-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Oidc security configuration prompts a basic dialog #325
Comments
A good start is probably by copying the examples/tests from https://github.com/jakartaee/security/tree/master/tck first, and then modify those depending n what you want or need. Those provide you with a working application with open id connect enabled, which proves that the feature is 1) actually there and 2) also works. Best would be to compare what the app-openid* apps do, and how your own app differs from that. |
yes, I almost copied the app-openid example project client part and configured for auth0 IDP. And added the following dependencies. <dependency>
<groupId>jakarta.platform</groupId>
<artifactId>jakarta.jakartaee-api</artifactId>
</dependency>
<dependency>
<groupId>jakarta.security.enterprise</groupId>
<artifactId>jakarta.security.enterprise-api</artifactId>
<version>3.0.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.glassfish.soteria/jakarta.security.enterprise -->
<dependency>
<groupId>org.glassfish.soteria</groupId>
<artifactId>jakarta.security.enterprise</artifactId>
<version>3.0.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.glassfish.soteria/soteria.spi.bean.decorator.weld -->
<dependency>
<groupId>org.glassfish.soteria</groupId>
<artifactId>soteria.spi.bean.decorator.weld</artifactId>
<version>3.0.0</version>
</dependency> I am not sure why the |
Tried in Glassfish 7.0.0-M8, got the same result, it still popup a HTTP Basic prompt panel in my Firefox browser when accessing the /protected path. Also tried to deploy into the latest Wildfly 27.0.0 preview Alpha 5, the whole flow is working well(1. redirect to Auth0 login page, 2. login, 3. return back to /callback in my application), but when returning the callback or protected page, there is an exception thrown in the page, where I used an Context Path:
/security-oidc-examples
Servlet Path:
/callback
Path Info:
null
Query String:
code=W5wr6BxRoFXF3HNrkGoE9KLBqJaZ4r988MKCdaZFpgA2y&state=9d723ab4-2899-43d8-9a78-095b4fb5ca3e
Stack Trace:
java.lang.NullPointerException: Cannot invoke "com.nimbusds.jwt.JWTClaimsSet.getClaims()" because "jwtClaimsSet" is null
at [email protected]//org.glassfish.soteria.mechanisms.openid.domain.AccessTokenImpl.<init>(AccessTokenImpl.java:64)
at [email protected]//org.wildfly.security.soteria.original.OpenIdCredential.<init>(OpenIdCredential.java:58)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateAuthorizationCode(OpenIdAuthenticationMechanism.java:354)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.authenticate(OpenIdAuthenticationMechanism.java:273)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateRequest(OpenIdAuthenticationMechanism.java:171)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) @arjantijms I almost copied the example codes from security TCK, the difference I used a real world Auth0 as Oidc provider. |
Did you got the example applications from the TCK to work? 2 and 3 uses an actual (certified) OpenID Connect provider as well (it starts a separate Tomcat to which that provider is deployed). |
I just copied the example client, and use Auth0 as IDP via a CDI bean. On WildFly, the login is successful, only the final redirect to callback failed in our application. I have checked the Auth0 users history, the login and exchange are successful. |
And did the "example client" work? As the Security TCK normally passes against GlassFish, the "example client" should work (or else the Security TCK would not have passed). As there are 3 "example clients", which one did you exactly copied? Did you also try not copying and running directly from the TCK? Example client 1: https://github.com/jakartaee/security/tree/master/tck/app-openid |
I have explored all of these security TCK examples, my example is closed to the example client 1. But I did some modification.
Check: https://github.com/hantsy/jakartaee10-sandbox/tree/master/security-oidc/src/main/java/com/example In the CallbackServlet, I have tried to redirect to /protected or extract OpenIdContext , neither worked. |
@hantsy I'll take a closer look later, but for now an important question; if you do not do any modifications, does "example client 1" work then? |
Got help from the Redhat guys, https://blogs.nologin.es/rickyepoderi/index.php?/archives/198-Using-jakartaee-10-security-OIDC-with-wildfly-27-preview.html, finally my example works with Local KeyCloak(in Docker) and Okta. But for the Auth0, it throws a NPE in AccessTokenImpl when returning back to my application. Error processing request
Context Path:
/security-oidc-examples
Servlet Path:
/callback
Path Info:
null
Query String:
code=uaOVw2pkvGnnrG-IcVR8qTsu7U2-B8zM2ig6OGBp_6olR&state=48e113ef-4bad-4c29-910e-a41cab8ca968
Stack Trace:
java.lang.NullPointerException: Cannot invoke "com.nimbusds.jwt.JWTClaimsSet.getClaims()" because "jwtClaimsSet" is null
at [email protected]//org.glassfish.soteria.mechanisms.openid.domain.AccessTokenImpl.<init>(AccessTokenImpl.java:64)
at [email protected]//org.wildfly.security.soteria.original.OpenIdCredential.<init>(OpenIdCredential.java:58)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateAuthorizationCode(OpenIdAuthenticationMechanism.java:354)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.authenticate(OpenIdAuthenticationMechanism.java:273)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateRequest(OpenIdAuthenticationMechanism.java:171)
at [email protected]//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at [email protected]//org.jboss.weld.bean.proxy.AbstractBeanInstance.invoke(AbstractBeanInstance.java:38)
at [email protected]//org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:106)
at deployment.security-oidc-examples.war//org.jboss.weld.generated.proxies.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism$397943940$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
at [email protected]//org.glassfish.soteria.mechanisms.jaspic.HttpBridgeServerAuthModule.validateRequest(HttpBridgeServerAuthModule.java:89)
at [email protected]//org.wildfly.security.auth.jaspi.impl.ElytronServerAuthContext.validateRequest(ElytronServerAuthContext.java:85)
at [email protected]//org.wildfly.security.auth.jaspi.impl.WrappingServerAuthContext.lambda$validateRequest$0(WrappingServerAuthContext.java:50)
at [email protected]//org.wildfly.security.auth.jaspi.impl.ThreadLocalCallbackHandler.get(ThreadLocalCallbackHandler.java:56)
at [email protected]//org.wildfly.security.auth.jaspi.impl.WrappingServerAuthContext.validateRequest(WrappingServerAuthContext.java:50)
at org.wildfly.security.elytron-web.undertow-server-servlet@3.0.0.Beta1//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:174)
at org.wildfly.security.elytron-web.undertow-server-servlet@3.0.0.Beta1//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:99)
at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.security.elytron-web.undertow-server-servlet@3.0.0.Beta1//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1431)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
at java.base/java.lang.Thread.run(Thread.java:833) And I will test it with the next version of Glassfish. |
Glassfish 7.0.0-M7, Java 17
Sample project: https://github.com/hantsy/jakartaee10-sandbox/tree/master/security-oidc
When running this by
mvn clean package cargo:run
, and navigate to http://localhost:8080/security-oidc-examples/It will pop up a Brower basic prompt to input username and password, did not redirect to the IDP login page.
I used Auth0 in this example, https://github.com/hantsy/jakartaee10-sandbox/blob/master/security-oidc/src/main/resources/openid.properties.local
The text was updated successfully, but these errors were encountered: