Why does my login to Xray UI fail with a message “error token exchange” in the browser after entering credentials during the SSO redirect?

Nihal Reddy Chinna Choudhary
2019-01-17 22:21

Summary

When you access the Xray URL, you are redirected to the Artifactory login page for Single Sign On (SSO). After a successful login, the SSO redirect should take you back to the Xray home page. Instead, the browser may show the error "error token exchange".
 

Affected Versions

Artifactory 6.x
 

Details

When this issue occurs, you will notice the following error in the Artifactory request.log: the request to the API endpoint /api/system/gateway/openid/token returns HTTP 401 right after the failed login.

20181219200724|14|REQUEST|10.103.146.36|non_authenticated_user|POST|/api/system/gateway/openid/token|HTTP/1.1|401|1907 

Normally this request returns HTTP 200 for a successful login.

In xray_server.log with debug logging enabled, you will see an HTTP 401 Unauthorized error with the message "Failed to get sso info response".
 

Here are related log messages in the xray_server.log:

[2018/12/19 21:21:45 UTC] [EROR] (jfrog.com/xray/access/access_sso.(*AccessSsoClient).ExchangeToken:73) Failed to get sso info response , err: statusCode: 401, models.AccessError{Code:"", Message:"Unauthorized", Detail:""}

[2018/12/19 21:21:45 UTC] [EROR] (jfrog.com/xray/handlers/auth.AuthHandler.SsoExchange:343) statusCode: 401, models.AccessError{Code:"", Message:"Unauthorized", Detail:""} 
 

Resolution

This issue occurs when the reverse proxy server or load balancer in front of Artifactory does not set the X-Artifactory-Override-Base-Url header and does not pass the Server header through (proxy_pass_header Server in Nginx). When Xray or any other client communicates with Artifactory, Artifactory returns HTTP response headers that include its Base URL and the Artifactory version in the Server header. A reverse proxy or load balancer in front of Artifactory can override these headers, including the Server header and the Artifactory Base URL.

Xray, as the client, expects the Artifactory Base URL and a specific value in the Server header while communicating with Artifactory. If the reverse proxy or load balancer overrides the response from Artifactory that carries the Base URL and the Server header, the exchange fails because the Xray service did not receive the expected values in the HTTP headers.

To resolve this issue, set the X-Artifactory-Override-Base-Url header to the Artifactory URL in the configuration of the reverse proxy in front of Artifactory, and also pass the Server header through (proxy_pass_header Server).

Note that the protocol in the Artifactory URL should be http if SSL is not set up and https if SSL is enabled. The example below assumes SSL has been enabled at the reverse proxy and Artifactory is accessed over HTTPS.

When updating your reverse proxy configuration, remember to replace the variable ${Artifactory_domain} in the example below with your Artifactory FQDN.

 

Here is an example for Nginx (place these directives inside the server or location block that proxies to Artifactory):

# Tell Artifactory the external URL that clients use, so it builds correct redirects and links
proxy_set_header X-Artifactory-Override-Base-Url https://${Artifactory_domain}/artifactory;
# Let Artifactory's own Server response header through instead of replacing it with Nginx's
proxy_pass_header Server;

If you are using only a load balancer in front of Artifactory, set the "Custom URL Base" or the X-Artifactory-Override-Base-Url header in your load balancer configuration to the Artifactory URL as in the example above. In addition, the HTTP Server header must be allowed to pass through the load balancer and its value must not be overridden.
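Two small checks to confirm the symptom and the cause described above, added here as an example and not part of the JFrog article: the first scans Artifactory's request.log for failed token exchanges, the second verifies from the client side that the proxy passes Artifactory's Server header through. The log lines and headers in the demo are constructed; the curl command in the comment assumes ${Artifactory_domain} is your Artifactory FQDN, and the header check assumes Artifactory's own Server header contains the word "Artifactory".

```shell
#!/bin/sh
# Added example, not part of the JFrog article. Sample log lines and headers
# below are constructed; ${Artifactory_domain} is assumed to be your FQDN.

# Check 1: list failed SSO token exchanges in Artifactory's request.log.
# Fields are '|'-separated: field 7 is the request path, field 9 the status.
# Prints matching lines; returns 1 if any were found, 0 otherwise.
find_failed_token_exchanges() {
    awk -F'|' '
        $7 == "/api/system/gateway/openid/token" && $9 == "401" { print; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Check 2: confirm the reverse proxy lets Artifactory's Server header through.
# Pipe in raw response headers, e.g.
#   curl -sI "https://${Artifactory_domain}/artifactory/api/system/ping" | server_header_passed_through
# Assumes Artifactory's own Server header names "Artifactory"; a value such as
# "nginx/..." means the proxy replaced it. Returns 0 when intact, 1 otherwise.
server_header_passed_through() {
    tr -d '\r' | awk '
        tolower($1) == "server:" && $0 ~ /Artifactory/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Demo on constructed data (first line mirrors the one quoted in the article).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
20181219200724|14|REQUEST|10.103.146.36|non_authenticated_user|POST|/api/system/gateway/openid/token|HTTP/1.1|401|1907
20181219200730|10|REQUEST|10.103.146.36|admin|GET|/api/system/ping|HTTP/1.1|200|2
EOF
if ! find_failed_token_exchanges "$sample_log"; then
    echo "-> token exchange failures found; check the proxy headers"
fi
rm -f "$sample_log"

if printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n\r\n' | server_header_passed_through; then
    echo "Server header intact"
else
    echo "-> Server header overridden by the proxy"
fi
```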