From: Krzysztof B. <kb...@un...> - 2017-05-04 18:35:54

hi Sander,

On 04.05.2017 at 15:22, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we want to start unicore jobs by jupyterhub server authenticated by
> unity.

Sounds interesting :-)

> The user signs into jupyterhub by unity (with oauth
> authorization server). This authentication works fine. The generated
> token is transferred to unicore. Unicore should use this token to
> request user attributes from unity. While this request unity throws an
> AuthenticationException because of an anonymous principal.

Are you sure that the UNICORE part does this job properly and the *access token* is indeed added to the HTTP Auth header properly? If this is the case, can you enable TRACE logging (on the rest (the first stage - picking up the token from the request) and oauth (actual verification) loggers, plus maybe also ws) and check whether this token is picked up by Unity at all and then checked? We should know at which stage the authentication of the UNICORE request fails.

[CUT]

> Why do we need an input translation profile for internal oauth resource
> provider?

This is a generic feature - Unity isolates endpoints and authenticators, so internal verification is a separate part from what you map the client to. But yes - for this special case, when Unity validates a token issued by itself, so it is both the OAuth AS and RP, we may think about some simplified config - i.e. map to the owner of the access token and do not perform any modification.

> If we define the userinfo endpoint to unity itself, unity
> rejects the request because it does not trust its own demo certificate.
> (SunCertPathBuilderException: unable to find valid certification path to
> requested target)
> Do you have any hint for us?

I'm not sure what you precisely mean by "define the userinfo endpoint to unity itself", but in general when not using the internal verification (which uses the internal API call) but any other means, then the network connection is made and true - you can get any sort of TLS error. The authenticator's truststore (httpClientTruststore property) needs to include the CA certificate of the Unity server certificate (which is used by the oauth endpoint).

Best
Krzysztof
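The first check Krzysztof suggests is whether the access token actually reaches the Authorization header of the request that UNICORE sends to Unity. The following helper is an added example, not code from the thread or from UNICORE/Unity: it parses a raw HTTP request captured on the wire (the sample requests below are constructed, not real captures) and reports whether a syntactically valid Bearer credential is present, which separates a "token never sent" problem from a "token rejected by Unity" problem.

```python
import re

# RFC 6750 bearer credentials use the RFC 7235 "token68" syntax.
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict
    keyed by lower-cased header name (header names are case-insensitive)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def diagnose_bearer(raw_request: str) -> str:
    """Classify the Authorization header of a captured request.

    Returns one of: 'no-authorization-header', 'wrong-scheme:<scheme>',
    'empty-token', 'malformed-token', 'ok'. Only 'ok' means the token
    reached the wire; anything else means the client side never sent a
    usable bearer credential, so Unity would see an anonymous principal."""
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return "no-authorization-header"
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() != "bearer":  # scheme comparison is case-insensitive
        return f"wrong-scheme:{scheme}"
    credential = credential.strip()
    if not credential:
        return "empty-token"
    if not _TOKEN68.match(credential):
        return "malformed-token"
    return "ok"


# Constructed sample requests (hypothetical host and token values).
GOOD = ("GET /rest/core/jobs HTTP/1.1\r\nHost: unicore.example.org\r\n"
        "Authorization: Bearer abc123.def-456\r\n\r\n")
MISSING = "GET /rest/core/jobs HTTP/1.1\r\nHost: unicore.example.org\r\n\r\n"
BASIC = ("GET /rest/core/jobs HTTP/1.1\r\n"
         "Authorization: Basic dXNlcjpwdw==\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("MISSING", MISSING), ("BASIC", BASIC)):
        print(name, "->", diagnose_bearer(req))
```

If the result is "ok" on the UNICORE side, the next place to look is Unity's rest and oauth TRACE logs, as described above.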