From: Sander A. <sa....@fz...> - 2017-05-04 13:23:21
Hi Krzysztof,

we want to start UNICORE jobs from a JupyterHub server authenticated by Unity. The user signs into JupyterHub via Unity (with the OAuth authorization server). This authentication works fine. The generated token is transferred to UNICORE. UNICORE should use this token to request user attributes from Unity. During this request Unity throws an AuthenticationException because of an anonymous principal.

Our configurations are:

oauth-rp authenticator:
unityServer.core.authenticators.6.authenticatorName=oauthRP-cxf
unityServer.core.authenticators.6.authenticatorType=oauth-rp with cxf-oauth-bearer
unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/empty.json
unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/internalOAuthRP.properties

internalOAuthRP.properties:
unity.oauth2-rp.verificationProtocol=internal
unity.oauth2-rp.translationProfile=inputProfileOAuth
unity.oauth2-rp.clientSecret=bogus
unity.oauth2-rp.httpClientHostnameChecking=WARN

SAML UNICORE endpoint:
unityServer.core.endpoints.11.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.11.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.11.contextPath=/unicore-soapidp-oidc
unityServer.core.endpoints.11.endpointRealm=defaultRealm
unityServer.core.endpoints.11.endpointName=UNITY UNICORE OIDC SOAP SAML service
unityServer.core.endpoints.11.endpointAuthenticators=oauthRP-cxf

Output translation profile for the OAuth authorization server:
1: condition: true; action: createAttribute; attribute name: urn:jupyterhub:username; expression: idsByType['userName']
2: condition: true; action: createAttribute; attribute name: userName; expression: idsByType['userName']
3: condition: true; action: createAttribute; attribute name: x500Name; expression: idsByType['x500Name']

Input translation profile for oauth-rp:
1: condition: true; action: mapIdentity; unityIdentityType: x500Name; expression: attr['x500Name']; credential requirement: Password requirement; effect: CREATE_OR_MATCH

Why do we need an input translation profile for the internal OAuth resource provider? If we define the userinfo endpoint to be Unity itself, Unity rejects the request because it does not trust its own demo certificate (SunCertPathBuilderException: unable to find valid certification path to requested target).

Do you have any hint for us?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
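The resource-provider side of the flow described in the post, as an added example that is not part of the original message and not Unity or UNICORE code: a service receives a bearer token, asks the authorization server's userinfo endpoint who it belongs to over TLS that trusts the issuing certificate, and maps the returned attributes to a local identity the way the input translation profile does (mapIdentity on x500Name). The userinfo URL, the CA bundle path, the token strings and the userinfo attribute values are assumptions constructed for the example; the attribute names (userName, x500Name, urn:jupyterhub:username) come from the post.

```python
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Assumptions: the AS userinfo endpoint and a PEM file holding the CA (or
# the self-signed demo certificate itself) that issued the AS TLS certificate.
USERINFO_URL = "https://unity.example.org/oauth2/userinfo"
CA_BUNDLE = "/etc/unity/pki/unity-ca.pem"


class AuthenticationException(Exception):
    """The request could not be tied to a non-anonymous principal."""


@dataclass(frozen=True)
class Principal:
    x500_name: str
    user_name: Optional[str]


def bearer_from_header(auth_header: Optional[str]) -> str:
    """Extract the token from 'Authorization: Bearer <token>'.

    A missing header, another scheme, or an empty token means the caller
    is anonymous, so reject before any network call is made.
    """
    if not auth_header or not auth_header.strip():
        raise AuthenticationException("no Authorization header: anonymous principal")
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthenticationException("expected 'Bearer <token>'")
    return token.strip()


def make_tls_context(ca_bundle: str = CA_BUNDLE) -> ssl.SSLContext:
    """Trust the CA that issued the AS certificate; keep chain and hostname checks on."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def http_get_json(url: str, token: str, ca_bundle: str = CA_BUNDLE) -> dict:
    """Real userinfo call: GET <url> with the bearer token, parse the JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=make_tls_context(ca_bundle), timeout=10) as resp:
        return json.load(resp)


def map_identity(attrs: dict) -> Principal:
    """Equivalent of the input profile rule: mapIdentity x500Name <- attr['x500Name'].

    Without an x500Name there is nothing to CREATE_OR_MATCH against, so the
    caller stays anonymous and must be rejected.
    """
    x500 = attrs.get("x500Name")
    if not isinstance(x500, str) or not x500.strip():
        raise AuthenticationException("userinfo has no x500Name: anonymous principal")
    user = attrs.get("userName")
    return Principal(x500_name=x500.strip(), user_name=user if isinstance(user, str) else None)


def authenticate(auth_header: Optional[str],
                 fetch: Optional[Callable[[str, str, str], dict]] = None,
                 url: str = USERINFO_URL, ca_bundle: str = CA_BUNDLE) -> Principal:
    """Bearer token -> userinfo lookup -> mapped principal, or AuthenticationException."""
    token = bearer_from_header(auth_header)
    fetch = fetch or http_get_json
    try:
        attrs = fetch(url, token, ca_bundle)
    except (urllib.error.URLError, ssl.SSLError, ValueError) as exc:
        # Untrusted certificate, unreachable AS, or a non-JSON/401 reply all end here.
        raise AuthenticationException(f"userinfo lookup failed: {exc}") from exc
    return map_identity(attrs)


def rejects(auth_header: Optional[str], fetch: Callable[[str, str, str], dict]) -> bool:
    """True if the request is refused as anonymous or invalid."""
    try:
        authenticate(auth_header, fetch=fetch)
    except AuthenticationException:
        return True
    return False


# Constructed userinfo reply in the shape produced by the output profile above.
SAMPLE_USERINFO = {
    "sub": "alice",
    "userName": "alice",
    "x500Name": "CN=Alice Example,OU=Users,O=Example",
    "urn:jupyterhub:username": "alice",
}


def fake_fetch(url: str, token: str, ca_bundle: str) -> dict:
    """Offline stand-in for http_get_json with constructed tokens."""
    if token == "valid-token":
        return dict(SAMPLE_USERINFO)
    if token == "token-without-x500":
        return {"sub": "bob", "userName": "bob"}
    raise urllib.error.URLError("401 invalid_token")


if __name__ == "__main__":
    print(authenticate("Bearer valid-token", fetch=fake_fetch))
    for hdr in (None, "Basic YWxpY2U=", "Bearer ", "Bearer token-without-x500", "Bearer expired"):
        print(repr(hdr), "rejected" if rejects(hdr, fake_fetch) else "accepted")
```

The point of make_tls_context is that the certificate problem in the post is solved on the client side by putting the issuing (or self-signed demo) certificate into the trust store the RP uses for its userinfo call, not by relaxing chain or hostname verification; and map_identity shows why a userinfo reply without the mapped identity attribute leaves the caller anonymous.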