Can't login to brand new install. What am I doing wrong?

I’m trying to play with PrivacyIdea, but I’m unable to log in. I installed it in a Docker container (from the Debian Stable image) with pip, ran pi-manage createdb, pi-manage create_enckey, pi-manage create_audit_keys and pi-manage admin add finn, all of which seemed to work fine. Then when I went to the web UI to log in, I typed my username and password, hit enter and got a red alert in the corner saying “Authentication failed. Expected a string value”. The following traceback is printed to the console:

[2018-04-27 05:40:47,381] ERROR in app: Exception on /auth [POST]
Traceback (most recent call last):
  File "/home/privacyidea/.local/lib/python2.7/site-packages/flask/app.py", line 2284, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/privacyidea/.local/lib/python2.7/site-packages/flask/app.py", line 1807, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/flask/app.py", line 1710, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/flask/app.py", line 1805, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/privacyidea/.local/lib/python2.7/site-packages/flask/app.py", line 1791, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/privacyidea/api/lib/postpolicy.py", line 102, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/privacyidea/api/auth.py", line 292, in get_auth_token
    secret)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/jwt/api_jwt.py", line 55, in encode
    json_payload, key, algorithm, headers, json_encoder
  File "/home/privacyidea/.local/lib/python2.7/site-packages/jwt/api_jws.py", line 104, in encode
    key = alg_obj.prepare_key(key)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/jwt/algorithms.py", line 140, in prepare_key
    key = force_bytes(key)
  File "/home/privacyidea/.local/lib/python2.7/site-packages/jwt/utils.py", line 30, in force_bytes
    raise TypeError('Expected a string value')
TypeError: Expected a string value

I’m at a bit of a loss for how to proceed. I have committed my Dockerfile to a repo here, if anyone wants to try to reproduce it.

Hi Finn,
I don’t know much about docker, but is it possible that the container doesn’t properly set the SECRET_KEY option in pi.cfg? If I read config.py correctly, it should be read from the environment, but I don’t see where its value is actually set. This would explain why creating the JWT token fails.

Ah, I did indeed miss that environment variable! Thanks for the tip, I’ve updated the repo to have a SECRET_KEY environment variable. Unfortunately, it doesn’t seem to have helped; I’m still getting the exact same issue. There isn’t a whole lot of docker magic going on here, but perhaps I’ll try it outside of a container. Is PrivacyIdea expected to work on a basic Debian Stretch install?

Hm, weird! Well, I haven’t tried it recently, but since the docker file uses pip to install privacyIDEA, I see no reason why it shouldn’t work on Debian stretch.

If I had to guess, I would say that the SECRET_KEY environment variable somehow still is not passed down to the pi.cfg file correctly. Could you, for debugging purposes, try to set a fixed SECRET_KEY in the config file?

On a related note, I also noticed PI_PEPPER is missing from the config file, which apparently still allows privacyIDEA to start but would be bad™ in a production setting.

Ah hah, that was it! SECRET_KEY was being set, but to handle some permission issues I was starting the initial container command as root, running chown, then sudoing to a lower user for everything else, but sudo wasn’t passing through the environment variable. Adding -E (and -H to make it not pass through $HOME) seems to have fixed it. Thanks!

Hah, that’s a subtle thing! 🙂 Nice to hear you got it working!
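
The root cause found in this thread, reproduced as an added example (not code from the thread, the poster's Dockerfile, or privacyIDEA): a child process started with a reset environment no longer sees SECRET_KEY or PI_PEPPER, and a start-up check reports that directly instead of letting it surface later as a TypeError during JWT signing. The helper names and the allow-list in reset_env are assumptions; reset_env is a simplified model of what sudo does by default without -E.

```python
import os
import subprocess
import sys

REQUIRED = ("SECRET_KEY", "PI_PEPPER")  # setting names mentioned in the thread


def missing_secrets(environ, required=REQUIRED):
    """Return the required names that are unset or empty in environ."""
    return [name for name in required if not environ.get(name)]


def load_secrets(environ=None, required=REQUIRED):
    """Fail at start-up with a clear message instead of passing None on as a key."""
    environ = os.environ if environ is None else environ
    missing = missing_secrets(environ, required)
    if missing:
        raise RuntimeError("unset or empty in environment: " + ", ".join(missing))
    return {name: environ[name] for name in required}


def reset_env(parent, keep=("PATH", "LANG", "LD_LIBRARY_PATH")):
    """Simplified stand-in for an environment reset on user switch (assumption)."""
    return {k: v for k, v in parent.items() if k in keep}


def child_missing(env):
    """Start a child interpreter with env and return the names it cannot see."""
    code = ("import os, sys; sys.stdout.write(','.join("
            "n for n in sys.argv[1:] if not os.environ.get(n)))")
    proc = subprocess.run([sys.executable, "-c", code] + list(REQUIRED),
                          env=env, stdout=subprocess.PIPE, check=True)
    out = proc.stdout.decode()
    return out.split(",") if out else []


def demo():
    # Constructed values, not real secrets.
    parent = dict(os.environ, SECRET_KEY="constructed-key", PI_PEPPER="constructed-pepper")
    return child_missing(parent), child_missing(reset_env(parent))


if __name__ == "__main__":
    preserved, dropped = demo()
    print("environment preserved, child is missing:", preserved)
    print("environment reset, child is missing:   ", dropped)
    try:
        load_secrets(reset_env(dict(os.environ)))
    except RuntimeError as exc:
        print("start-up check:", exc)
```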