Getting 403 user unauthorized while connecting to my solid server with angular demo app

Hi i am running a private solid server. I can register an account, successfully login and read and write my profile.

I started playing with the angular example app (https://solid.inrupt.com/docs/writing-solid-apps-with-angular), but i cant read or write my profile. I enter the URL of my solid server, get redirected to the servers login page, login and get then redirected back to the angular app showing an empty profile. If I try to change a value of the profile I get “403 user unauthorized”. The problem seems to be that the agent submitted to the server for the acl check is null.

If I try the same thing with the solid.community server everything works fine. Thus it has to be a problem with my solid server. I have appended my server config, the debug output from server startup and the debug output from the server for accessing the profile with the angular app.

Because as a new user i am only allowed to publish two links in a post I had to change www to , .de to <.de> and so on. Additionally i change my domain name to <MY_DOMANY> and omitted some details with .

Server Config:

{
“root”: “/usr/src/app/data”,
“port”: “8443”,
“serverUri”: “https://<MY_DOMAIN>:8443”,
“webid”: true,
“configPath”: “./config”,
“configFile”: “./config.json”,
“dbPath”: “./.db”,
“sslKey”: “/run/secrets/<MY_DOMAIN>.key”,
“sslCert”: “/run/secrets/<MY_DOMAIN>.cert”,
“multiuser”: true,
“emailHost”: “smtp.1und1<.de>”,
“emailPort”: “587”,
“emailAuthUser”: “no-reply@<MY_DOMAIN>”,
“emailAuthPass”: “pw”,
“enforceToc”: false,
“disablePasswordChecks”: false,
“supportEmail”: “support@<MY_DOMAIN>”,
“server”: {
“name”: “<MY_DOMAIN>”,
“description”: “”,
“logo”: “”
}
}

Server Startup Debug output:

10:06:14 GMT solid:settings Server URI: https://<MY_DOMAIN>:8443
10:06:14 GMT solid:settings Auth method: oidc
10:06:14 GMT solid:settings Strict origins: true
10:06:14 GMT solid:settings Allowed origins: https://apps.solid.invalid
10:06:14 GMT solid:settings Db path: ./.db
10:06:14 GMT solid:settings Config path: ./config
10:06:14 GMT solid:settings Suffix Acl: .acl
10:06:14 GMT solid:settings Suffix Meta: .meta
10:06:14 GMT solid:settings Filesystem Root: /usr/src/app/data
10:06:14 GMT solid:settings Allow WebID authentication: true
10:06:14 GMT solid:settings Live-updates: true
10:06:14 GMT solid:settings Multi-user: true
10:06:14 GMT solid:settings Suppress default data browser app: undefined
10:06:14 GMT solid:settings Default data browser app file path: default
10:06:14 GMT solid:settings Base URL (–mount): /
10:06:14 GMT solid:settings SSL Private Key path: /run/secrets/<MY_DOMAIN>.key
10:06:14 GMT solid:settings SSL Certificate path: /run/secrets/<MY_DOMAIN>.cert
Solid server () running on https://:8443/
Press +c to stop
10:06:14 GMT solid:authentication Provider keys loaded from config
10:06:15 GMT solid:authentication Provider keychain initialized
10:06:15 GMT solid:authentication Not sleeping before client registration…
10:06:16 GMT solid:authentication Client not present for issuer https://<MY_DOMAIN>:8443, initializing new client
10:06:16 GMT solid:authentication Registering new client for issuer https://<MY_DOMAIN>:8443
10:06:37 GMT solid:authentication Error registering a new client: { FetchError: request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443
at ClientRequest. (/usr/local/lib/node_modules/solid-server/node_modules/node-fetch/lib/index.js:1444:11)
at ClientRequest.emit (events.js:189:13)
at TLSSocket.socketErrorListener (_http_client.js:392:9)
at TLSSocket.emit (events.js:189:13)
at emitErrorNT (internal/streams/destroy.js:82:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
at process._tickCallback (internal/process/next_tick.js:63:19)
message:
‘request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443’,
type: ‘system’,
errno: ‘EAI_AGAIN’,
code: ‘EAI_AGAIN’ }
10:06:37 GMT solid:authentication Error initializing local RP client: { FetchError: request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443
at ClientRequest. (/usr/local/lib/node_modules/solid-server/node_modules/node-fetch/lib/index.js:1444:11)
at ClientRequest.emit (events.js:189:13)
at TLSSocket.socketErrorListener (_http_client.js:392:9)
at TLSSocket.emit (events.js:189:13)
at emitErrorNT (internal/streams/destroy.js:82:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
at process._tickCallback (internal/process/next_tick.js:63:19)
message:
‘request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443’,
type: ‘system’,
errno: ‘EAI_AGAIN’,
code: ‘EAI_AGAIN’ }

Server Debug output for the request:

09:33:22 GMT solid:ACL Permissions on https://<MY_DOMAIN>:8443/ for (none): read
09:33:22 GMT solid:ACL Permissions on https://<MY_DOMAIN>:8443/ for public: read
09:33:22 GMT solid:get / on <MY_DOMAIN>
09:33:22 GMT solid:handlers GET – Reading /usr/src/app/data/<MY_DOMAIN>/index.html
09:34:50 GMT solid:authentication User not authenticated, sending to /login
09:35:06 GMT solid:authentication Logging in via username + password
09:35:06 GMT solid:authentication Attempting to login user: jason07.<MY_DOMAIN>:8443/profile/card#me
09:35:06 GMT solid:authentication User found, password matches
09:35:06 GMT solid:authentication Initializing user session with webId: https://jason07.<MY_DOMAIN>:8443/profile/card#me
09:35:06 GMT solid:authentication Login successful, redirecting to https://<MY_DOMAIN>:8443/authorize?response_type=id_token%20token&display=&scope=openid&client_id=&redirect_uri=&state=&nonce=&request=
09:35:06 GMT solid:authentication User is already authenticated as https://jason07.<MY_DOMAIN>:8443/profile/card#me
09:35:07 GMT solid:authentication Rejecting session for https://jason07.<MY_DOMAIN>:8443/profile/card#me from http://:4200
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL Mode required and allowed:<http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL Using ACL https://jason07.<MY_DOMAIN>:8443/profile/.acl for ./card
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL Mode required and allowed:<http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Write>
09:35:07 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Write> Denying with User Unauthorized
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Append>
09:35:07 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Append> Denying with User Unauthorized
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:07 GMT solid:ACL Check failed: User Unauthorized
09:35:07 GMT solid:ACL Agent or group: Ok, its public.
09:35:07 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:07 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:07 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Control>
09:35:07 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Control> Denying with User Unauthorized
09:35:07 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:07 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:07 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:07 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:07 GMT solid:ACL The agent/group check fails
09:35:08 GMT solid:ACL Check failed: User Unauthorized
09:35:08 GMT solid:ACL Agent or group: Ok, its public.
09:35:08 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:08 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:08 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Write>
09:35:08 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Write> Denying with User Unauthorized
09:35:08 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:08 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:08 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:08 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:08 GMT solid:ACL The agent/group check fails
09:35:08 GMT solid:ACL Check failed: User Unauthorized
09:35:08 GMT solid:ACL Agent or group: Ok, its public.
09:35:08 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:08 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:08 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Append>
09:35:08 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Append> Denying with User Unauthorized
09:35:08 GMT solid:ACL accessDenied: checking access to <https://jason07.<MY_DOMAIN>:8443/profile/card> by null and origin <http://:4200>
09:35:08 GMT solid:ACL 2 default authentications about <https://jason07.<MY_DOMAIN>:8443/profile/> in <https://jason07.<MY_DOMAIN>:8443/profile/.acl>
09:35:08 GMT solid:ACL Checking auth <https://jason07.<MY_DOMAIN>:8443/profile/.acl#owner> with agent null
09:35:08 GMT solid:ACL Agent or group: Fail: not public and not logged on.
09:35:08 GMT solid:ACL The agent/group check fails
09:35:08 GMT solid:ACL Check failed: User Unauthorized
09:35:08 GMT solid:ACL Agent or group: Ok, its public.
09:35:08 GMT solid:ACL Mode allowed: <http://.w3<.org>/ns/auth/acl#Read>
09:35:08 GMT solid:ACL accessDenied: modeURIorReasons: [“User Unauthorized”,“http://.w3<.org>/ns/auth/acl#Read”]
09:35:08 GMT solid:ACL checking <http://.w3<.org>/ns/auth/acl#Control>
09:35:08 GMT solid:ACL MODE REQUIRED NOT ALLOWED: <http://.w3<.org>/ns/auth/acl#Control> Denying with User Unauthorized
09:35:08 GMT solid:ACL Permissions on https://jason07.<MY_DOMAIN>:8443/profile/card for (none): read
09:35:08 GMT solid:ACL Permissions on https://jason07.<MY_DOMAIN>:8443/profile/card for public: read
09:35:08 GMT solid:get /profile/card on jason07.<MY_DOMAIN>
09:35:08 GMT solid:handlers GET – Reading /usr/src/app/data/jason07.<MY_DOMAIN>/profile/card$.ttl

Sounds a bit like a problem I’m struggling with as well (the null agent), but I think your problem is something else. This is probably the root cause:

‘request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443’,
type: ‘system’,
errno: ‘EAI_AGAIN’,
code: ‘EAI_AGAIN’ }
10:06:37 GMT solid:authentication Error initializing local RP client: { FetchError: request to https://<MY_DOMAIN>:8443/.well-known/openid-configuration failed, reason: getaddrinfo EAI_AGAIN <MY_DOMAIN> <MY_DOMAIN>:8443

I’m not familiar with the EAI_AGAIN error, but it looks node related - timeout on dns lookup according to this post: https://stackoverflow.com/questions/40182121/error-getaddrinfo-eai-again

So I would check if hostnames are ok everywhere - make sure you also have the jason07 subdomain correctly setup in the host file or dns.

1 Like

It sounds like you might be experiencing a known regression bug on NSS v5. There is a fix waiting to be merged, but stuff takes a bit of time.

If you’ve set up the server by cloning the NSS repo, you can check out the branch fix/faulty-403 if you want to try out the fix.

2 Likes

I managed to get rid of the EAI_AGAIN error. I am running the solid server in a docker container and the problem was that the container had no internet access. I could not ping the public google DNS at 8.8.8.8 from inside the container, but the server answered my request anyway. That behavior was a little bit weird. It seems that a container restart fixed this. Now the server starts without any errors, but the issue with the null agent still persist.

I have installed solid from npm in a docker container. I have done a rollback to version 4.4.1 and now the angular app has access as intended. If I have some time to test the fix I will post the result here.
Thank you for your answers!

1 Like

(
I have tried out the fix. It works as intended. I now get a 403 Unknown Origin (maybe the error named a little bit different). If I disable strict origins I have proper read and write access to the pod with the angular app.

I also disabled strict origins in my nss 5.0.0-beta.7 server, but that does not fix it. Thus the bug is more than just a wrong error code sent, am I right?

My server running nss 4.4.1 seems to just ignore origins. Probably the feature is not implemented in that version.

Thanks for your help!

1 Like

Could be that the handling of trustedOrigins when turned off is a bit off (not that well tested, I must admit)… If you want to and are able to create an issue with logs and stuff, that is highly appreciated :slight_smile:

I have created logs for nss 4.4.1, nss 5.0.0-beta.7 and the version from branch /fix-faulty403 with strict enabled and strict disabled. I have read the issue you have submitted, reviewed the logs and my conclusion is, that it is exactly what is happening on my server. It sends a 403 unauthorized and thus the origin check seems not to happen, because the session is closed before that. The origin check happens after the agent check.

Therefore I think there is no need to open a new issue.

1 Like