9:29 p.m.
Not knowing whether my satosa instance is fully working yet (see my
other thread) I'm now continuing to try to get the application
(eduMEET) to work with satosa's oidc frontend, as per the app's
published config example:
https://github.com/havfo/multiparty-meeting/blob/master/server/config/confi…
So I've made up a client_id and client_secret on the RP side and
provided the client with an issuerURL (base URL of satosa), let it
request all the scopes in the world and set its own redirect_uri.
With those all set I do see requests to satosa's .well-known endpoints
from the application in satosa logs, e.g.
Found registered endpoint: module name:'oidc', endpoint:
.well-known/openid-configuration
(And of course accessing the endpoint myself I can see that it works
and produces JSON with its config.)
Now on the OP side (satosa oidc frontend) I haven't done any setup
for the client yet, so I guess the error in the log is to be expected:
Error in authn req: Unknown client_id
Now what would be the next steps to register that client?
The request from the client (according to satosa's logs) has these
query parameters (where cid and csec are the correct client_id and
client_secret, respectively):
client_id=cid&scope=openid+email+profile&response_type=code&redirect_uri=https%3A%2F%2Fexample.org%2Fauth%2Fcallback&state=e30%3D&client_secret=csec
My plugins/frontends/openid_connect_frontend.yaml looks like the
published example, essentially:
module: satosa.frontends.openid_connect.OpenIDConnectFrontend
name: oidc
config:
signing_key_path: /etc/satosa/oidc-provider.key
#db_uri: mongodb://db.example.com # optional: only support MongoDB, will default to
in-memory storage if not specified
client_db_path: /etc/satosa/oidc-clients.json
provider:
client_registration_supported: True
response_types_supported: ['code', 'token', 'id_token']
subject_types_supported: ['public', 'pairwise']
scopes_supported: ['openid', 'email', 'profile']
Only that I tried to enable pretty much everything (all repose and
subject types, all scopes, client registration) since I had no idea
what the RP side wants, yet. (Seems I can remove all response types
except 'code', as per the log shown above.)
I don't have MongoDB set up yet since the comment above suggests an
in-memory store would be used, which is fine for my current testing.
And looking at _create_provider() at frontends/openid_connect.py the
code would use the file referenced by client_db_path if db_uri isn't
set even before falling back to storing it in a variable.
The file referenced in client_db_path exists, is writable by the user
satosa runs as, and currently contains only '{}' (without the quotes).
So IMO that should be sufficient.
Any hints on how to register the application?
The documenation is a bit sparse here
https://github.com/IdentityPython/SATOSA/blob/master/doc/README.md#frontend…
only mentioning that *without* dynamic client registration (which I
have enabled for now, but maybe the RP doesn't support it) I'd have to
manually create the data structures in MongoDB (or the file in
client_db_path) for my client, as per the oidc spec for Client
Registration Responses.
Could someone share a json sample to put into the file referenced by
client_db_path (if that's how it's supposed to work)?
Cheers,
-peter
2:05 a.m.
* Peter Schober <peter.schober at univie.ac.at> [2020-03-30 21:29]:
And looking at _create_provider() at
frontends/openid_connect.py the
code would use the file referenced by client_db_path if db_uri isn't set
[...]
Could someone share a json sample to put into the file referenced by
client_db_path (if that's how it's supposed to work)?
For posterity:
insert_client_in_client_db() from one of the tests
https://github.com/IdentityPython/SATOSA/blob/master/tests/satosa/frontends…
provided useful input. At least I got satosa to load the client from
the configured file in client_db_path (in
plugins/frontends/openid_connect_frontend.yaml) with this JSON:
{
"someClientId": {
"response_types": [
"code"
],
"redirect_uris": [
"https://some.example.org/auth/callback"
],
"client_secret": "someClientSecret"
}
}
After a restart of the application server (satosa doesn't seem to pick
up the changes in the client_db otherwise) triggering a login at the
OIDC-enabled application now gets me to:
"Requesting provider: someClientId"
and that in turn triggers a SAML authn request and someone stablishes
the missing state that seemingly caused the "Unkown error" I was
asking about in another thread (with no answers), then SAML WebSSO
completes, attributes are being mapped and I am back "Routing to
frontend: oidc". So far so good.
Of course things still fail with yet another exception:
pyop.exceptions.InvalidAuthorizationCode: eff...cd79 unknown
AFAICT here's the flow, starting with creating that authz code:
[pyop.authz_state.create_authorization_code] creating authz code for scope=openid email
profile
[pyop.authz_state.create_authorization_code] new authz_code=eff...cd79 to
client_id=someClientId for sub=someid at example.org valid_until=1585612419
...
[satosa.proxy_server.unpack_request] read request data: {'grant_type':
'authorization_code', 'code': 'eff...cd79',
'redirect_uri': 'https://some.example.org/auth/callback'}
...
[pyop.client_authentication.verify_client_authentication] client authentication in
Authorization header Basic base64-encoded-client_id_colon_client_secret
[satosa.frontends.openid_connect.token_endpoint] invalid request: eff...cd79 unknown
Traceback (most recent call last):
File
"/usr/local/venv/SATOSA/lib/python3.7/site-packages/satosa/frontends/openid_connect.py",
line 363, in token_endpoint
response = self.provider.handle_token_request(urlencode(context.request), headers)
File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/provider.py",
line 324, in handle_token_request
return self._do_code_exchange(token_request, extra_id_token_claims)
File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/provider.py",
line 352, in _do_code_exchange
authentication_request =
self.authz_state.get_authorization_request_for_code(token_request['code'])
File
"/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/authz_state.py", line
320, in get_authorization_request_for_code
raise InvalidAuthorizationCode('{} unknown'.format(authorization_code))
pyop.exceptions.InvalidAuthorizationCode: eff...cd79 unknown
I'd have to know anything about oidc in order to know where to even
look how the authz code created above is now unknown and what could
have failed there.
Again, feel free to jump in with responses at any time.
-peter
1683
days inactive
1684
days old
1 comments
1 participants
participants (1)
-
peter.schober@univie.ac.at