SonarQube OAuth Gitlab Redirection Glitch - gitlab

I ran into a strange glitch with SonarQube (9.1.0.47736 Developer Edition) + GitLab (14.4.2-ee) authentication.
Both services are running on self-hosted servers and have self-signed certificates.
On the server which runs Gitlab (user facing) there is an nginx reverse proxy to provide an HTTPS endpoint to the users. (The Base URL in the SonarQube settings is set accordingly.)
The glitch is that when a user authenticates with his/her Gitlab credentials, he gets redirected to the Gitlab landing page, and not to SonarQube.
In Gitlab the Callback URL is set to https://IP:PORT/oauth2/callback/gitlab as described in the docs.
If one then manually re-visits the SonarQube address, the user is logged in, so the authentication actually worked.
Before landing on the Gitlab page, this page flashes briefly:
And in the SonarQube web.log there is this warning:
WARN web[AX0pVQ771Ww8x0fzAAGu][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.generateError(OAuth2AccessTokenJsonExtractor.java:72)
at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:40)
at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:18)
at com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:53)
at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:97)
at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:92)
at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:115)
at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:102)
at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:92)
at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:75)
at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:68)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:89)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.plugins.PluginsRiskConsentFilter.doFilter(PluginsRiskConsentFilter.java:77)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
at jdk.internal.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:81)
at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:68)
at jdk.internal.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
The self-signed certificate of the GitLab service is imported into SQ's truststore, and authentication and repository access are working without problems.
Any ideas?
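As an added example (not the poster's code, and not part of SonarQube or GitLab), the check below computes the redirect URI SonarQube will send from its Server base URL and compares it with the Callback URL registered in the GitLab application, reporting which components differ; a scheme, host, port or path difference is exactly the "does not match the redirection URI" case in the invalid_grant response above. It assumes SonarQube forms the redirect URI as base URL plus /oauth2/callback/gitlab; the hostnames used are constructed.

```python
"""Check that the redirect URI SonarQube sends matches the GitLab Callback URL.

Added example, not code from the original post or from SonarQube/GitLab.
"""
from typing import List
from urllib.parse import urlsplit

# Assumption: SonarQube derives the redirect URI from its Server base URL
# setting plus this fixed provider callback path.
CALLBACK_PATH = "/oauth2/callback/gitlab"


def expected_redirect_uri(server_base_url: str) -> str:
    """Redirect URI SonarQube will put in the authorization request."""
    return server_base_url.rstrip("/") + CALLBACK_PATH


def _effective_port(parts) -> int:
    # Fill in default ports so https://host and https://host:443 compare equal.
    return parts.port or (443 if parts.scheme == "https" else 80)


def redirect_uri_mismatches(server_base_url: str, registered_callback: str) -> List[str]:
    """Return the components that differ between what SonarQube sends and what
    is registered in GitLab; an empty list means the two URIs agree."""
    want = urlsplit(expected_redirect_uri(server_base_url))
    have = urlsplit(registered_callback.strip())
    problems = []
    if want.scheme != have.scheme:
        problems.append(f"scheme: SonarQube sends {want.scheme!r}, GitLab has {have.scheme!r}")
    if want.hostname != have.hostname:
        problems.append(f"host: SonarQube sends {want.hostname!r}, GitLab has {have.hostname!r}")
    if _effective_port(want) != _effective_port(have):
        problems.append(f"port: SonarQube sends {_effective_port(want)}, GitLab has {_effective_port(have)}")
    if want.path != have.path:
        problems.append(f"path: SonarQube sends {want.path!r}, GitLab has {have.path!r}")
    return problems


if __name__ == "__main__":
    # Constructed values: the proxied base URL versus a callback registered
    # with the backend's own IP and port, the typical reverse-proxy slip.
    for line in redirect_uri_mismatches("https://sonar.example.test/",
                                        "https://10.0.0.5:9000/oauth2/callback/gitlab"):
        print(line)
```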

Related

New Azure AD Connect Cloud agent status inactive

Installed 2 different member servers with Azure AD Connect cloud agents; both have an inactive status.
I confirmed:
Both installs complete successfully
Proxy settings are off
Since the Azure port test URL is no longer working, I manually tested several of the URLs listed on https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud; they were working
Here is a snippet from the local/server logs:
AADConnectProvisioningAgent.exe Error: 0 : Service bootstrap request failed with exception: 'System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at https://[UUID].syncfabric.bootstrap.his.msappproxy.net/ConnectorBootstrap that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStreamAsyncResult.CompleteGetRequestStream(IAsyncResult result)
When it says "the remote server returned an error: 407 proxy authentication", is that the MS end or our end?
After trying numerous updates to the machine.config file, as with most MS products there are 100 different options to "try" to get the proxy settings right. None worked, even after restarting the service.
We eventually gave up on that and manually set the proxy itself to allow the Azure AD agent computer/IP to skip/bypass authentication, and it connected successfully.

Oauth2ClientCredentials - Destination service returned error: unauthorized_client

I am trying to consume a CF destination defined as Oauth2ClientCredentials, where the authentication server needs only user/password and not clientid/clientsecret to generate the token. I have a dummy clientid and client secret in the destination configuration as they are mandatory, but it seems that it takes into consideration only the client id/secret and not the token user/password.
The stack trace is:
com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get authentication headers. Destination service returned error: unauthorized_client.
at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestinationPropertyFactory.getAuthTokenHeaders(ScpCfHttpDestinationPropertyFactory.java:376) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestinationPropertyFactory.getHeadersFromDestination(ScpCfHttpDestinationPropertyFactory.java:328) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestination.getHeaders(ScpCfHttpDestination.java:288) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.wrapRequest(HttpClientWrapper.java:86) ~[cloudplatform-connectivity-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:97) ~[cloudplatform-connectivity-3.0.0.jar:na]
at com.demo.destinationtest.MainController.worksoft(MainController.java:111) ~[classes/:na]
The ScpCfHttpDestination value in debugger is:
ScpCfHttpDestination(destinationType=HTTP, name=test, description=test connection, propertiesByName=ScpCfDestination(destinationType=HTTP, name=test, description=test connection, propertiesByName=DefaultDestination(properties={tokenServiceURLType=Dedicated, clientId=dummy, Description=test connection, tokenServiceUser=mymail#domain.com, tokenServiceURL=http://domain/executionmanager/api/Token, URL=http://domain/executionmanager/api/Requests, Name=test, tokenServicePassword=(hidden), authTokens=[ScpCfDestinationServiceV1Response.DestinationAuthToken(type=, value=, error=unauthorized_client, expiresIn=0)], Type=HTTP, certificates=null, Authentication=OAuth2ClientCredentials, clientSecret=STOTest3, ProxyType=Internet})))
Another destination where I have a good client secret/client id works fine.
The only OAUTH destination supported by cloud foundry is client credentials and not password flow, so this is not a cloud sdk limitation.

TAI for MS Azure with Websphere Application Server v9 CWWSS8017E: Authentication Error

I'm trying to configure SAML between MS Azure AD and a WebSphere v9 CF11 server that's sitting in AWS, but it is not recognizing the TAI setup.
I've followed all the steps here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_enable_saml_sp_sso.html and here https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html
I've installed the SAMLSA app in WebSphere, imported the metadata file provided by my Azure admin, and imported the certificate as well. I've set up the ACSTrustAssociationInterceptor interceptor and put in (what I thought was) the right sso_1.sp.acsUrl and other settings for the server.
The SystemOut logs show that the ACSTrustAssociationInterceptor is loading:
SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully
but the version is null:
SECJ0122I: Trust Association Init Interceptor signature:
After setting it all up as above, when I go to the URL it just shows:
Error 403: AuthenticationFailed
And the log has errors about a missing cookie:
SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWWSS8017E: Authentication Error: Single-Sign-on cookie is not present or could not be verified. Please login to the SAML Identity Provider, and try again.
It's like it's never "intercepted" to be passed. It just fails. No network traffic goes to the AD server.
When going to the URL it should redirect me to the MS login and then back to the app, but it's not.
It sounds like you might be missing an sso_1.sp.login.error.page property definition. Without that property, the expectation is that the user will be going to the IdP to initiate the sign on; if you define the property and set its value to your IdP's login page, then the 403 you're getting (as a result of being unauthenticated) will end up redirecting you over to the IdP to initiate the sign on process from there.
More info here in the "bookmark style" description: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samlssosummary.html

OpenAM - No such Organization found

Getting the following message when accessing a site that should redirect to the OpenAM login page:
No such Organization found.
Contact your system administrator.
Return to Login page
I took a look at the debug logs (Authentication) but I'm just getting a null pointer exception:
amAuth:02/18/2014 08:26:12:659 AM GMT: Thread[http-bio-8181-exec-53,5,main]
ERROR: Error creating logFailed message
java.lang.NullPointerException
at com.sun.identity.authentication.service.LoginState.getSSOToken(LoginState.java:1926)
An Organization in OpenAM is a REALM. Are you using a REALM in your URL, e.g.:
http://bla.bla.com/bla?realm=MYREALM
If yes, make sure that REALM exists in the OpenAM server.

Unable to Push Node.js Apps to CloudFoundry

I registered for a CloudFoundry account and I'm able to log in to the website with my registered credentials. However, when I try to use those credentials to log in via vmc I get a connection refused:
MyComputer$ vmc login
Attempting login to [http://api.vcap.me]
Email: <*myemail#gmail.com*>
Password: *******
Problem with login to 'http://api/vcap', HTTP exception: Errno::ECONNREFUSED:Connection refused - connect(2), try again or register for an account.
I assume that I need to be logged in to push because I also had the following error:
MyComputer$ vmc push
Would you like to deploy from the current directory? [Yn]:
Application Name: myapp
HTTP exception: Errno::ECONNREFUSED:Connection refused - connect(2)
Is anyone else encountering this issue?
It shows that you're connecting to api.vcap.me, which is typically used for a Cloud Foundry instance running on your local machine that you've installed from the source code. To push apps to CF.com, target it with vmc first:
vmc target https://api.cloudfoundry.com
vmc login myemail#gmail.com