-
-
Notifications
You must be signed in to change notification settings - Fork 487
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for openid connect SSO and Bearer Tokens #6494
Conversation
web/src/main/webapp/WEB-INF/config-security/openid-configuration-jose.json
Outdated
Show resolved
Hide resolved
web/src/main/webapp/WEB-INF/config-security/openid-configuration-azure.json
Outdated
Show resolved
Hide resolved
...main/webapp/WEB-INF/config-security/config-security-openidconnectbearer-overrides.properties
Show resolved
Hide resolved
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OIDCConfiguration.java
Outdated
Show resolved
Hide resolved
.../java/org/fao/geonet/kernel/security/openidconnect/GeonetworkClientRegistrationProvider.java
Outdated
Show resolved
Hide resolved
.../org/fao/geonet/kernel/security/openidconnect/GeonetworkOAuth2LoginAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
.../org/fao/geonet/kernel/security/openidconnect/GeonetworkOAuth2LoginAuthenticationFilter.java
Outdated
Show resolved
Hide resolved
.../java/org/fao/geonet/kernel/security/openidconnect/GeonetworkClientRegistrationProvider.java
Outdated
Show resolved
Hide resolved
.../src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcLogoutHandler.java
Outdated
Show resolved
Hide resolved
username = org.apache.commons.lang.StringUtils.left(username, 256); //first max 256 chars | ||
} | ||
|
||
if (username != null && username.length() > 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change to !org.apache.commons.lang.StringUtils.isBlank(username)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed (new commit)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed - new commit.
username = org.apache.commons.lang.StringUtils.left(username, 256); //first max 256 chars | ||
} | ||
|
||
if (username != null && username.length() > 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change to !org.apache.commons.lang.StringUtils.isBlank(username)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/SimpleOidcUser.java
Outdated
Show resolved
Hide resolved
* <p> | ||
* NOTE: to be consistent with the rest of Azure, we use the Groups OID (guid) NOT its name. | ||
*/ | ||
public class MSGraphUserRolesResolver implements UserRolesResolver { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This class seems not using the internet proxy configuration if a proxy server is configured, to review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmmm - I don't think the internal spring library is using the proxy either.
I don't think I can support that right now - and there's insufficient examples in the code base.
will not change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@josegar74 - no action on this. Not sure what to do...
...in/java/org/fao/geonet/kernel/security/openidconnect/bearer/SubjectAccessTokenValidator.java
Outdated
Show resolved
Hide resolved
@davidblasby This is the configuration for the environment variables in intellij. And this is an example of the resource access that exists in my keycloak token (This is how it was setup when I was using keycloak drivers)
believe the issue may be related to the roles I have assigned? Documentation says to use the following.
I understand how RegisteredGuest and Administrator work as those roles are not dependent on the groups that a users is assigned to. But Editor and Reviewer are dependent on the groups that the user is assigned to so I don't understand what it means to be an "Editor" in this context. Generally geonetwork would use the highest role for the groups. i.e. if a user was a editor on group a and a reviewer on group b then it would identify the user as a reviewer. And if the user was an editor on group a and a registeredUser on group b then they would be identified as editor. |
...main/webapp/WEB-INF/config-security/config-security-openidconnectbearer-overrides.properties
Outdated
Show resolved
Hide resolved
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OIDCConfiguration.java
Show resolved
Hide resolved
@ianwallen - RE: you get 401s This should work with the "a:Editor" - in the same way as the old keycloak provider (I reused the code there). I haven't done any extensive testing of it, however. You should still be able to login and shouldn't be getting 401s. I could be giving the incorrect permissions, but I give the user the "normal" permission (like RegisteredUser and Editor) and then give them the group permissions. Most of that is in the OIDCRoleProcessor. Perhaps we can share a screen and debug next week? Perhaps @josegar74 can confirm, but I think there's two sets of permissions. The "generic" permissions, and then group-specific permissions. Jose - can you explain how to the permissions system works for group (and non-group) permissions? |
.../src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcLogoutHandler.java
Outdated
Show resolved
Hide resolved
@ianwallen - added the OPENIDCONNECT_SERVERMETADATA_CONFIG_URL environment variable (to download the config JSON from idp server on GN startup) and updated doc. I this this just needs a review by @josegar74 (see tags above). |
@davidblasby , I was able to finally get the authentication to work here are the issues that I have encountered. you have the following in the documentation.
The other issue I had was that the role assignments are based on the IdToken instead of the AccessToken. My keycloak configuration did not have the roles in the IdToken and based on the following https://auth0.com/blog/id-token-access-token-what-is-the-difference/ |
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OidcUser2GeonetworkUser.java
Show resolved
Hide resolved
Hi, I don't think that roles should be in the Access Token. In fact, you shouldn't ever parse the access token - it doesn't have to be a JWT. It's only required to be readable/usable by the server that produced them. Azure AD doesn't put roles in the access token - you can request that it puts them in the ID Token (see my documentation - you have to turn this on inside Azure). Since, for Bearer-token-only access (which is an Azure-generated AccessToken), I use the MSGraphRolesResolver (graph.microsoft.com) to get roles. I also included UserInfoAccessTokenRolesResolver, which allows you to get roles from the userinfo endpoint - which is how I use bearer tokens from keycloak. There's also code there for getting roles from an ID token. I should probably default the scopes (OPENIDCONNECT_SCOPES) to "openid profile email". |
I updated so the default scopes are "openid email profile" (norma), and "openid email profile offline_access" (for bearer tokens). |
@ianwallen @josegar74 - I think this is ready to merge??? |
|
I'm not an expert? I tried to find information on best practices for group token and I only found the following.
I don't understand why you seem to indicate AD doesn't put the roles in the access token. To my knowledge it does not put it in any token unless configured as shown here I have not used the role token from Azure so I may not be understanding your configuration. We currently use keycloak, and I would have expected that I could simply changed geonetwork configuration from the keycloak drivers to the this openidconnect driver without making any changes to the keycloak configuration however that was not the case. If you are correct that the ID token should be used, then does this mean that keycloak configuration has a bug because it uses the access token? It is odd that the keycloak drivers defaults to using the access token but the oauth driver default to using the id token. I'm not sure if there should be a configuration parameter for both keycloak and openidconnect drivers indicating where the group token comes from so that it is more clear otherwise I think this can get confusing. |
From that group;
We're using the permissions in a local session, so we should be using the ID token. I tried looking at those instructions (azure ad) for putting the groups in the access token - I tried a long time ago (many many times) and couldnt get it to work, and I tried today and wasn't able to get then in the access token. Perhaps it only works for oauth2 requests (which don't have an ID token) or for saml requests of some type. Most of the online documentation for azure ad oidc follows what I put in the GN documentation for setting up Azure AD - modify the manifest to get it to put tokens in the ID token. I think the keycloak driver is specialized to talk to keycloak and does whats easiest for keycloak. If you look at what the keycloak driver is doing, it basically doing an openid request to keycloak. I expect its putting the groups in the access token so it easier to work with with oauth2 (i.e. not oidc - and only has an access token). Since its controlling both the server and client, it can do anything it wants. I could modify it so that it could grab roles from the access token - but that's probably non-trivial todo. And it would make sense to allow use of the other providers (userinfo, MS Graph) as well. I can put a big note in the documentation saying that it should be using the ID token for roles. However, i think its pretty explicit (it one of the first things mentioned). The Azure AD and Keycloak sections both explain how to setup so it puts the roles in the id token. |
Thank you for looking into it some more. I agree that this may be extra work and I think we can submit a separate PR in the future to make this configurable. I will do one final test on my local system with the new changes and if the user profile changes work then I will approve your PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I identified a few typos that should be easy to fix.
I also noticed some inconsistencies with the naming where it is using both camel case and _ separator. Generally I would expect it to only use one.
i.e. openidconnect_Configuration expecting OIDCConfiguration, openIDConnectConfiguration, oidc_configuration,...
Here are a couple others examples that are inconsistent but there are lots in the code.
openidconnect_UserService
openidconnect_DefaultAuthorizationCodeTokenResponseClient
openidconnect_bearer_tokenvalidator
openidconnect_bearer_rolesprovider
These should all be easy to change if required.
I'm not sure if naming standards are enforced in this project so if @josegar74 wants to approved the PR with these naming issues then I will approve as well
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OIDCRoleProcessor.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/bearer/JwtDecoderFactory.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OIDCConfiguration.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OIDCConfiguration.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OIDCRoleProcessor.java
Outdated
Show resolved
Hide resolved
@ianwallen - I changed the name of all those beans so they don't have "_" in the name. @josegar74 - I will send you a private message for connecting to the geocat keycloak and Azure AD for testing. |
@ianwallen - I think, once jose has a chance to test, we are ready to merge! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ianwallen - I think, once jose has a chance to test, we are ready to merge!
I good with the latest changes so I will approve - thank you
Minor change for group - its was using the wrong isGroupUpdate() |
Added a new environment variable OPENIDCONNECT_LOGSENSITIVE_INFO for logging information. This is pretty much required when setting up so you can trouble shoot. See docs. |
* missed file in #6494 * jose feedback Co-authored-by: Jose García <josegar74@gmail.com> --------- Co-authored-by: david.blasby <david.blasby@geocat.net> Co-authored-by: Jose García <josegar74@gmail.com>
This PR adds support for OAuth2 OpenId Connect Single Sign-on and also support for OIDC Bearer tokens.
This has been tested with Azure AD and with KeyCloak (backed by Azure AD). See the documentation changes in geonetwork/doc#201.