
Oidc security configuration prompts a basic dialog #325

Open
hantsy opened this issue Jul 24, 2022 · 9 comments

Comments

@hantsy

hantsy commented Jul 24, 2022

Glassfish 7.0.0-M7, Java 17

Sample project: https://github.com/hantsy/jakartaee10-sandbox/tree/master/security-oidc

When running this with mvn clean package cargo:run and navigating to http://localhost:8080/security-oidc-examples/,

it pops up a browser Basic auth prompt for username and password and does not redirect to the IDP login page.

I used Auth0 in this example, https://github.com/hantsy/jakartaee10-sandbox/blob/master/security-oidc/src/main/resources/openid.properties.local

@hantsy hantsy changed the title Oidc security prompt a basic dialog Oidc security configuration prompts a basic dialog Jul 24, 2022
@arjantijms
Contributor

A good start is probably copying the examples/tests from https://github.com/jakartaee/security/tree/master/tck first, and then modifying those depending on what you want or need.

Those provide you with a working application with open id connect enabled, which proves that the feature is 1) actually there and 2) also works.

Best would be to compare what the app-openid* apps do, and how your own app differs from that.

@hantsy
Author

hantsy commented Jul 24, 2022

Yes, I almost copied the client part of the app-openid example project and configured it for the Auth0 IDP, and added the following dependencies.

        <dependency>
            <groupId>jakarta.platform</groupId>
            <artifactId>jakarta.jakartaee-api</artifactId>
        </dependency>
        <dependency>
            <groupId>jakarta.security.enterprise</groupId>
            <artifactId>jakarta.security.enterprise-api</artifactId>
            <version>3.0.0</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.glassfish.soteria/jakarta.security.enterprise -->
        <dependency>
            <groupId>org.glassfish.soteria</groupId>
            <artifactId>jakarta.security.enterprise</artifactId>
            <version>3.0.0</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.glassfish.soteria/soteria.spi.bean.decorator.weld -->
        <dependency>
            <groupId>org.glassfish.soteria</groupId>
            <artifactId>soteria.spi.bean.decorator.weld</artifactId>
            <version>3.0.0</version>
        </dependency>

I am not sure why jakarta.jakartaee-api 10.0.0 does not contain security API 3.0.

@hantsy
Author

hantsy commented Sep 14, 2022

Tried in Glassfish 7.0.0-M8, got the same result: it still pops up an HTTP Basic prompt panel in my Firefox browser when accessing the /protected path.

Also tried to deploy into the latest Wildfly 27.0.0 preview Alpha 5; the whole flow is working well (1. redirect to the Auth0 login page, 2. login, 3. return to /callback in my application), but when returning to the callback or protected page, an exception is thrown in the page where I used an OpenIdContext.

Context Path:
/security-oidc-examples

Servlet Path:
/callback

Path Info:
null

Query String:
code=W5wr6BxRoFXF3HNrkGoE9KLBqJaZ4r988MKCdaZFpgA2y&state=9d723ab4-2899-43d8-9a78-095b4fb5ca3e

Stack Trace:

java.lang.NullPointerException: Cannot invoke "com.nimbusds.jwt.JWTClaimsSet.getClaims()" because "jwtClaimsSet" is null
    at [email protected]//org.glassfish.soteria.mechanisms.openid.domain.AccessTokenImpl.<init>(AccessTokenImpl.java:64)
    at [email protected]//org.wildfly.security.soteria.original.OpenIdCredential.<init>(OpenIdCredential.java:58)
    at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateAuthorizationCode(OpenIdAuthenticationMechanism.java:354)
    at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.authenticate(OpenIdAuthenticationMechanism.java:273)
    at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateRequest(OpenIdAuthenticationMechanism.java:171)
    at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

@arjantijms I almost copied the example code from the Security TCK; the difference is that I used a real-world Auth0 as the OIDC provider.

@arjantijms
Contributor

Tried in Glassfish 7.0.0-M8, got the same result: it still pops up a prompt panel in my Firefox browser when accessing the /protected path.

Did you get the example applications from the TCK to work? 2 and 3 use an actual (certified) OpenID Connect provider as well (it starts a separate Tomcat to which that provider is deployed).

@hantsy
Author

hantsy commented Sep 14, 2022

I just copied the example client and used Auth0 as the IDP via a CDI bean.

On WildFly, the login is successful; only the final redirect to the callback failed in our application. I have checked the Auth0 user history: the login and the exchange are successful.

@arjantijms
Contributor

I just copied the example client

And did the "example client" work? As the Security TCK normally passes against GlassFish, the "example client" should work (or else the Security TCK would not have passed).

As there are 3 "example clients", which one exactly did you copy? Did you also try not copying and running directly from the TCK?

Example client 1: https://github.com/jakartaee/security/tree/master/tck/app-openid
Example client 2: https://github.com/jakartaee/security/tree/master/tck/app-openid2
Example client 3: https://github.com/jakartaee/security/tree/master/tck/app-openid3

@hantsy
Author

hantsy commented Sep 15, 2022

I have explored all of these Security TCK examples; my example is closest to example client 1. But I did some modifications.

  1. I only used the CDI bean to load config from properties; in the OpenID annotation registration, I only used the EL version of the OpenID config.
  2. In the SecuredServlet (I created a ProtectedServlet instead) I tried to inject an OpenIdContext to expose the OIDC attributes.
  3. I added another UsernameServlet and tried to inject a SecurityContext (due to the authorization failure I have not tested it at all).

Check: https://github.com/hantsy/jakartaee10-sandbox/tree/master/security-oidc/src/main/java/com/example

In the CallbackServlet, I have tried to redirect to /protected or extract the OpenIdContext; neither worked.

@arjantijms
Contributor

@hantsy I'll take a closer look later, but for now an important question: if you do not make any modifications, does "example client 1" work then?

@hantsy
Author

hantsy commented Sep 17, 2022

Got help from the Red Hat guys, https://blogs.nologin.es/rickyepoderi/index.php?/archives/198-Using-jakartaee-10-security-OIDC-with-wildfly-27-preview.html; finally my example works with a local Keycloak (in Docker) and Okta.

But for Auth0, it throws an NPE in AccessTokenImpl when returning to my application.

Error processing request
Context Path:
/security-oidc-examples

Servlet Path:
/callback

Path Info:
null

Query String:
code=uaOVw2pkvGnnrG-IcVR8qTsu7U2-B8zM2ig6OGBp_6olR&state=48e113ef-4bad-4c29-910e-a41cab8ca968

Stack Trace:

java.lang.NullPointerException: Cannot invoke "com.nimbusds.jwt.JWTClaimsSet.getClaims()" because "jwtClaimsSet" is null
	at [email protected]//org.glassfish.soteria.mechanisms.openid.domain.AccessTokenImpl.<init>(AccessTokenImpl.java:64)
	at [email protected]//org.wildfly.security.soteria.original.OpenIdCredential.<init>(OpenIdCredential.java:58)
	at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateAuthorizationCode(OpenIdAuthenticationMechanism.java:354)
	at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.authenticate(OpenIdAuthenticationMechanism.java:273)
	at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateRequest(OpenIdAuthenticationMechanism.java:171)
	at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at [email protected]//org.jboss.weld.bean.proxy.AbstractBeanInstance.invoke(AbstractBeanInstance.java:38)
	at [email protected]//org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:106)
	at deployment.security-oidc-examples.war//org.jboss.weld.generated.proxies.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism$397943940$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
	at [email protected]//org.glassfish.soteria.mechanisms.jaspic.HttpBridgeServerAuthModule.validateRequest(HttpBridgeServerAuthModule.java:89)
	at [email protected]//org.wildfly.security.auth.jaspi.impl.ElytronServerAuthContext.validateRequest(ElytronServerAuthContext.java:85)
	at [email protected]//org.wildfly.security.auth.jaspi.impl.WrappingServerAuthContext.lambda$validateRequest$0(WrappingServerAuthContext.java:50)
	at [email protected]//org.wildfly.security.auth.jaspi.impl.ThreadLocalCallbackHandler.get(ThreadLocalCallbackHandler.java:56)
	at [email protected]//org.wildfly.security.auth.jaspi.impl.WrappingServerAuthContext.validateRequest(WrappingServerAuthContext.java:50)
	at org.wildfly.security.elytron-web.undertow-server-servlet@3.0.0.Beta1//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:174)
	at org.wildfly.security.elytron-web.undertow-server-servlet@3.0.0.Beta1//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:99)
	at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
	at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
	at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at org.wildfly.security.elytron-web.undertow-server-servlet@3.0.0.Beta1//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
	at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
	at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
	at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
	at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
	at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
	at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859)
	at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
	at java.base/java.lang.Thread.run(Thread.java:833)

And I will test it with the next version of Glassfish.
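An added example, not code from hantsy's sandbox or from the Security TCK, of the setup described in this thread: a CDI bean that loads openid.properties and feeds the @OpenIdAuthenticationMechanismDefinition through EL, plus a protected servlet that injects OpenIdContext without assuming the access token is a JWT. The property keys, the "user" group name and the /protected and /callback paths are assumptions.

```java
import java.io.*;
import java.util.Properties;
import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.*;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.identitystore.openid.*;
import jakarta.servlet.annotation.*;
import jakarta.servlet.http.*;

// Exposes openid.properties (assumed keys: providerURI, clientId, clientSecret) to EL as "openIdConfig".
@Named @ApplicationScoped
public class OpenIdConfig {
    private final Properties props = new Properties();
    @PostConstruct
    void load() {
        try (InputStream in = getClass().getResourceAsStream("/openid.properties")) {
            if (in == null) throw new IllegalStateException("openid.properties not on classpath");
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read openid.properties", e);
        }
    }
    public String getProviderURI() { return props.getProperty("providerURI"); }
    public String getClientId() { return props.getProperty("clientId"); }
    public String getClientSecret() { return props.getProperty("clientSecret"); }
}

// EL-backed mechanism definition; redirectURI must match the redirect URI registered at the provider.
@OpenIdAuthenticationMechanismDefinition(
    providerURI = "#{openIdConfig.providerURI}",
    clientId = "#{openIdConfig.clientId}",
    clientSecret = "#{openIdConfig.clientSecret}",
    redirectURI = "${baseURL}/callback")
@WebServlet("/protected")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user")) // "user" is an assumed group name from the provider's groups claim
class ProtectedServlet extends HttpServlet {
    @Inject OpenIdContext context;
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        AccessToken token = context.getAccessToken();
        resp.getWriter().println("subject: " + context.getSubject());
        // The spec does not require an access token to be a JWT; read JWT claims only when it is one.
        if (token.isJWT()) {
            resp.getWriter().println("access token claims: " + token.getClaims());
        } else {
            resp.getWriter().println("opaque access token; identity token claims: " + context.getIdentityToken().getClaims());
        }
    }
}
```

The NPE in the traces above is raised inside the mechanism's AccessTokenImpl before any servlet runs, so the isJWT() guard only keeps application code from making the same assumption; it cannot stop the mechanism-side failure.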
