I am trying to update jhipster v5.8.2 to v6.0.1, but I get a compilation error:
The Issuer "https://dev-672339.oktapreview.com/oauth2/default" provided in the OpenID Configuration did not match the requested issuer "https://login.pomzen.com/oauth2/default"
My previous configuration in application.yml is:
security:
  oauth2:
    client:
      access-token-uri: https://dev-672339.oktapreview.com/oauth2/default/v1/token
      user-authorization-uri: https://login.pomzen.com/oauth2/default/v1/authorize
      client-id: {myId}
      client-secret: {mySecret}
      scope: openid profile email
      # Token is valid 3 hours
      tokenValidityInSeconds: 10800
    resource:
      user-info-uri: https://dev-672339.oktapreview.com/oauth2/default/v1/userinfo
My new configuration in application.yml is:
security:
  oauth2:
    client:
      provider:
        oidc:
          issuer-uri: https://login.pomzen.com/oauth2/default
      registration:
        oidc:
          client-id: {myId}
          client-secret: {mySecret}
Can you try the following for your issuer?
https://dev-672339.oktapreview.com/oauth2/default
If you tack on /.well-known/openid-configuration on the end, you’ll see all the endpoints you used to have to specify.
https://dev-672339.oktapreview.com/oauth2/default/.well-known/openid-configuration
Make sure your Okta Authorization Server is configured for your custom domain.
Go to: https://dev-672339-admin.oktapreview.com/admin/oauth2/as
Select your "default" authorization server from the list, then click the Edit button.
You should have a dropdown for the Issuer from which you can select your custom domain (make sure this value matches what is in your application.yml).
Do you have anything custom for your HttpSecurity configuration?
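As an added illustration, not code from the question, JHipster or Spring, this Python sketch mirrors the client-side check behind the error quoted above: resolve the configured issuer-uri to its metadata URL, then accept the advertised endpoints only when the metadata's own "issuer" equals the one requested. The discovery document is constructed inline and abridged, and the exact-string comparison is an assumption.

```python
import json

# Constructed, abridged discovery document of the kind an Okta authorization server
# serves at <issuer>/.well-known/openid-configuration (placeholder values).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://dev-672339.oktapreview.com/oauth2/default",
    "authorization_endpoint": "https://dev-672339.oktapreview.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-672339.oktapreview.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://dev-672339.oktapreview.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://dev-672339.oktapreview.com/oauth2/default/v1/keys",
})

def discovery_url(issuer_uri):
    # Where a client resolves a configured issuer-uri into the metadata endpoint.
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"

def resolve_issuer(issuer_uri, discovery_json):
    # The check behind the error in the question: the "issuer" inside the metadata must
    # equal the issuer we asked for (exact string match, assumed here). Without it a
    # misconfigured or spoofed server could hand the client someone else's endpoints and
    # signing keys. Returns the endpoints the legacy YAML had to spell out by hand.
    doc = json.loads(discovery_json)
    metadata_issuer = doc.get("issuer")
    if metadata_issuer != issuer_uri:
        raise ValueError(
            f'The Issuer "{metadata_issuer}" provided in the OpenID Configuration '
            f'did not match the requested issuer "{issuer_uri}"')
    required = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    return {key: doc[key] for key in required}

def endpoints_under_issuer(endpoints, issuer_uri):
    # Sanity check for hand-written configs like the old one above, where the token
    # URI pointed at one host and the authorize URI at another.
    base = issuer_uri.rstrip("/") + "/"
    return all(url.startswith(base) for url in endpoints.values())
```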
I am looking for help regarding linking ADFS with GitLab. Their documentation mentions only setup with Google and Okta, but no ADFS, which makes me crazy. The AD is running on Windows Server 2019, but I have no access to it since it runs at another organization. Also, I don't have a test account or whatever, so I can't test any changes. I've been guessing for 3 days already. The target is to provide access to GitLab hosted at our company for our customer, but with their AD SSO. We need to provide access from both SSOs, ours and the customer's.
I have successfully implemented SSO login from our Keycloak using OAuth; it is completely fine.
Then we sent the following data to the customer's admin:
· ID: https://git.#####.net/
· Reply URL / Resource: https://git.########.net/users/auth/openid_connect/callback
· Protocol: OIDC https://docs.gitlab.com/ee/administration/auth/oidc.html#keycloak
· Application type: Web App
· Claims / Rules: "openid", "profile", "email"
· Federation Metadata: No
Later, from the customer's admin I received back the link to the JWKS keys, the Federation Metadata XML, the link to the .well-known configuration and the UserID that ADFS generates. But when I tried to set up OAuth using the ID and link, I felt like the secret was missing. I was getting "token expired or invalid", and in the logs DiscoveryFailed(NotFound). That's why I decided to try SAML instead.
So, the questions:
Is it not possible to have two OAuth providers at once, right?
Is it possible to set up OAuth without a secret?
If it's not possible, how do I set up SAML at GitLab correctly?
Which certificate fingerprint should I use, encryption or signature?
Which claims and other things must be set in the trust in ADFS?
Is the target URL right?
What else do I miss?
The current configuration looks like this:
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect', 'saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "##### Login", # optional label for login button, defaults to "Openid Connect"
    args: {
      name: "openid_connect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer: "https://user.###########.at/auth/realms/########",
      client_auth_method: "query",
      discovery: true,
      uid_field: "preferred_username",
      client_options: {
        identifier: "#######-gitlab",
        # secret: "<YOUR CLIENT SECRET>",
        redirect_uri: "https://git.########.net/users/auth/openid_connect/callback"
      }
    }
  },
  {
    name: "saml",
    label: "###### Login", # optional label for login button, defaults to "Saml"
    args: {
      assertion_consumer_service_url: "https://git.#####.net/users/auth/saml/callback",
      idp_cert_fingerprint: "AF:92:5D:AD:DF:4A:7F.....",
      idp_sso_target_url: "https://sts.#########.at/adfs/ls",
      issuer: "https://git.#####.net/",
      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    }
  }
]
I have extracted idp_cert_fingerprint from both certificates present at XML files.
I am not sure if the claim is right, so I would appreciate any help regarding configuring these things. What should I do to make it run?
Thank you!
I generated a gateway application with JHipster to test oauth2 through Okta for my organization. I didn't make any changes to the code beyond what was recommended in the readme: The client ID and Secret are in the yml, as well as the issuer uri.
It redirects me to Okta. I log in. It redirects back as expected. Then I got an unauthorized error at /login?error. So I tried adding a permitAll for /login/**. This resulted in error 404.
Something in the recommended configuration is not working as expected.
application.yml:
oauth2:
  client:
    provider:
      oidc:
        issuer-uri: https://dev-[numbers].okta.com/oauth2/default
    registration:
      oidc:
        client-id: {my real client id}
        client-secret: {my client secret}
        scopes:
          - profile
          - email
          - openid
          - customScope
What am I doing wrong?
Could it be the environment variables are not being read?
They come from .okta.env, but I also added them to the environment variables in the IntelliJ run configuration:
export SECURITY_OAUTH2_CLIENT_USER_AUTHORIZATION_URI="https://dev-[number].okta.com/oauth2/default/v1/authorize"
export SECURITY_OAUTH2_RESOURCE_USER_INFO_URI="https://dev-[number].okta.com/oauth2/default/v1/userinfo"
export SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI="https://dev-[number].okta.com/oauth2/default/v1/introspect"
export SECURITY_OAUTH2_CLIENT_CLIENT_ID={clientid}
export SECURITY_OAUTH2_CLIENT_CLIENT_SECRET={clientsecret}
First I'm describing how I set up my applications, then I will describe how I'm using the APIs.
Setup
In my Azure Active Directory, I have two applications registered: UI and Backend
UI has the client ID clientId1 and backend has client ID clientId2 (it's a GUID, but for simplicity)
Both are under the same tenant tenant1 (single tenant)
Backend (Web API)
Backend has an exposed API with scope "api://clientId2/access_as_user" and authorized client "clientId1" with the scope just mentioned selected
I'm using passport and passport-azure-ad (I pretty much copied https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2).
My config:
const config = {
  identityMetadata: "https://login.microsoftonline.com/tenant1/v2.0/.well-known/openid-configuration",
  clientID: "clientId2",
  validateIssuer: false,
  loggingLevel: 'info',
  passReqToCallback: false,
  loggingNoPII: false
};
I get this message when starting the server:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":16052,"level":40,"msg":"Production environments should always validate the issuer.","time":"2020-04-11T13:25:44.283Z","v":0}
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":16052,"level":30,"msg":"In BearerStrategy constructor: created strategy with options {\"identityMetadata\":\"https://login.microsoftonline.com/tenant1/v2.0/.well-known/openid-configuration\",\"clientID\":\"clientId2\",\"validateIssuer\":false,\"loggingLevel\":\"info\",\"passReqToCallback\":false,\"loggingNoPII\":false,\"clockSkew\":300,\"allowMultiAudiencesInToken\":false,\"audience\":[\"clientId2\",\"spn:clientId2\"]\"isB2C\":false,\"_isCommonEndpoint\":false}","time":"2020-04-11T13:25:44.285Z","v":0}
Listening on port 5000
UI (Angular SPA)
UI was automatically granted permission to access Microsoft Graph (profile, user.read, user.read.all -- the last one I think I granted). The permissions are in "API permissions".
I went ahead and also granted access to the Backend access_as_user
For the UI code I'm using the MSAL library and again I pretty much copied the repo (https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-angular)
In the protectedResourceMap field I added the following
['https://graph.microsoft.com/v1.0/me', ['user.read']],
['http://localhost:5000', ['api://clientId2/access_as_user']],
I am able to log in and read my user profile, but when trying to access http://localhost:5000/hello (protected), I'm getting the error in the title of this question:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":20720,"level":30,"msg":"authentication failed due to: jwt audience is invalid","time":"2020-04-11T13:38:08.700Z","v":0}
--
I can see the Bearer Token coming (in the UI and backend), the server decodes the token (I can see all my profile info in the server logs), but it's saying the JWT is invalid?!
I'm not defining an audience, yet I can see in the token when it gets decoded the audience with aud: 'api://clientId2'.
I can also see when the backend starts that it shows the audience as [clientId2, spn:clientId2] by default (step 4 on the backend). When I define audience: 'api://clientId2' in the config, I get a 403 with the message:
{"name":"AzureAD: Bearer Strategy","hostname":"DESKTOP-NCVLN56","pid":12644,"level":30,"msg":"In Strategy.prototype.jwtVerify: We did not pass Req back to Callback","time":"2020-04-11T16:19:30.398Z","v":0}
Any help would be appreciated. Thank you.
Turns out their code in the repository is not using proper configuration to verify the scope access...
https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2/blob/master/index.js#L41
if (req.authInfo['scp'].split(" ").indexOf("demo.read") >= 0) {
I needed to change the scope from "demo.read" to "access_as_user".
In my case it was just that the clock of the VM the application was running on was 15 minutes behind. So the time the token was created was in the future...
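An added example, not the sample repository's code and in Python rather than the Node backend discussed: the audience and time checks that produce the two failures described above, namely "jwt audience is invalid" for a token whose aud is api://clientId2 when only clientId2 and spn:clientId2 are accepted, and rejection of a valid token when the verifier's clock runs 15 minutes slow. The token is constructed and unsigned; the function names are mine, and signature verification is assumed to happen before these checks.

```python
import base64
import json
import time

CLOCK_SKEW_SECONDS = 300  # clockSkew the Bearer Strategy startup log above reports

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_test_token(claims):
    # Constructed, UNSIGNED compact JWT for exercising the checks below. The signature
    # segment is a placeholder: real verification against jwks_uri must precede these checks.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"

def claims_of(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def audience_problem(claims, accepted_audiences):
    # 'aud' may be a string or a list; at least one value must be in the accepted set.
    # With the defaults from the log above ({clientId2, spn:clientId2}) a token minted
    # for the API's identifier URI api://clientId2 fails with "jwt audience is invalid".
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in accepted_audiences for a in auds):
        return f"jwt audience is invalid: got {auds}, accepted {sorted(accepted_audiences)}"
    return None

def time_problems(claims, now=None, skew=CLOCK_SKEW_SECONDS):
    # Temporal checks with tolerance. A verifier whose clock runs 15 minutes slow sees
    # iat/nbf in the future by more than the 5-minute skew and rejects a good token.
    now = int(time.time()) if now is None else now
    problems = []
    if "exp" in claims and now > claims["exp"] + skew:
        problems.append("expired")
    if "nbf" in claims and now + skew < claims["nbf"]:
        problems.append("not yet valid")
    if "iat" in claims and now + skew < claims["iat"]:
        problems.append("issued in the future (check the verifier's clock)")
    return problems
```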
I created a jhipster monolithic application (jhipster version v4.14.2). I also created an Okta web application with the following settings:
Login redirect URIs -> http://localhost:8080/login
Initiate login URI -> http://localhost:8080
Created groups for admin and user, set up the claim in the default authorization server, and assigned them to the application and my user
I updated the application.yaml of my jhipster application as follows:
security:
  basic:
    enabled: false
  oauth2:
    client:
      access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
      user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
      client-id: ????????
      client-secret: ????????
      client-authentication-scheme: form
      scope: openid profile email
    resource:
      filter-order: 3
      user-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/userinfo
      token-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/introspect
      prefer-token-info: false
When I start the application and try to sign in, I do get the Okta login page; however, after entering my credentials I always get the following error:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Authentication Failed: Could not obtain access token
I followed the instructions in the jhipster security documentation and can't make it work. Any idea why I still get the unauthorized error?
This might have nothing to do with jhipster. Make sure your URL for obtaining the access token is right.
What Grant type are you using?
https://developer.okta.com/authentication-guide/implementing-authentication/
I think the error is here:
access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
Is "user-authorization-uri" the jhipster way of asking for the "issuer URL"?
Error: AADSTS90002: Requested tenant identifier '${azuretenantid}' is not valid.
Address of redirection
https://login.microsoftonline.com/$%7BazureTenantId%7D/oauth2/authorize?resource=https://graph.windows.net&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=http://localhost:8084/login&response_type=code&scope=profile&state=wTeKZ1
config:
azure:
  enabled: true
  accounts:
  - name: exp
    requiredGroupMembership: []
    providerVersion: V1
    clientId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    appKey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    tenantId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    defaultResourceGroup: spinnakerk8s
    defaultKeyVault: KeyVault
authn:
  oauth2:
    enabled: true
    client:
      clientId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      clientSecret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      accessTokenUri: https://login.microsoftonline.com/${azuretenantid}/oauth2/token
      userAuthorizationUri: https://login.microsoftonline.com/${azuretenantid}/oauth2/authorize?resource=https://graph.windows.net
      clientAuthenticationScheme: query
      scope: profile
    resource:
      userInfoUri: https://graph.windows.net/me?api-version=1.6
    userInfoMapping:
      email: userPrincipalName
      firstName: givenName
      lastName: surname
    provider: AZURE
Attempted solutions:
Corrected the accessTokenUri address to https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/token
and userAuthorizationUri to https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize?resource=https://graph.windows.net
Same correction, but to ${azure_tenant_id} to match the azure-linux.json variable
Downgraded to Spinnaker version 1.5.0 and attempted all changes again
Manually changing the error page address to include the tenant id properly pulls up the login page
Result: despite the changes, the address is always rewritten to include ${azuretenantid}, which errors
Expected result: redirect to the login page
It seems pretty clear that your variable ${azuretenantid} is not getting replaced in the URL string.
You should check that you are using the correct syntax to replace that variable with the proper Azure tenant id.
Otherwise, you can replace ${azuretenantid} with common, and use the common endpoint to try and automatically discover the correct tenant for the given user. See more details about the common endpoint here.