAIN>:8443
10:06:37 GMT solid:authentication Error registering a new client: { FetchError: request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443
at ClientRequest. (/usr/local/lib/node_modules/solid-server/node_modules/node-fetch/lib/index.js:1444:11)
at ClientRequest.emit (events.js:189:13)
at TLSSocket.socketErrorListener (_http_client.js:392:9)
at TLSSocket.emit (events.js:189:13)
at emitErrorNT (internal/streams/destroy.js:82:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
at process._tickCallback (internal/process/next_tick.js:63:19)
message:
‘request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443’,
type: ‘system’,
errno: ‘EAI_AGAIN’,
code: ‘EAI_AGAIN’ }
10:06:37 GMT solid:authentication Error initializing local RP client: { FetchError: request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443
at ClientRequest. (/usr/local/lib/node_modules/solid-server/node_modules/node-fetch/lib/index.js:1444:11)
at ClientRequest.emit (events.js:189:13)
at TLSSocket.socketErrorListener (_http_client.js:392:9)
at TLSSocket.emit (events.js:189:13)
at emitErrorNT (internal/streams/destroy.js:82:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
at process._tickCallback (internal/process/next_tick.js:63:19)
message:
‘request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443’,
type: ‘system’,
errno: ‘EAI_AGAIN’,
code: ‘EAI_AGAIN’ }

Server Debug output for the request:

09:33:22 GMT solid:ACL Permissions on https://<MY_DOMAIN>:8443/ for (none): read
09:33:22 GMT solid:ACL Permissions on https://<MY_DOMAIN>:8443/ for public: read
09:33:22 GMT solid:get / on <MY_DOMAIN>
09:33:22 GMT solid:handlers GET – Reading /usr/src/app/data/<MY_DOMAIN>/index.html
09:34:50 GMT solid:authentication User not authenticated, sending to /login
09:35:06 GMT solid:authentication Logging in via username + password
09:35:06 GMT solid:authentication Attempting to login user: jason07.<MY_DOMAIN>:8443/profile/card#me
09:35:06 GMT solid:authentication User found, password matches
09:35:06 GMT solid:authentication Initializing user session with webId: https://jason07.<MY_DOMAIN>:8443/profile/card#me
09:35:06 GMT solid:authentication Login successful, redirecting to https://<MY_DOMAIN>:8443/authorize?response_type=id_token%20token&display=&scope=openid&client_id=&redirect_uri=&state=&nonce=&request=
09:35:06 GMT solid:authentication User is already authenticated as https://jason07.<MY_DOMAIN>:8443/profile/card#me
09:35:07 GMT solid:authentication Rejecting session for https://jason07.<MY_DOMAIN>:8443/profile/card#me from http://:4200
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL Mode required and allowed:<http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL Mode required and allowed:<http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Write>
09:35:07 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Write> Denying with User Unauthorized
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Append>
09:35:07 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Append> Denying with User Unauthorized
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Control>
09:35:07 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Control> Denying with User Unauthorized
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:08 GMT solid:ACL Check failed: User Unauthorized
09:35:08 GMT solid:ACL Agent or group: Ok, its public.
09:35:08 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:08 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:08 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Write>
09:35:08 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Write> Denying with User Unauthorized
09:35:08 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:08 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:08 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:08 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:08 GMT solid:ACL The agent/group check fails
09:35:08 GMT solid:ACL Check failed: User Unauthorized
09:35:08 GMT solid:ACL Agent or group: Ok, its public.
09:35:08 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:08 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:08 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Append>
09:35:08 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Append> Denying with User Unauthorized
09:35:08 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:08 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:08 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:08 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:08 GMT solid:ACL The agent/group check fails
09:35:08 GMT solid:ACL Check failed: User Unauthorized
09:35:08 GMT solid:ACL Agent or group: Ok, its public.
09:35:08 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:08 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:08 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Control>
09:35:08 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Control> Denying with User Unauthorized
09:35:08 GMT solid:ACL Permissions on https://jason07.<MY_DOMAIN>:8443/profile/card for (none): read
09:35:08 GMT solid:ACL Permissions on https://jason07.<MY_DOMAIN>:8443/profile/card for public: read
09:35:08 GMT solid:get /profile/card on jason07.<MY_DOMAIN>
09:35:08 GMT solid:handlers GET – Reading /usr/src/app/data/jason07.<MY_DOMAIN>/profile/card$.ttl

Sounds a bit like a problem I’m struggling with as well (the null agent), but I think your problem is something else. This is probably the root cause:

‘request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443’,
type: ‘system’,
errno: ‘EAI_AGAIN’,
code: ‘EAI_AGAIN’ }
10:06:37 GMT solid:authentication Error initializing local RP client: { FetchError: request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443

I’m not familiar with the EAI_AGAIN error, but it looks node related - timeout on dns lookup according to this post: javascript - What's the cause of the error 'getaddrinfo EAI_AGAIN'? - Stack Overflow

So I would check if hostnames are ok everywhere - make sure you also have the jason07 subdomain correctly setup in the host file or dns.

It sounds like you might be experiencing a known regression bug on NSS v5. There is a fix waiting to be merged, but stuff takes a bit of time.

If you’ve set up the server by cloning the NSS repo, you can check out the branch fix/faulty-403 if you want to try out the fix.

I managed to get rid of the EAI_AGAIN error. I am running the solid server in a docker container and the problem was that the container had no internet access. I could not ping the public google DNS at 8.8.8.8 from inside the container, but the server answered my request anyway. That behavior was a little bit weird. It seems that a container restart fixed this. Now the server starts without any errors, but the issue with the null agent still persist.

I have installed solid from npm in a docker container. I have done a rollback to version 4.4.1 and now the angular app has access as intended. If I have some time to test the fix I will post the result here.
Thank you for your answers!

(
I have tried out the fix. It works as intended. I now get a 403 Unknown Origin (maybe the error named a little bit different). If I disable strict origins I have proper read and write access to the pod with the angular app.

I also disabled strict origins in my nss 5.0.0-beta.7 server, but that does not fix it. Thus the bug is more than just a wrong error code sent, am I right?

My server running nss 4.4.1 seems to just ignore origins. Probably the feature is not implemented in that version.

Thanks for your help!

Could be that the handling of trustedOrigins when turned off is a bit off (not that well tested, I must admit)… If you want to and are able to create an issue with logs and stuff, that is highly appreciated

I have created logs for nss 4.4.1, nss 5.0.0-beta.7 and the version from branch /fix-faulty403 with strict enabled and strict disabled. I have read the issue you have submitted, reviewed the logs and my conclusion is, that it is exactly what is happening on my server. It sends a 403 unauthorized and thus the origin check seems not to happen, because the session is closed before that. The origin check happens after the agent check.

Therefore I think there is no need to open a new issue.