|
From: Roman K. <ro...@un...> - 2023-06-19 09:41:07
|
Dear Sander,

Is there any news with regards to additional information?

Thank you,
Roman

On Mon, 12 Jun 2023 at 10:35, Sander Apweiler <sa....@fz...> wrote:

> Dear Krzysztof,
> we will bring the information as soon as possible.
>
> Best regards,
> Sander
>
> On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
> > Dear Laura, Sander,
> >
> > On 6.06.2023 at 13:19, Laura Hofer wrote:
> > > Dear Krzysztof, Dear Roman,
> > >
> > > we were just about to install unity 3.13.0 and then start testing. To
> > > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > > 3.13.0. After that, we received an application error message when
> > > logging in (see attached screenshot). Unfortunately we could not find
> > > any error message in the stack trace, so we switched back to 3.12.0.
> > > There we got the same error message at login, but then we could also
> > > find an error message in the stack trace. This is also attached as a
> > > txt file.
> >
> > So we have found the problem in 3.12 causing your error. We can fix it,
> > no problem, however I don't think it makes a lot of sense: it is a minor
> > bug, which will only occur on a database which was run on 3.13, and then
> > used in 3.12. This problem on 3.12 is also for sure 100% not related to
> > the (serious) sign-in problem you observed on 3.13.
> >
> > That said, to investigate the real issue we need to get back to 3.13,
> > and diagnose the problem in there. In case of error like in your
> > screenshot, you should rather get a stacktrace or at least ERROR message
> > in log. It is possible we have some omission in logging, but unlikely.
> >
> > Can you please first enable debug logging, then repeat your failing
> > sign-in on 3.13 and inspect log files one more time (or share it with
> > us)? We need to find some clues on what is failing. Without access to
> > your database it will be the only way forward.
> >
> > Best,
> > Krzysztof
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren District Court, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
> Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens,
> Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
> -----------------------------------------------------------------------
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
From: Sander A. <sa....@fz...> - 2023-06-19 08:51:16
|
Hi Krzysztof,

the login using ORCID is working again without any changes. Maybe it was just a problem on ORCID side.

Best regards,
Sander

On Thu, 2023-06-15 at 13:34 +0200, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we encountered a problem using ORCID for authentication.
> The login is failing and the logs (see below) give an error about
> missing access_token and it seems that ORCID is returning an unauthorized
> message. I checked my settings at ORCID and I do not see issues with the
> registered client or in my account. Do you know if they changed
> something at the API? We are still running unity 3.11.2.
>
> 2023-06-15T13:20:30,649 [qtp1372725646-3068] INFO unity.server.oauth.RedirectRequestHandler: Starting OAuth redirection to OAuth provider https://orcid.org/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Flogin.helmholtz.de%2Funitygw%2Foauth2ResponseConsumer&state=7d7a2760-5389-433a-a6f1-0bfdd356589b&client_id=APP-FW26H90Q59NZDYOY&scope=%2Fauthenticate&show_login=true
> 2023-06-15T13:20:50,368 [qtp1372725646-3019] WARN unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
> 2023-06-15T13:20:50,368 [qtp1372725646-3019] INFO unity.server.oauth.OAuth2Verificator: OAuth2 authorization code verification or processing failed
> pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: Problem during user information retrieval
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:334) ~[unity-server-oauth-3.11.2.jar:?]
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.verifyOAuthAuthzResponse(OAuth2Verificator.java:262) ~[unity-server-oauth-3.11.2.jar:?]
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.processResponse(OAuth2Verificator.java:243) ~[unity-server-oauth-3.11.2.jar:?]
>     at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.11.2.jar:?]
>     at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.11.2.jar:?]
>     at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.11.2.jar:?]
>     at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.11.2.jar:?]
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) ~[jetty-servlet-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) ~[jetty-servlet-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
>     at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.11.2.jar:?]
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:301) ~[jetty-rewrite-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.Server.handle(Server.java:563) ~[jetty-server-10.0.12.jar:10.0.12]
>     at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:195) ~[unity-server-engine-3.11.2.jar:?]
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282) ~[jetty-server-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) ~[jetty-io-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421) ~[jetty-util-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390) ~[jetty-util-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277) ~[jetty-util-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:139) ~[jetty-util-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411) ~[jetty-util-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:933) ~[jetty-util-10.0.12.jar:10.0.12]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1077) ~[jetty-util-10.0.12.jar:10.0.12]
>     at java.lang.Thread.run(Thread.java:829) ~[?:?]
> Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key access_token
>     at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:152) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getString(JSONObjectUtils.java:428) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at com.nimbusds.oauth2.sdk.token.AccessTokenUtils.parseValue(AccessTokenUtils.java:68) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at com.nimbusds.oauth2.sdk.token.BearerAccessToken.parse(BearerAccessToken.java:210) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at com.nimbusds.oauth2.sdk.token.AccessToken.parse(AccessToken.java:358) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at com.nimbusds.oauth2.sdk.token.Tokens.parse(Tokens.java:235) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse.java:198) ~[oauth2-oidc-sdk-9.41.jar:9.41]
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getAccessTokenAndProfilePlain(OAuth2Verificator.java:485) ~[unity-server-oauth-3.11.2.jar:?]
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:331) ~[unity-server-oauth-3.11.2.jar:?]
>     ... 48 more
> 2023-06-15T13:20:50,369 [qtp1372725646-3019] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
>
> Best regards,
> Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Sander A. <sa....@fz...> - 2023-06-15 11:34:56
|
Hi Krzysztof, hi Roman,

we encountered a problem using ORCID for authentication. The login is failing and the logs (see below) give an error about missing access_token and it seems that ORCID is returning an unauthorized message. I checked my settings at ORCID and I do not see issues with the registered client or in my account. Do you know if they changed something at the API? We are still running unity 3.11.2.

2023-06-15T13:20:30,649 [qtp1372725646-3068] INFO unity.server.oauth.RedirectRequestHandler: Starting OAuth redirection to OAuth provider https://orcid.org/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Flogin.helmholtz.de%2Funitygw%2Foauth2ResponseConsumer&state=7d7a2760-5389-433a-a6f1-0bfdd356589b&client_id=APP-FW26H90Q59NZDYOY&scope=%2Fauthenticate&show_login=true
2023-06-15T13:20:50,368 [qtp1372725646-3019] WARN unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
2023-06-15T13:20:50,368 [qtp1372725646-3019] INFO unity.server.oauth.OAuth2Verificator: OAuth2 authorization code verification or processing failed
pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: Problem during user information retrieval
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:334) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.verifyOAuthAuthzResponse(OAuth2Verificator.java:262) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.processResponse(OAuth2Verificator.java:243) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.11.2.jar:?]
    at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.11.2.jar:?]
    at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.11.2.jar:?]
    at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.11.2.jar:?]
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.11.2.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:301) ~[jetty-rewrite-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.Server.handle(Server.java:563) ~[jetty-server-10.0.12.jar:10.0.12]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:195) ~[unity-server-engine-3.11.2.jar:?]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:139) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:933) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1077) ~[jetty-util-10.0.12.jar:10.0.12]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key access_token
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:152) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getString(JSONObjectUtils.java:428) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.AccessTokenUtils.parseValue(AccessTokenUtils.java:68) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.BearerAccessToken.parse(BearerAccessToken.java:210) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.AccessToken.parse(AccessToken.java:358) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.Tokens.parse(Tokens.java:235) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse.java:198) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getAccessTokenAndProfilePlain(OAuth2Verificator.java:485) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:331) ~[unity-server-oauth-3.11.2.jar:?]
    ... 48 more
2023-06-15T13:20:50,369 [qtp1372725646-3019] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
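
Added example, not part of the original thread and not Unity's own code: a triage script for the log in the message above. It assumes the WARN record from OAuth2Verificator carries the provider's error body, and pairs it with the later "Missing JSON object member with key access_token" exception on the same thread, so the provider error is reported as the cause and the ParseException as its consequence. The sample log is constructed from the records in the message (redirect URL and stack frames omitted), and all function and class names are hypothetical.

```python
"""Pair an OAuth provider error body with the ParseException it causes.
Added example for the thread above; names here are hypothetical."""
import json
import re
from dataclasses import dataclass

# Constructed sample: the records from the message above, with the mail
# client's line wrapping undone, the redirect URL and stack frames omitted.
SAMPLE_LOG = """\
2023-06-15T13:20:30,649 [qtp1372725646-3068] INFO unity.server.oauth.RedirectRequestHandler: Starting OAuth redirection to OAuth provider
2023-06-15T13:20:50,368 [qtp1372725646-3019] WARN unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
2023-06-15T13:20:50,368 [qtp1372725646-3019] INFO unity.server.oauth.OAuth2Verificator: OAuth2 authorization code verification or processing failed
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key access_token
2023-06-15T13:20:50,369 [qtp1372725646-3019] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
"""

# Error codes defined for token endpoint error responses in RFC 6749, section 5.2.
RFC6749_TOKEN_ERRORS = frozenset({
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
})

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:,]+) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>[\w.$]+): (?P<msg>.*)$"
)
ERROR_BODY = re.compile(r"Error received\. Contents: (\{.*\})\s*$")
MISSING_TOKEN = "Missing JSON object member with key access_token"


@dataclass
class Finding:
    timestamp: str
    thread: str
    error: str
    description: str
    standard_code: bool            # is `error` one of the RFC 6749 codes?
    parse_exception_follows: bool  # did the same thread then fail to parse a token?


def parse_records(text):
    """Split the log into records; stack-trace lines attach to the record above."""
    records = []
    for line in text.splitlines():
        match = RECORD.match(line)
        if match:
            records.append({**match.groupdict(), "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records


def triage(text):
    """Return one Finding per provider error body logged by OAuth2Verificator."""
    findings, pending = [], {}
    for rec in parse_records(text):
        body = ERROR_BODY.search(rec["msg"])
        if body and rec["level"] == "WARN" and rec["logger"].endswith("OAuth2Verificator"):
            try:
                payload = json.loads(body.group(1))
            except json.JSONDecodeError:
                continue  # truncated or wrapped body: nothing reliable to report
            if not isinstance(payload, dict) or "error" not in payload:
                continue
            finding = Finding(
                timestamp=rec["ts"],
                thread=rec["thread"],
                error=str(payload["error"]),
                description=str(payload.get("error_description", "")),
                standard_code=payload["error"] in RFC6749_TOKEN_ERRORS,
                parse_exception_follows=False,
            )
            findings.append(finding)
            pending[rec["thread"]] = finding
        elif rec["thread"] in pending:
            # The exception is logged by the same request thread as the error body.
            if any(MISSING_TOKEN in part for part in [rec["msg"], *rec["extra"]]):
                pending.pop(rec["thread"]).parse_exception_follows = True
    return findings


def report(findings):
    """One line per finding, naming the provider error as the cause."""
    lines = []
    for f in findings:
        kind = "RFC 6749 code" if f.standard_code else "non-standard code"
        effect = ("ParseException is a consequence" if f.parse_exception_follows
                  else "no parse failure seen")
        lines.append(f"{f.timestamp} {f.thread}: provider error '{f.error}' ({kind}); {effect}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

On the sample it reports a single finding for thread qtp1372725646-3019: the code "unauthorized" is not one of the RFC 6749 error codes, and the access_token ParseException follows from it.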
|
From: Sander A. <sa....@fz...> - 2023-06-12 08:35:27
|
Dear Krzysztof,

we will bring the information as soon as possible.

Best regards,
Sander

On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
> Dear Laura, Sander,
>
> On 6.06.2023 at 13:19, Laura Hofer wrote:
> > Dear Krzysztof, Dear Roman,
> >
> > we were just about to install unity 3.13.0 and then start testing. To
> > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > 3.13.0. After that, we received an application error message when
> > logging in (see attached screenshot). Unfortunately we could not find
> > any error message in the stack trace, so we switched back to 3.12.0.
> > There we got the same error message at login, but then we could also
> > find an error message in the stack trace. This is also attached as a
> > txt file.
>
> So we have found the problem in 3.12 causing your error. We can fix it,
> no problem, however I don't think it makes a lot of sense: it is a minor
> bug, which will only occur on a database which was run on 3.13, and then
> used in 3.12. This problem on 3.12 is also for sure 100% not related to
> the (serious) sign-in problem you observed on 3.13.
>
> That said, to investigate the real issue we need to get back to 3.13,
> and diagnose the problem in there. In case of error like in your
> screenshot, you should rather get a stacktrace or at least ERROR message
> in log. It is possible we have some omission in logging, but unlikely.
>
> Can you please first enable debug logging, then repeat your failing
> sign-in on 3.13 and inspect log files one more time (or share it with
> us)? We need to find some clues on what is failing. Without access to
> your database it will be the only way forward.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2023-06-08 08:16:54
|
Dear Laura, Sander,

On 6.06.2023 at 13:19, Laura Hofer wrote:
> Dear Krzysztof, Dear Roman,
>
> we were just about to install unity 3.13.0 and then start testing. To
> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> 3.13.0. After that, we received an application error message when
> logging in (see attached screenshot). Unfortunately we could not find
> any error message in the stack trace, so we switched back to 3.12.0.
> There we got the same error message at login, but then we could also
> find an error message in the stack trace. This is also attached as a
> txt file.

So we have found the problem in 3.12 causing your error. We can fix it, no problem, however I don't think it makes a lot of sense: it is a minor bug, which will only occur on a database which was run on 3.13, and then used in 3.12. This problem on 3.12 is also for sure 100% not related to the (serious) sign-in problem you observed on 3.13.

That said, to investigate the real issue we need to get back to 3.13, and diagnose the problem in there. In case of error like in your screenshot, you should rather get a stacktrace or at least ERROR message in log. It is possible we have some omission in logging, but unlikely.

Can you please first enable debug logging, then repeat your failing sign-in on 3.13 and inspect log files one more time (or share it with us)? We need to find some clues on what is failing. Without access to your database it will be the only way forward.

Best,
Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2023-06-07 11:17:14
|
Hi Sander,

On 7.06.2023 at 11:57, Sander Apweiler wrote:
> Dear Krzysztof,
>
> On Tue, 2023-06-06 at 14:54 +0200, Krzysztof Benedyczak wrote:
>> Dear Laura,
>>
>> On 6.06.2023 at 13:19, Laura Hofer wrote:
>>> Dear Krzysztof, Dear Roman,
>>>
>>> we were just about to install unity 3.13.0 and then start testing. To
>>> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
>>> 3.13.0. After that, we received an application error message when
>>> logging in (see attached screenshot). Unfortunately we could not find
>>> any error message in the stack trace, so we switched back to 3.12.0.
>>> There we got the same error message at login, but then we could also
>>> find an error message in the stack trace. This is also attached as a
>>> txt file.
>>
>> Thank you for the report. Most likely a regression caused by one of
>> recent big refactorings.
>>
>> Some questions:
>>
>> 1. The DB on which you run 3.12 (and got the attached stacktrace) was
>> used (and possibly modified) with 3.13 or not?
> Yes, the database was used also on 3.13. It looks like there was no
> modification on 3.13 start up, but I'm not sure
>> 2. If the answer to above is positive: can you restart your test
>> scenario (i.e. start from 3.11, upgrade to 3.12) and test on 3.12
>> whether the issue is also present on that version?
> Sadly we did not make a database backup before. By starting 3.11.2
> unity throws an error about the supported database version:
>

OK, we will try to find it on our side then, will take more time in such situation though. Will keep you posted.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-06-07 09:57:18
|
Dear Krzysztof,

On Tue, 2023-06-06 at 14:54 +0200, Krzysztof Benedyczak wrote:
> Dear Laura,
>
> On 6.06.2023 at 13:19, Laura Hofer wrote:
> > Dear Krzysztof, Dear Roman,
> >
> > we were just about to install unity 3.13.0 and then start testing. To
> > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > 3.13.0. After that, we received an application error message when
> > logging in (see attached screenshot). Unfortunately we could not find
> > any error message in the stack trace, so we switched back to 3.12.0.
> > There we got the same error message at login, but then we could also
> > find an error message in the stack trace. This is also attached as a
> > txt file.
>
> Thank you for the report. Most likely a regression caused by one of
> recent big refactorings.
>
> Some questions:
>
> 1. The DB on which you run 3.12 (and got the attached stacktrace) was
> used (and possibly modified) with 3.13 or not?

Yes, the database was used also on 3.13. It looks like there was no modification on 3.13 start up, but I'm not sure

> 2. If the answer to above is positive: can you restart your test
> scenario (i.e. start from 3.11, upgrade to 3.12) and test on 3.12
> whether the issue is also present on that version?

Sadly we did not make a database backup before. By starting 3.11.2 unity throws an error about the supported database version:

The database schema version 18 is newer then supported by this version of the server. Please upgrade the server software.

Best regards,
Sander

> Answers to those questions should help us a lot.
>
> Thank you,
>
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2023-06-06 12:54:35
|
Dear Laura,

On 6.06.2023 at 13:19, Laura Hofer wrote:
> Dear Krzysztof, Dear Roman,
>
> we were just about to install unity 3.13.0 and then start testing. To
> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> 3.13.0. After that, we received an application error message when
> logging in (see attached screenshot). Unfortunately we could not find
> any error message in the stack trace, so we switched back to 3.12.0.
> There we got the same error message at login, but then we could also
> find an error message in the stack trace. This is also attached as a
> txt file.

Thank you for the report. Most likely a regression caused by one of recent big refactorings.

Some questions:

1. The DB on which you run 3.12 (and got the attached stacktrace) was used (and possibly modified) with 3.13 or not?

2. If the answer to above is positive: can you restart your test scenario (i.e. start from 3.11, upgrade to 3.12) and test on 3.12 whether the issue is also present on that version?

Answers to those questions should help us a lot.

Thank you,
Krzysztof |
|
From: Laura H. <l....@fz...> - 2023-06-06 11:20:04
|
Dear Krzysztof, Dear Roman,

we were just about to install unity 3.13.0 and then start testing. To do this, we first switched from unity 3.11.2 to unity 3.12.0, then to 3.13.0. After that, we received an application error message when logging in (see attached screenshot). Unfortunately we could not find any error message in the stack trace, so we switched back to 3.12.0. There we got the same error message at login, but then we could also find an error message in the stack trace. This is also attached as a txt file.

Best regards,
Laura Hofer

--
Juelich Supercomputing Centre
Institute for Advanced Simulation
Forschungszentrum Juelich GmbH
52425 Juelich, Germany

E-Mail: l....@fz...
Phone: +49 2461 61-6576
Fax: +49 2461 61-6656 |
|
From: Krzysztof B. <kb...@un...> - 2023-05-31 16:33:34
|
Hi,

On 31.05.2023 at 11:30, Sander Apweiler wrote:
> Hi Krzysztof,
> we are just using two realms. The adminRealm for console endpoint and
> the defaultRealm for all other endpoints. But we could create a third
> one dedicated to the home endpoint for the oauth clients.

Hm. So what are the two flows in which you expect to have different authN?

Let's say you create one realm for the Home endpoint. This realm will require MFA. Then all users accessing this endpoint will need to authenticate with MFA. That is easy.

But I still don't understand your setup. I don't know what do you mean by "normal authentication of the client in AuthZ code flow". Please be more verbose. What are the authn options? What are the endpoints in question (just /home or /home and OAuth IdP?)?

Krzysztof

> Best regards,
> Sander
>
> On Wed, 2023-05-31 at 11:09 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 30.05.2023 at 13:06, Sander Apweiler wrote:
>>> Hi Krzysztof, hi Roman
>>> we are planning to enforce 2FA on /home endpoint. Can you confirm that
>>> Oauth admins would need to enter second factor if they log in at this
>>> endpoint with the client credentials but the normal authentication of
>>> the client in Authorization code flow is not affected.
>> It depends on details of your setup. Can you provide your envisioned
>> realms setup and what is the assignment of home and oauth endpoints to
>> realms?
>>
>> Best,
>> Krzysztof |
|
From: Sander A. <sa....@fz...> - 2023-05-31 09:30:43
|
Hi Krzysztof,
we are just using two realms. The adminRealm for console endpoint and the defaultRealm for all other endpoints. But we could create a third one dedicated to the home endpoint for the oauth clients.

Best regards,
Sander

On Wed, 2023-05-31 at 11:09 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 30.05.2023 at 13:06, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman
> > we are planning to enforce 2FA on /home endpoint. Can you confirm that
> > Oauth admins would need to enter second factor if they log in at this
> > endpoint with the client credentials but the normal authentication of
> > the client in Authorization code flow is not affected.
>
> It depends on details of your setup. Can you provide your envisioned
> realms setup and what is the assignment of home and oauth endpoints to
> realms?
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Krzysztof B. <kb...@un...> - 2023-05-31 09:10:13
|
Hi Sander,

On 30.05.2023 at 13:06, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman
> we are planning to enforce 2FA on /home endpoint. Can you confirm that
> Oauth admins would need to enter second factor if they log in at this
> endpoint with the client credentials but the normal authentication of
> the client in Authorization code flow is not affected.

It depends on details of your setup. Can you provide your envisioned realms setup and what is the assignment of home and oauth endpoints to realms?

Best,
Krzysztof |
|
From: Sander A. <sa....@fz...> - 2023-05-30 11:06:39
|
Hi Krzysztof, hi Roman
we are planning to enforce 2FA on /home endpoint. Can you confirm that Oauth admins would need to enter second factor if they log in at this endpoint with the client credentials but the normal authentication of the client in Authorization code flow is not affected.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Krzysztof B. <kb...@un...> - 2023-05-25 20:46:54
|
Dear Subscribers,

I'm happy to announce availability of a new Unity release. As always all relevant links are available at https://unity-idm.eu/releases/release-3-13-0/

The 3.13.0 release brings implementation of several OSS community requests. The main development effort was on technical debt reduction, and at the same time preparation for the changes planned in Unity 4. Effects of that work are not visible today, will add a value upon the next major release.

Registration form information for remote signup

Registration forms can have a separate 2nd stage form information. This information is shown, together with separately configured title after returning from remote IdP, during signup with remote identity.

Support for Unity certificate rollover for SAML IdP and SP

Unity SAML IdP allows for configuring additional credential. This credential is advertised in generated metadata as another certificate. It is useful for IdP certificate roll-over, when, for a short time, service providers in federation should learn a new certificate, and prepare to accept it.

Similar, but more complex, feature was added to SAML authenticator (an SP in SAML nomenclature). It is possible to configure additional credential which can be used to decrypt incoming messages (typically authentication or attribute assertions), as an alternative to the main credential. What is more it is possible to control, whether this alternative credential is included in generated SAML metadata or not.

Configuration in the case of SP is more complex as the certificate rollover process is also more involving. Typically an admin wants to first advertise a new certificate in metadata, and be ready to accept messages encrypted with it (step 1). Next the credentials are swapped and the old credential is removed from metadata, however decryption with it is still possible (step 2).

User attributes as claims in OAuth JWT tokens

OAuth clients may request putting user claims in OAuth access token (if is issued as JWT) and/or in OIDC id token.

Other improvements

* Update of realm is automatically picked by endpoints using it. Before the endpoints had to be manually reloaded.
* For certain 2nd factor credentials like OTP, invalid try to provide it is not resulting in reset of the whole authentication and return to the first factor. Instead it is possible to provide the 2nd factor credential again.
* UpMan invitations grid won’t crash, when some invitations have not been sent yet

Best regards,
Krzysztof |
|
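The two SAML authenticator (SP) rollover steps from the announcement above, modelled as an added example; this is not Unity code or Unity configuration. The state names, the `old`/`new` labels, the assumption that the main credential also signs outgoing requests, the assumption that a federation peer may still hold metadata from the previous step, and the final clean-up state are all assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SpState:
    name: str
    main: str                    # main credential (assumed: signs and decrypts)
    additional: Optional[str]    # alternative credential, decryption only
    advertise_additional: bool   # include the additional cert in metadata?

    def metadata_certs(self):
        certs = {self.main}
        if self.additional and self.advertise_additional:
            certs.add(self.additional)
        return frozenset(certs)

    def decryption_keys(self):
        return frozenset(c for c in (self.main, self.additional) if c)


def check_transition(prev, cur):
    """Problems a peer can hit after switching prev -> cur.

    A peer works from a metadata snapshot that is either current or one
    step stale. It may encrypt to any certificate in its snapshot and it
    validates the SP's signatures against that snapshot.
    """
    problems = []
    snapshots = (("stale", prev.metadata_certs()), ("fresh", cur.metadata_certs()))
    for age, snapshot in snapshots:
        for cert in sorted(snapshot - cur.decryption_keys()):
            problems.append(f"{age} peer encrypts to '{cert}', SP cannot decrypt")
        if cur.main not in snapshot:
            problems.append(f"{age} peer cannot verify signature made with '{cur.main}'")
    return problems


# Hypothetical states; STEP1 and STEP2 follow the announcement's two steps.
START = SpState("start", main="old", additional=None, advertise_additional=False)
STEP1 = SpState("step 1", main="old", additional="new", advertise_additional=True)
STEP2 = SpState("step 2", main="new", additional="old", advertise_additional=False)
DONE = SpState("clean-up", main="new", additional=None, advertise_additional=False)


def audit(plan):
    """Map 'a -> b' to the list of problems for each consecutive pair."""
    return {
        f"{a.name} -> {b.name}": check_transition(a, b)
        for a, b in zip(plan, plan[1:])
    }


if __name__ == "__main__":
    plans = {
        "as announced": [START, STEP1, STEP2, DONE],
        "skip step 1": [START, STEP2],
        "drop old key at swap": [START, STEP1, DONE],
    }
    for label, plan in plans.items():
        print(label)
        for step, problems in audit(plan).items():
            print("  ", step, "->", problems or "ok")
```

Running it prints each plan with the failures a stale or fresh peer would see, which makes the reason for keeping the old credential available for decryption after the swap visible.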
From: Sander A. <sa....@fz...> - 2023-05-03 06:11:38
|
Hello Roman,
thank you very much for jumping in. Thanks also for the explanation. A workaround is not needed anymore. The service provider did an update of the underlying libraries and now it is working. I got the confirmation over the weekend and had no time to forward it.

Best regards,
Sander

On Tue, 2023-05-02 at 11:53 +0200, Roman Krysiński wrote:
> Hello Sander,
>
> Krzysztof is out of the office for some time, so let me address your
> question.
>
> The "Accept" header is used by the client to indicate the MIME types
> of content that the client is able to understand and process. The
> purpose of the "Accept" header is to allow the client to negotiate
> with the server and receive content in a format that it can handle.
> The implementation of JWK produces data in "application/jwk-set+json"
> MIME type, thus the problem. This type was explicitly set by
> Krzysztof, likely based on RFC (likely, because he is not here to
> confirm).
>
> I'm not aware of any workaround that could be applied at Unity site
> to overcome this issue.
>
> Best regards,
> Roman
>
>
> On Wed, 26 Apr 2023 at 11:55, Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof,
> > we have got an OIDC client which has some trouble in the integration.
> > The used software eduMEET adds an "Accept: application/json" header to
> > communication with jwk endpoint. Testing it with curl commands it
> > seems that unity does not support this:
> >
> > with Accept-Header:
> > % curl -i -H "Accept: application/json"
> > 'https://login-dev.helmholtz.de/oauth2/jwk'
> > HTTP/1.1 400 Bad Request
> > Date: Tue, 25 Apr 2023 19:02:21 GMT
> > Strict-Transport-Security: max-age=31536000; includeSubDomains
> > X-Frame-Options: DENY
> > Content-Type: application/json
> > Content-Length: 91
> >
> > {"error_description":"Unexpected server error; Server engine
> > error","error":"server_error"}
> >
> >
> > without Accept-Header:
> >
> > % curl -i 'https://login-dev.helmholtz.de/oauth2/jwk'
> > HTTP/1.1 200 OK
> > Date: Tue, 25 Apr 2023 19:02:43 GMT
> > Strict-Transport-Security: max-age=31536000; includeSubDomains
> > X-Frame-Options: DENY
> > Content-Type: application/jwk-set+json;charset=UTF-8
> > Vary: Accept-Encoding
> > Content-Length: 396
> >
> > {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"ni4t9tzJ8rjkw_FvI
> > GdDI
> > _iiZC-
> > w2JthaNHcvN1B8tzGm2wdhp2f5ujlvI68Q2NMrzfF2aeS02nhs9PJ8FoBT53bRUJ9h5
> > vFzQ
> > 4X0cRT8s1A4Ya_Ejs2xbJbBitvs4GwtNId8PnJGqI_BpAZQ26IMXXWpaL46N4vnnCb2
> > p8yb
> > uL-
> > HOhAjNQS2gOnQ5djxow4yjkYPgF3YaoQ8AI8CrE3KuOJInTdGl_E4pauV5Zc_My9ZiK
> > PhmC
> > u4xTNuHrIJAuUWZl8xnHLoANJAV5iMVVrm9xEVC5P6JOjuRxrLG37iV2YitCnUDwBY8
> > 4bNI
> > nZSKuQhVjc2qyfbguJ-HCD5U17fQ"}]}
> >
> > Is this intended by you and do you have any idea of a workaround to
> > integrate the software?
> >
> > I didn't find something in the unity manual about this issue and it
> > seems that the OIDC standard did not cover this in the token
> > validation.
> >
> > Best regards,
> > Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Roman K. <ro...@un...> - 2023-05-02 09:53:37
|
Hello Sander,

Krzysztof is out of the office for some time, so let me address your question.

The "Accept" header is used by the client to indicate the MIME types of content that the client is able to understand and process. The purpose of the "Accept" header is to allow the client to negotiate with the server and receive content in a format that it can handle. The implementation of JWK produces data in "application/jwk-set+json" MIME type, thus the problem. This type was explicitly set by Krzysztof, likely based on RFC <https://www.rfc-editor.org/rfc/rfc7517> (likely, because he is not here to confirm).

I'm not aware of any workaround that could be applied at Unity site to overcome this issue.

Best regards,
Roman

On Wed, 26 Apr 2023 at 11:55, Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> we have got an OIDC client which has some trouble in the integration. The
> used software eduMEET adds an "Accept: application/json" header to
> communication with jwk endpoint. Testing it with curl commands it seems
> that unity does not support this:
>
> with Accept-Header:
> % curl -i -H "Accept: application/json"
> 'https://login-dev.helmholtz.de/oauth2/jwk'
> HTTP/1.1 400 Bad Request
> Date: Tue, 25 Apr 2023 19:02:21 GMT
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Frame-Options: DENY
> Content-Type: application/json
> Content-Length: 91
>
> {"error_description":"Unexpected server error; Server engine
> error","error":"server_error"}
>
>
> without Accept-Header:
>
> % curl -i 'https://login-dev.helmholtz.de/oauth2/jwk'
> HTTP/1.1 200 OK
> Date: Tue, 25 Apr 2023 19:02:43 GMT
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Frame-Options: DENY
> Content-Type: application/jwk-set+json;charset=UTF-8
> Vary: Accept-Encoding
> Content-Length: 396
>
> {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"ni4t9tzJ8rjkw_FvIGdDI
> _iiZC-
> w2JthaNHcvN1B8tzGm2wdhp2f5ujlvI68Q2NMrzfF2aeS02nhs9PJ8FoBT53bRUJ9h5vFzQ
> 4X0cRT8s1A4Ya_Ejs2xbJbBitvs4GwtNId8PnJGqI_BpAZQ26IMXXWpaL46N4vnnCb2p8yb
> uL-
> HOhAjNQS2gOnQ5djxow4yjkYPgF3YaoQ8AI8CrE3KuOJInTdGl_E4pauV5Zc_My9ZiKPhmC
> u4xTNuHrIJAuUWZl8xnHLoANJAV5iMVVrm9xEVC5P6JOjuRxrLG37iV2YitCnUDwBY84bNI
> nZSKuQhVjc2qyfbguJ-HCD5U17fQ"}]}
>
> Is this intended by you and do you have any idea of a workaround to
> integrate the software?
>
> I didn't find something in the unity manual about this issue and it
> seems that the OIDC standard did not cover this in the token
> validation.
>
> Best regards,
> Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz... |
|
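The negotiation behind the two curl results in this exchange, as an added example that is not Unity's or eduMEET's code: it applies standard Accept media-range matching to the `application/jwk-set+json` type the endpoint produces, then checks a fetched JWK Set before its keys are trusted. The `CLIENT_ACCEPT` value, the function names and the sample key set are assumptions constructed for the illustration.

```python
import json

# Media type of the 200 response shown in the thread.
PRODUCED = "application/jwk-set+json"
# Assumed client header: prefer the JWK Set type, still tolerate plain JSON.
CLIENT_ACCEPT = "application/jwk-set+json, application/json;q=0.9, */*;q=0.1"
# Private RSA parameters that must never appear in a published key set.
PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")


def parse_accept(header):
    """Return [(type, subtype, q)] for each media range in an Accept header."""
    ranges = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        if not fields[0]:
            continue
        mtype, _, subtype = fields[0].lower().partition("/")
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        ranges.append((mtype, subtype or "*", q))
    return ranges


def acceptable(accept_header, produced=PRODUCED):
    """True if `produced` satisfies the header; no header accepts anything."""
    if accept_header is None or not accept_header.strip():
        return True
    ptype, _, psub = produced.lower().partition("/")
    best = None  # (specificity, q) of the most specific matching range
    for mtype, subtype, q in parse_accept(accept_header):
        if (mtype, subtype) == ("*", "*"):
            spec = 0
        elif mtype == ptype and subtype == "*":
            spec = 1
        elif mtype == ptype and subtype == psub:
            spec = 2
        else:
            continue  # "application/json" lands here: "+json" is not a wildcard
        if best is None or spec > best[0]:
            best = (spec, q)
    return best is not None and best[1] > 0


def usable_signing_keys(body, content_type):
    """Return the RSA signature keys of a fetched JWK Set, rejecting bad input."""
    base = content_type.split(";")[0].strip().lower()
    if base not in ("application/jwk-set+json", "application/json"):
        raise ValueError("unexpected content type: " + base)
    doc = json.loads(body)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWK Set has no keys")
    usable = []
    for key in keys:
        if any(p in key for p in PRIVATE_PARAMS):
            raise ValueError("JWK Set exposes private key parameters")
        if (key.get("kty") == "RSA" and key.get("use", "sig") == "sig"
                and key.get("n") and key.get("e")):
            usable.append(key)
    if not usable:
        raise ValueError("no usable RSA signature key")
    return usable


# Constructed sample response body (placeholder modulus, not a real key).
SAMPLE_JWKS = json.dumps(
    {"keys": [{"kty": "RSA", "e": "AQAB", "use": "sig", "n": "c2FtcGxlLW1vZHVsdXM"}]}
)

if __name__ == "__main__":
    for header in (None, "application/json", "*/*", CLIENT_ACCEPT):
        print(repr(header), "->", acceptable(header))
    print(len(usable_signing_keys(SAMPLE_JWKS, "application/jwk-set+json;charset=UTF-8")))
```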
From: Sander A. <sa....@fz...> - 2023-04-26 09:55:19
|
Hi Krzysztof,
we have got an OIDC client which has some trouble in the integration. The used software eduMEET adds an "Accept: application/json" header to communication with jwk endpoint. Testing it with curl commands it seems that unity does not support this:

with Accept-Header:
% curl -i -H "Accept: application/json" 'https://login-dev.helmholtz.de/oauth2/jwk'
HTTP/1.1 400 Bad Request
Date: Tue, 25 Apr 2023 19:02:21 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 91

{"error_description":"Unexpected server error; Server engine error","error":"server_error"}

without Accept-Header:

% curl -i 'https://login-dev.helmholtz.de/oauth2/jwk'
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2023 19:02:43 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/jwk-set+json;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 396

{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"ni4t9tzJ8rjkw_FvIGdDI
_iiZC-
w2JthaNHcvN1B8tzGm2wdhp2f5ujlvI68Q2NMrzfF2aeS02nhs9PJ8FoBT53bRUJ9h5vFzQ
4X0cRT8s1A4Ya_Ejs2xbJbBitvs4GwtNId8PnJGqI_BpAZQ26IMXXWpaL46N4vnnCb2p8yb
uL-
HOhAjNQS2gOnQ5djxow4yjkYPgF3YaoQ8AI8CrE3KuOJInTdGl_E4pauV5Zc_My9ZiKPhmC
u4xTNuHrIJAuUWZl8xnHLoANJAV5iMVVrm9xEVC5P6JOjuRxrLG37iV2YitCnUDwBY84bNI
nZSKuQhVjc2qyfbguJ-HCD5U17fQ"}]}

Is this intended by you and do you have any idea of a workaround to integrate the software?

I didn't find something in the unity manual about this issue and it seems that the OIDC standard did not cover this in the token validation.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Krzysztof B. <kb...@un...> - 2023-04-24 11:02:42
|
On 21.04.2023 at 07:17, Sander Apweiler wrote:
> Good morning Krzysztof,
> ok I understood your update workflow. Because this is not the common
> way how services update the email addresses of the users it would be
> great if you can make a section in the manual about this.

Sure, no problem |
|
From: Sander A. <sa....@fz...> - 2023-04-21 07:13:31
|
Hi Krzysztof,
I tried it at the same time and got the user response a minute ago. Since all invitations had send and expiration date, I deleted all invitations and the user responded that upman is working again.

Best regards,
Sander

On Fri, 2023-04-21 at 09:09 +0200, Krzysztof Benedyczak wrote:
> Hi,
>
> On 21.04.2023 at 07:13, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good to hear that you identified the problem, even if you could not
> > reproduce it. Do you know a way how I could solve the problem, that
> > the user could further manage the project? E.g. deleting the
> > invitations from this project.
>
> So if the problem persists... it is better, as this is what I can
> explain :-)
>
> You can try to open invitations list from admin's console, and look
> for invitations which has no send time set (so were not sent, even once)
> and are inviting to the group of the upman project. Removing such
> invitation(s) will help.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Krzysztof B. <kb...@un...> - 2023-04-21 07:10:11
|
Hi,

On 21.04.2023 at 07:13, Sander Apweiler wrote:
> Good morning Krzysztof,
> good to hear that you identified the problem, even if you could not
> reproduce it. Do you know a way how I could solve the problem, that the
> user could further manage the project? E.g. deleting the invitations
> from this project.

So if the problem persists... it is better, as this is what I can explain :-)

You can try to open invitations list from admin's console, and look for invitations which has no send time set (so were not sent, even once) and are inviting to the group of the upman project. Removing such invitation(s) will help.

Best,
Krzysztof |
|
From: Sander A. <sa....@fz...> - 2023-04-21 05:17:22
|
Good morning Krzysztof,
ok I understood your update workflow. Because this is not the common way how services update the email addresses of the users it would be great if you can make a section in the manual about this. We will update our configuration and extend the documentation to our users.

Best regards,
Sander

On Thu, 2023-04-20 at 11:22 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.04.2023 at 11:45, Sander Apweiler wrote:
> > Hi Krzysztof,
> > we got the feedback that users were not able to update their email
> > addresses because they are not validated. We are running unity
> > 3.11.2. The attribute is verifiableEmail type and self modifiable.
> > The users are able to enter new email address but when they save them
> > the attached error is shown. I would assume that a new verification
> > email send.
>
> We don't support such flow, it is pretty risky. Suggested flow is as
> follows:
>
> 1. user adds *another* email, next to the existing one. Confirmation is
> sent.
> 2. user confirms the new email address
> 3. then user can delete the old one
>
> This flow ensures that user won't lock herself out, i.e. land in a
> situation w/o any valid email (what may be a problem in many cases:
> notifications, system consistency, credential reset). Surely if the
> flow described above shall be supported, attribute type needs to accept
> at least 2 values.
>
> We can make this more flexible (e.g. have this validation configurable,
> or more sophisticated, taking into account also email identities of
> the user), but that would need development.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Sander A. <sa....@fz...> - 2023-04-21 05:14:03
|
Good morning Krzysztof,
good to hear that you identified the problem, even if you could not reproduce it. Do you know a way how I could solve the problem, that the user could further manage the project? E.g. deleting the invitations from this project.

Best regards,
Sander

On Thu, 2023-04-20 at 11:10 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 19.04.2023 at 07:51, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > we have in one upman managed group the problem that a NullPointer
> > exception is raised if the user switched to invitations and tries to
> > create a new one. I added the stack trace. Sadly I didn't see anything
> > else in the log before, since we reduced the loglevel to see if the
> > system has an issue with IO, which we can eliminate as cause for slow
> > unity.
>
> Hm, on one hand I can't reproduce it on our side, but also the bug is
> clear: the grid with invitations will crash if at least one invitation
> has no "last sent time" set. That's a bug and we will fix it. I though
> don't know how this could happen in the flow you are describing: when
> user invites from upman, the invitation is sent automatically, and only
> after the grid is refreshed. I can think of some very unlikely
> situations only (two users are adding an invitation, one who is first
> hits create, the grid is refreshed and the invitation of the other user
> is created but not yet sent. Very unlikely, so perhaps there is some
> other situation in which this can happen...
>
> Anyway the bug is clear, as even an admin can create an invitation by
> hand, w/o sending it. Will be fixed in the next release.
>
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
|
From: Krzysztof B. <kb...@un...> - 2023-04-20 16:06:41
|
Hi Sander,

On 19.04.2023 at 07:51, Sander Apweiler wrote:
> Dear Krzysztof,
>
> we have in one upman managed group the problem that a NullPointer
> exception is raised if the user switched to invitations and tries to
> create a new one. I added the stack trace. Sadly I didn't see anything
> else in the log before, since we reduced the loglevel to see if the
> system has an issue with IO, which we can eliminate as cause for slow
> unity.

Hm, on one hand I can't reproduce it on our side, but also the bug is clear: the grid with invitations will crash if at least one invitation has no "last sent time" set. That's a bug and we will fix it. I though don't know how this could happen in the flow you are describing: when user invites from upman, the invitation is sent automatically, and only after the grid is refreshed. I can think of some very unlikely situations only (two users are adding an invitation, one who is first hits create, the grid is refreshed and the invitation of the other user is created but not yet sent. Very unlikely, so perhaps there is some other situation in which this can happen...

Anyway the bug is clear, as even an admin can create an invitation by hand, w/o sending it. Will be fixed in the next release.

Best,
Krzysztof |
|
From: Krzysztof B. <kb...@un...> - 2023-04-20 09:22:37
|
Hi Sander,

On 18.04.2023 at 11:45, Sander Apweiler wrote:
> Hi Krzysztof,
> we got the feedback that users were not able to update their email
> addresses because they are not validated. We are running unity 3.11.2.
> The attribute is verifiableEmail type and self modifiable. The users
> are able to enter new email address but when they save them the
> attached error is shown. I would assume that a new verification email
> send.

We don't support such flow, it is pretty risky. Suggested flow is as follows:

1. user adds *another* email, next to the existing one. Confirmation is sent.
2. user confirms the new email address
3. then user can delete the old one

This flow ensures that user won't lock herself out, i.e. land in a situation w/o any valid email (what may be a problem in many cases: notifications, system consistency, credential reset). Surely if the flow described above shall be supported, attribute type needs to accept at least 2 values.

We can make this more flexible (e.g. have this validation configurable, or more sophisticated, taking into account also email identities of the user), but that would need development.

Best,
Krzysztof |
|
From: Sander A. <sa....@fz...> - 2023-04-19 05:51:42
|
Dear Krzysztof,

we have in one upman managed group the problem that a NullPointer exception is raised if the user switched to invitations and tries to create a new one. I added the stack trace. Sadly I didn't see anything else in the log before, since we reduced the loglevel to see if the system has an issue with IO, which we can eliminate as cause for slow unity.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |