From: Tim K. <t.k...@fz...> - 2017-05-05 08:14:38

Hi Krzysztof,

Sander and I are working together on this.

On 04.05.2017 20:35, Krzysztof Benedyczak wrote:
> hi Sander,
>
> On 04.05.2017 at 15:22, Sander Apweiler wrote:
>> Hi Krzysztof,
>>
>> we want to start unicore jobs by jupyterhub server authenticated by
>> unity.
> Sounds interesting :-)
>
>> The user signs into jupyterhub by unity (with oauth
>> authorization server). This authentication works fine. The generated
>> token is transferred to unicore. Unicore should use this token to
>> request user attributes from unity. During this request unity throws an
>> AuthenticationException because of an anonymous principal.
> Are you sure that the UNICORE part does this job properly and the *access
> token* is indeed added to the HTTP Auth header properly? If this is the
> case, can you enable TRACE logging (on the rest (the first stage -
> picking up the token from the request) and oauth (actual verification)
> loggers, plus maybe also ws) and check whether this token is picked up by
> Unity at all and then checked? We should know at which stage the
> authentication of the UNICORE request fails.

We send a Bearer access-token to UNICORE, which includes the user information (tested by a manual HTTP GET request to /oauth2/tokeninfo and /oauth2/userinfo). We assume UNICORE is forwarding this token properly to unity (based on the attached log - line 229), but we'll take a closer look at it.

I updated the log4j.properties file to

...
log4j.logger.unity.server=DEBUG
log4j.logger.unity.server.oauth=TRACE
log4j.logger.unity.server.rest=TRACE
log4j.logger.unity.server.ws=TRACE
...

and attached the result. This test was done with

...
unity.oauth2-rp.verificationProtocol=internal
...

and no defined unity.oauth2-rp.profileEndpoint (see attached log - line 230).

>
> [CUT]
>
>> Why do we need an input translation profile for the internal oauth resource
>> provider?
> This is a generic feature - Unity isolates endpoints and authenticators,
> so internal verification is a separate part from what you map the client to.
> But yes - for this special case, when unity validates a token issued by
> itself and so is both OAuth AS and RP, we may think about some simplified
> config - i.e. map to the owner of the access token and do not perform
> any modification.
>
>
>> If we define the userinfo endpoint to unity itself, unity
>> rejects the request because it does not trust its own demo certificate.
>> (SunCertPathBuilderException: unable to find valid certification path to
>> requested target)
>> Do you have any hint for us?
> I'm not sure what you precisely mean by "define the userinfo endpoint to
> unity itself", but in general, when not using the internal verification
> (which uses the internal API call) but any other means, then a network
> connection is made and true - you can get any sort of TLS error.
> The authenticator's truststore (httpClientTruststore property) needs to
> include the CA certificate of the unity server certificate (which is used by
> the oauth endpoint).
>
> Best
> Krzysztof

Thanks and best regards,
Tim Kreuzer
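As an added illustration of the two checks discussed in this thread (whether the access token actually reaches Unity in the HTTP Authorization header, and whether a non-internal verification path trusts the CA of Unity's server certificate), here is a small stand-alone Python script; it is not code from the thread or from Unity/UNICORE, and the base URL and CA-bundle path it uses are assumptions.

```python
import json
import ssl
import urllib.request


def extract_bearer_token(headers):
    """Return the bearer token carried in an HTTP header dict, or None.

    A request whose Authorization header is missing, uses another scheme,
    or carries an empty token is exactly what a server treats as an
    anonymous principal, so this mirrors the first stage of the check.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "authorization":
            value = raw
            break
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token or None


def check_token(unity_base, token, ca_bundle):
    """Query /oauth2/tokeninfo and /oauth2/userinfo with the token.

    unity_base is the Unity server URL (assumed, e.g. https://unity.example.org:2443)
    and ca_bundle is a PEM file holding the CA that issued Unity's server
    certificate: the same CA the RP authenticator's truststore must contain,
    otherwise TLS verification fails before any token is inspected.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    results = {}
    for path in ("/oauth2/tokeninfo", "/oauth2/userinfo"):
        req = urllib.request.Request(
            unity_base + path, headers={"Authorization": "Bearer " + token}
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            results[path] = json.load(resp)
    return results


if __name__ == "__main__":
    # Constructed header, as UNICORE would have to forward it to Unity.
    sample = {"Authorization": "Bearer <access-token-placeholder>"}
    print(extract_bearer_token(sample))
```

Run check_token only against a reachable Unity instance; a certificate error from it reproduces the SunCertPathBuilderException case, while a JSON answer from /oauth2/tokeninfo confirms the token is valid before looking further at the UNICORE side.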