From: Krzysztof B. <kb...@un...> - 2021-08-30 09:00:45
Hi Sander,

On 23.08.2021 at 09:30, Krzysztof Benedyczak wrote:
> On 23.08.2021 at 07:29, Sander Apweiler wrote:
>> Good morning Krzysztof,
>> I'm not sure for all, but at least for some I know what they did:
>> - Browse to /home endpoint
>> - Select external IdP
>> - Authenticate at external IdP
>> - Got register pop-up
>> - Register account
>>
>> I guess, but I have no hints for it, that some other users went to SAML
>> or OAuth endpoint instead of userhome endpoint.
>
> OK, so that's the unknown remote user flow. We will re-check that for
> any regressions.

I've retested that scenario manually and it seems to block such situation as before. I.e. user who has no remote attribute, and this attribute is required in the form as a remote provided, can't even see the form.

Maybe you have hit some edge case here? Can you please check the exact data that came from the remote IdP (or more precisely - to what it was mapped by the input profile) and then compare it against form config?

Cheers,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-08-30 08:25:40
Dear Zoltan,

On 25.08.2021 at 15:34, ba...@aw... wrote:
> Dear Krzysztof,
>
>> One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).
> Could you please describe how to do this step-by-step? I'm afraid I do not speak the Unity language yet.
> Also, in my first email I linked screenshots of the whole configuration. Can you check whether the authenticator is linked to the correct credential?
> Perhaps you could point me to the relevant part in the documentation?

One of the screenshots you have shared shows that your OAuth clients are configured to authenticate with the *authenticator* called 'pwd'. Now this authenticator is defining how to check the client's credential.

In Authentication -> Facilities you will find the list of your authenticators. Locate entry 'pwd' there and check details. It should be an authenticator of type 'password' (i.e. checking passwords stored locally). And in its configuration there will be a password credential selected, which is used by this authenticator. Note it down.

Next check if your client (in Directory browser) has this particular password credential set.

Note that you can define multiple password credentials for your system (e.g. one for admins with high security requirements, one for ordinary users with lower requirements). Also Unity defines one on its own (used for the initial admin's password). So it is likely you have >1, and make sure the authenticator is using the correct one.

HTH,
Krzysztof

From: <ba...@aw...> - 2021-08-25 13:35:15
Dear Krzysztof,

> One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).

Could you please describe how to do this step-by-step? I'm afraid I do not speak the Unity language yet.
Also, in my first email I linked screenshots of the whole configuration. Can you check whether the authenticator is linked to the correct credential?
Perhaps you could point me to the relevant part in the documentation?

-----Original Message-----
From: Krzysztof Benedyczak <kb...@un...>
Sent: Tuesday, August 17, 2021 2:36 PM
To: Roman Krysiński <ro...@un...>; ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi,

On 17.08.2021 at 14:08, Roman Krysiński wrote:
> Hi Zoltan,
>
> > In the meantime, ideas about what could be possible misconfigured
> > and/or working configuration examples (both Unity and Jupyter side)
> > are welcomed.
> Note that I was not using Jupyter for my tests, I just configured
> unity according to your screenshots and used https://oauth.tools/
> for testing,
> Please check whether clientId and secret configured in
> jupyterhub_config.py are the same with those generated by Unity, or
> regenerate client credentials in Unity and update Jupyter config file.
>
> As an aside, I noticed that Jupyter under the hood is using Tornado as
> a networking library, consider enabling the Tornado lib logging to see
> more details in the Jupyter log:
> https://www.tornadoweb.org/en/stable/log.html.

One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).

You can also try to use command line tool as curl to make a request to the token endpoint in unity. Perhaps you won't be able to easily provide proper token, but at least you should be able to authenticate and get some OAuth-level error instead of an early authN error. This would confirm that correct credential is configured on Unity side.

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-08-23 08:00:56
Dear Subscribers,

Two news. First of all the release number 3.5.3 was skipped, due to problems with our build process. The next release after 3.5.2 is therefore v3.5.4. It was already made public, and contains two bug fixes in UpMan endpoint.

See https://www.unity-idm.eu/downloads/ for more details.

Best regards,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-08-23 07:32:29
Hi Krzysztof,

thanks for the swift reply. I already did this for a quick workaround. So now it is the solution ;)

Cheers,
Sander

On Mon, 2021-08-23 at 09:25 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 23.08.2021 at 07:36, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > end of last week we tested the emails to administrators about new
> > filled enquiries in the group membership update enquiry. We
> > encountered, that the email was sent to all users from the group
> > and not only to users with some administrative role. Of course there is
> > no administrator/admin role in unity but a set of roles with
> > administrative roles (System manager, Contents manager, Manager,
> > projectsAdmin).
> >
> > Is it intended that the email is sent to all users in the entered
> > group and not only to users with an administrative role?
> >
> Yes, it is by design. It may be the case that user w/o any special
> rights should get emails (e.g. an unity entity representing some
> mailing list address).
>
> So the best is to have a dedicated group with people to be notified.
>
> Cheers,
> Krzysztof
>

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Dr. Astrid Lambrecht,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------

From: Krzysztof B. <kb...@un...> - 2021-08-23 07:30:19
On 23.08.2021 at 07:29, Sander Apweiler wrote:
> Good morning Krzysztof,
> I'm not sure for all, but at least for some I know what they did:
> - Browse to /home endpoint
> - Select external IdP
> - Authenticate at external IdP
> - Got register pop-up
> - Register account
>
> I guess, but I have no hints for it, that some other users went to SAML
> or OAuth endpoint instead of userhome endpoint.

OK, so that's the unknown remote user flow. We will re-check that for any regressions.

Thanks,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-08-23 07:25:18
Hi Sander,

On 23.08.2021 at 07:36, Sander Apweiler wrote:
> Good morning Krzysztof,
> end of last week we tested the emails to administrators about new
> filled enquiries in the group membership update enquiry. We
> encountered, that the email was sent to all users from the group and
> not only to users with some administrative role. Of course there is no
> administrator/admin role in unity but a set of roles with administrative
> roles (System manager, Contents manager, Manager, projectsAdmin).
>
> Is it intended that the email is sent to all users in the entered group
> and not only to users with an administrative role?
>

Yes, it is by design. It may be the case that user w/o any special rights should get emails (e.g. an unity entity representing some mailing list address).

So the best is to have a dedicated group with people to be notified.

Cheers,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-08-23 05:36:21
Good morning Krzysztof,

end of last week we tested the emails to administrators about new filled enquiries in the group membership update enquiry. We encountered, that the email was sent to all users from the group and not only to users with some administrative role. Of course there is no administrator/admin role in unity but a set of roles with administrative roles (System manager, Contents manager, Manager, projectsAdmin).

Is it intended that the email is sent to all users in the entered group and not only to users with an administrative role?

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2021-08-23 05:29:41
Good morning Krzysztof,

I'm not sure for all, but at least for some I know what they did:
- Browse to /home endpoint
- Select external IdP
- Authenticate at external IdP
- Got register pop-up
- Register account

I guess, but I have no hints for it, that some other users went to SAML or OAuth endpoint instead of userhome endpoint.

Cheers,
Sander

On Fri, 2021-08-20 at 14:50 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.08.2021 at 14:07, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > sorry for bothering you again, but we encountered another problem.
> > In registration forms we have some mandatory attributes, which must
> > provided by the remote IdP (config in screenshot). Is it intended,
> > that the registration is successful, although mandatory attributes are
> > missing? If I remember correctly in past this was not the case.
> >
> AFAIR nothing has changed wrt that, so your assumption looks correct.
> We verify that.
>
> Can you please write in what flow this form is used? I.e. by
> invitation, shown to unknown remote users, users enter it using
> well-known link, ...?
>
> Thanks,
> Krzysztof
>

From: Krzysztof B. <kb...@un...> - 2021-08-20 12:50:46
Hi Sander,

On 20.08.2021 at 14:07, Sander Apweiler wrote:
> Hi Krzysztof,
>
> sorry for bothering you again, but we encountered another problem. In
> registration forms we have some mandatory attributes, which must
> provided by the remote IdP (config in screenshot). Is it intended, that
> the registration is successful, although mandatory attributes are
> missing? If I remember correctly in past this was not the case.
>

AFAIR nothing has changed wrt that, so your assumption looks correct. We verify that.

Can you please write in what flow this form is used? I.e. by invitation, shown to unknown remote users, users enter it using well-known link, ...?

Thanks,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-08-20 12:49:27
On 19.08.2021 at 12:40, Sander Apweiler wrote:
> We don't run any groovy scripts or API calls here.
>
> I will write down when I make online changes and check after reboots if
> they are still in place. When I can limit the time frame where it
> happens, I let you know.
>
> But at least the loss of attribute classes information happened more
> than once.

Sounds reasonable - we need at least some rough hint on when this could be triggered.

Cheers,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-08-20 12:07:56
Hi Krzysztof,

sorry for bothering you again, but we encountered another problem. In registration forms we have some mandatory attributes, which must provided by the remote IdP (config in screenshot). Is it intended, that the registration is successful, although mandatory attributes are missing? If I remember correctly in past this was not the case.

Cheers,
Sander

From: Sander A. <sa....@fz...> - 2021-08-19 10:41:09
Hi Krzysztof,

On Thu, 2021-08-19 at 12:28 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 19.08.2021 at 08:32, Sander Apweiler wrote:
> > Good morning Krzysztof, all,
> >
> > we encountered a problem with configuration loss after restarts. We
> > are using the configuration files everywhere where it is possible
> > because we are using puppet as configuration management service.
> >
> > The configuration loss we encountered is e.g.
> > - attached attribute classes
> > - attribute statements
> >
> > If there is a large timeframe between changes and restart, they are
> > kept. So it is difficult to reproduce this problem.
>
> That sounds as a very serious problem, however doesn't ring any bell.
> Attribute classes and statements as attached to groups can be only
> stored to and loaded from DB. So I don't think that configuration
> files matter here. There is also no write-cache that could trigger such
> situation. I would be less confident in case of objects that are
> stored in DB but can be also reloaded from config files, but that's not
> the case here.
>
> I'd investigate whether perhaps you have some DB migration policy
> which loses some data written recently?

I don't think so. We use a local mariadb instance only for unity with nightly db dumps as backup.

> Or maybe some of the data (e.g.
> groups) are re-initialized on each restart with either groovy script
> or via REST? In such case bugs in such automation may overwrite what is
> in DB.

We don't run any groovy scripts or API calls here.

I will write down when I make online changes and check after reboots if they are still in place. When I can limit the time frame where it happens, I let you know.

But at least the loss of attribute classes information happened more than once.

Cheers,
Sander

>
> HTH,
> Krzysztof
>

From: Krzysztof B. <kb...@un...> - 2021-08-19 10:28:20
Hi Sander,

On 19.08.2021 at 08:32, Sander Apweiler wrote:
> Good morning Krzysztof, all,
>
> we encountered a problem with configuration loss after restarts. We are
> using the configuration files everywhere where it is possible because
> we are using puppet as configuration management service.
>
> The configuration loss we encountered is e.g.
> - attached attribute classes
> - attribute statements
>
> If there is a large timeframe between changes and restart, they are
> kept. So it is difficult to reproduce this problem.

That sounds as a very serious problem, however doesn't ring any bell. Attribute classes and statements as attached to groups can be only stored to and loaded from DB. So I don't think that configuration files matter here. There is also no write-cache that could trigger such situation. I would be less confident in case of objects that are stored in DB but can be also reloaded from config files, but that's not the case here.

I'd investigate whether perhaps you have some DB migration policy which loses some data written recently? Or maybe some of the data (e.g. groups) are re-initialized on each restart with either groovy script or via REST? In such case bugs in such automation may overwrite what is in DB.

HTH,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-08-19 06:32:22
Good morning Krzysztof, all,

we encountered a problem with configuration loss after restarts. We are using the configuration files everywhere where it is possible because we are using puppet as configuration management service.

The configuration loss we encountered is e.g.
- attached attribute classes
- attribute statements

If there is a large timeframe between changes and restart, they are kept. So it is difficult to reproduce this problem.

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2021-08-18 07:50:35
Hi Krzysztof,

On Wed, 2021-08-18 at 09:44 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.08.2021 at 08:44, Sander Apweiler wrote:
> > Good morning all,
> > we are stuck in another problem. The users are not added to the group.
> > The problem here is the missing addToGroup statement in the automation
> > tab.
> > But is there also an action to self removal from the group?
>
> Let me first confirm I understand your scenario. So you are trying to
> setup an enquiry, visible in user's home endpoint, where users can
> either join or leave some groups?
>
> If that's the case then first of all I'm not sure if you need
> addToGroup in automation. The groups should be updated automatically
> after the enquiry request is accepted. So maybe you just need one
> automation action to auto-accept the enquiry? Without that each enquiry
> needs to be manually accepted by an admin.

In this case it is wanted that the admin validates the requests. The admin is just too lazy for collecting the email addresses and send invitations.

>
> The second part is about leaving. As of now Unity doesn't support via
> the enquiry form leaving groups (as well as removing attributes or
> dropping identities or credentials). This would be a new feature that
> we would need to design first. Perhaps would need a "sync" mode for a
> multi-selectable group. I.e. in such 'sync' mode unity would take all
> groups matching a group wildcard, and add/remove membership in those
> groups to match the selected ones.

Ok. Also fine that it is not possible. Most important is the join request via enquiry.

Cheers,
Sander

>
> Cheers,
> Krzysztof
>

From: Krzysztof B. <kb...@un...> - 2021-08-18 07:44:54
Hi Sander,

On 18.08.2021 at 08:44, Sander Apweiler wrote:
> Good morning all,
> we are stuck in another problem. The users are not added to the group. The
> problem here is the missing addToGroup statement in the automation tab.
> But is there also an action to self removal from the group?

Let me first confirm I understand your scenario. So you are trying to setup an enquiry, visible in user's home endpoint, where users can either join or leave some groups?

If that's the case then first of all I'm not sure if you need addToGroup in automation. The groups should be updated automatically after the enquiry request is accepted. So maybe you just need one automation action to auto-accept the enquiry? Without that each enquiry needs to be manually accepted by an admin.

The second part is about leaving. As of now Unity doesn't support via the enquiry form leaving groups (as well as removing attributes or dropping identities or credentials). This would be a new feature that we would need to design first. Perhaps would need a "sync" mode for a multi-selectable group. I.e. in such 'sync' mode unity would take all groups matching a group wildcard, and add/remove membership in those groups to match the selected ones.

Cheers,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-08-18 06:45:00
Good morning all,

we are stuck in another problem. The users are not added to the group. The problem here is the missing addToGroup statement in the automation tab.
But is there also an action to self removal from the group?

Cheers,
Sander

On Tue, 2021-08-10 at 09:29 +0200, Sander Apweiler wrote:
> Hi Piotr,
> this was the missing action. Thanks for the hint.
>
> Cheers,
> Sander
>
> On Tue, 2021-08-10 at 09:24 +0200, Piotr Piernik wrote:
> > Hi Sander
> > This form should be added to "Enabled enquiry forms" in home
> > service/endpoint configuration.
> > Could you please check this before we start investigate problem?
> > Cheers
> > Piotr
> >
> > On 10.08.2021 at 08:46, Sander Apweiler wrote:
> >
> > > Good morning Krzysztof,
> > > In past I set up groups with join requests from user in the
> > > account updated tab in userhome. If I remember correctly the
> > > MembershipUpdateEnquiry is used for this. I created now such an
> > > enquiry using the wizard (not adopted), but the account update tab is
> > > not visible in userhome. I did not disable this wie disable
> > > Components parameter. Did I miss something else?
> > >
> > > Cheers,
> > > Sander
> > >
> > > _______________________________________________
> > > Unity-idm-discuss mailing list
> > > Uni...@li...
> > > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
> > _______________________________________________
> > Unity-idm-discuss mailing list
> > Uni...@li...
> > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>

From: Krzysztof B. <kb...@un...> - 2021-08-17 12:35:46
Hi,

On 17.08.2021 at 14:08, Roman Krysiński wrote:
> Hi Zoltan,
>
> > In the meantime, ideas about what could be possible misconfigured
> > and/or working configuration examples (both Unity and Jupyter side)
> > are welcomed.
> Note that I was not using Jupyter for my tests, I just configured
> unity according to your screenshots and used https://oauth.tools/
> for testing,
> Please check whether clientId and secret configured in
> jupyterhub_config.py are the same with those generated by Unity, or
> regenerate client credentials in Unity and update Jupyter config file.
>
> As an aside, I noticed that Jupyter under the hood is using Tornado as
> a networking library, consider enabling the Tornado lib logging to see
> more details in the Jupyter log:
> https://www.tornadoweb.org/en/stable/log.html.
>

One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).

You can also try to use command line tool as curl to make a request to the token endpoint in unity. Perhaps you won't be able to easily provide proper token, but at least you should be able to authenticate and get some OAuth-level error instead of an early authN error. This would confirm that correct credential is configured on Unity side.

Best,
Krzysztof

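The curl check suggested in the message above, written out as an added example that is not part of the original thread or of the Unity project: it posts a deliberately invalid authorization code to the token endpoint using the client's credentials and classifies the reply as an early authentication failure or an OAuth-level error (RFC 6749 section 5.2 error codes). The function names, the `CLIENT_SECRET` environment variable and the placeholder code value are assumptions; the endpoint URL and client id are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): probe an OAuth token endpoint and
# tell an early authentication failure apart from an OAuth-level error.
#
# Usage: CLIENT_SECRET=... sh probe.sh <token-endpoint-url> <client-id>

# classify_token_response STATUS BODY
# Prints one of: token_issued, oauth_error:<code>, authn_failed, unknown
classify_token_response() {
    status=$1
    body=$2
    # Extract the "error" member of a JSON error body, if present.
    err=$(printf '%s' "$body" |
        sed -n 's/.*"error"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1)

    case "$status" in
        200) echo token_issued; return 0 ;;
    esac

    case "$err" in
        invalid_client)
            # The OAuth layer itself rejected the client credentials.
            echo authn_failed ;;
        invalid_request|invalid_grant|unauthorized_client|unsupported_grant_type|invalid_scope)
            # The client was authenticated; only the bogus grant was refused.
            echo "oauth_error:$err" ;;
        *)
            case "$status" in
                # Rejected before any OAuth processing took place.
                401|403) echo authn_failed ;;
                *) echo unknown ;;
            esac ;;
    esac
}

# probe_token_endpoint URL CLIENT_ID
# Sends HTTP Basic client authentication plus a placeholder code.
probe_token_endpoint() {
    url=$1
    client_id=$2
    if [ -z "${CLIENT_SECRET:-}" ]; then
        echo "set CLIENT_SECRET in the environment" >&2
        return 2
    fi
    out=$(mktemp) || return 1
    # Credentials go to curl through a config read from stdin (-K -), so the
    # secret does not show up in the process list. Assumes the secret has no
    # double quotes or backslashes.
    status=$(printf 'user = "%s:%s"\n' "$client_id" "$CLIENT_SECRET" |
        curl -sS -K - -o "$out" -w '%{http_code}' \
            --data-urlencode 'grant_type=authorization_code' \
            --data-urlencode 'code=placeholder-not-a-real-code' \
            "$url")
    body=$(cat "$out")
    rm -f "$out"
    classify_token_response "$status" "$body"
}

# Run the probe only when called with a URL and a client id.
if [ "$#" -eq 2 ]; then
    probe_token_endpoint "$1" "$2"
fi
```

A result of `oauth_error:invalid_grant` means the authenticator accepted the client's password and only the placeholder code was refused; `authn_failed` points back at the authenticator-to-credential link discussed above.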
From: Roman K. <ro...@un...> - 2021-08-17 12:09:23
|
Hi Zoltan, > In the meantime, ideas about what could be possible misconfigured and/or working configuration examples (both Unity and Jupyter side) are welcomed. Note that I was not using Jupyter for my tests, I just configured unity according to your screenshots and used https://oauth.tools/ for testing, Please check whether clientId and secret configured in jupyterhub_config.py are the same with those generated by Unity, or regenerate client credentials in Unity and update Jupyter config file. As an aside, I noticed that Jupyter under the hood is using Tornado as a networking library, consider enabling the Tornado lib logging to see more details in the Jupyter log: https://www.tornadoweb.org/en/stable/log.html. Best regards, Roman pt., 13 sie 2021 o 21:57 <ba...@aw...> napisał(a): > Hi Roman, > > > > > Can you confirm if this is true, meaning JupyterHub queries the token > endpoint with base authentication with client id and client secret > credentials? > > I cannot confirm this. Unity operates over SSL, I cannot look into the > actual data stream between Unity and Jupyter hub so I don’t know what’s > going on under the hood. > > I suppose there is no option in Unity for logging HTTP requests (together > with the content). > > > > All I can confirm is that the “c.GenericOAuthenticator.client_id” and > “c.GenericOAuthenticator.client_secret” properties are set in > jupyterhub_config.py and their value is correct. > > Since at this point, I could not decide whether the Jupyterhub – > GenericOAuthenticator plugin or Unity does not work as it should, I set up > a Keycloak instance and checked if Jupyterhub can authenticate against it > with the same plugin. It worked. > > > > Next week I’ll try to put a HTTP proxy between Unity and Jupyterhub so > that I can sniff the communication between them. > > In the meantime, ideas about what could be possible misconfigured and/or > working configuration examples (both Unity and Jupyter side) are welcomed. 
> > > > Br, > > Zoltan > > > > *From:* Roman Krysiński <ro...@un...> > *Sent:* Friday, August 13, 2021 6:03 PM > *To:* ba...@aw... > *Cc:* Unity ML <uni...@li...> > *Subject:* *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - > Jupyter hub Invalid user name, credential or external authentication failed > > > > HI Zoltan, > > > > Thank you very much, that was helpful. > > > > > Does that mean my configuration posted in my first email looks fine? > > I haven't spottent problem in the Unity configuration at first glance. > > > > Looking at the JupyterHub however I noticed this: > > > 403 POST https://idp.my-domain.io:2443/oauth-token/token: > > Token endpoint is protected and all requests require proper authorization. > > Can you confirm if this is true, meaning JupyterHub queries the token > endpoint with base authentication with client id and client secret > credentials? > > > > Thank you, > > Roman > > > > > > pt., 13 sie 2021 o 16:18 <ba...@aw...> napisał(a): > > Hi Roman, > > > > Many thanks for looking into it. > > > > >Just check the scenario manually on my local environment for the version > you are using, but I was not able to reproduce the problem. > Does that mean my configuration posted in my first email looks fine? 
>
> > please enable the logging for the rest subsystem to the trace level
>
> Unity logs:
> =========
>
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2 authorization endpoint
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request processing
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request to protected address, with OAuth2 input, will be processed: /oauth/oauth2-authz
> 2021-08-13T12:37:16,123 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Parsed OAuth request: response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid
> 2021-08-13T12:37:16,134 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request with OAuth input handled successfully
> 2021-08-13T12:37:16,170 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
> 2021-08-13T12:37:16,219 [qtp620381176-36] TRACE unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth request, forwarding to consent UI
> 2021-08-13T12:37:16,328 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
> 2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile Embedded]] Unprocessed data from local database:
> Entity 49:
> - [userName] bakcsa
> - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm
> - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm
> - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm
> Attributes:
> - sys:LastAuthentication: [2021-08-13T12:10:25]
> - firstname: [Zoltan]
> - surname: [Bakcsa]
> - name: [Zoltan Bakcsa]
> - sys:AuthorizationRole: [System Manager]
> - sys:CredentialRequirements: [Password requirement]
> - email: [{"value":ba...@aw...,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}]
> - sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}]
> In group: /
> Groups: [/moderators, /]
> Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30
> Requester attributes:
> - sys:oauth:clientType: [CONFIDENTIAL]
> - sys:oauth:allowedReturnURI: [https://www.my-domain.io/jupyter/hub/oauth_callback]
> - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, openidHybrid]
> - sys:oauth:clientName: [Jupyter hub login]
> Protocol: OAuth2:authorizationCode
> 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationRule:[[TrProfile Embedded], [r: 1]] Condition OK
> 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG unity.server.externaltranslation.CreateAttributeAction:[[TrProfile Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] Created a new attribute: userName: [bakcsa] with meta [userName, userName, false]
> 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result:
> TranslationResult:
> attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], sys:CredentialRequirements: [Password requirement] with meta [sys:CredentialRequirements, Defines which credential requirements are set for the owner, false], email: [{"value":ba...@aw...,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] with meta [E-mail address, E-mail address, false], sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] with meta [sys:Preferences, Preferences of the user, false], surname: [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] with meta [sys:LastAuthentication, Stores date and time of the last successful authentication. The format is ISO time in UTC time zone with seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] with meta [Authorization role, Defines what operations are allowed for the bearer. The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles:
> <b>System Manager</b> - System manager with all privileges.
> <b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes.
> <b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible
> <b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications are possible
> <b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing self managed attributes, identities and passwords
> <b>Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves
> , false]]
> identities=[[userName] bakcsa, [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm]
> attributesToPersist=[]
> identitiesToPersist=[]
> redirectURL=null
> 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/
> 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/
> 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/
> 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
> 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
> 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
> 2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
> 2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG unity.server.rest.AuthenticationInterceptor:
Authentication set failed to authenticate the client using flow pwd, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
> 2021-08-13T12:37:25,380 [qtp620381176-29] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
> Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
> 2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG unity.server.rest.EngineExceptionMapper: Access denied for rest client
> pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
>
> Jupyter-hub logs:
> ==============
>
> swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms
> swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f (@::ffff:10.0.0.2) 1.32ms
> swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback'
> swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1}
> swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid (@::ffff:10.0.0.2) 1.87ms
> swarm-1
| [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error > fetching access token 403 POST > https://idp.my-domain.io:2443/oauth-token/token: { > > swarm-1 | "error": "AuthenticationException", > > swarm-1 | "message": "Invalid user name, credential or external > authentication failed. " > > swarm-1 | } > > swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught > exception GET > /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D > (::ffff:10.0.0.2) > > swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', > method='GET', > uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', > version='HTTP/1.1', remote_ip='::ffff:10.0.0.2') > > swarm-1 | Traceback (most recent call last): > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in > _execute > > swarm-1 | result = await result > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 231, in get > > swarm-1 | user = await self.login_user() > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line > 754, in login_user > > swarm-1 | authenticated = await self.authenticate(data) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in > get_authenticated_user > > swarm-1 | authenticated = await > maybe_future(self.authenticate(handler, data)) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line > 169, in authenticate > > swarm-1 | token_resp_json = await self._get_token(headers, > params) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 390, in fetch > > swarm-1 | raise e > > swarm-1 | 
File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 369, in fetch > > swarm-1 | resp = await self.http_client.fetch(req, **kwargs) > > swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden > > swarm-1 | > > swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template > for 500 > > swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] { > > swarm-1 | "X-Forwarded-Proto": "http", > > swarm-1 | "X-Forwarded-Port": "80", > > swarm-1 | "Connection": "close", > > swarm-1 | "X-Forwarded-Server": "my-domain.io", > > swarm-1 | "X-Forwarded-Host": "my-domain.io", > > swarm-1 | "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2", > > swarm-1 | "Cookie": > "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; > jupyterhub-session-id=[secret]; _xsrf=[secret]; > oauthenticator-state=[secret]", > > swarm-1 | "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7", > > swarm-1 | "Accept-Encoding": "gzip, deflate, br", > > swarm-1 | "Referer": https://idp.my-domain.io:2443/, > > swarm-1 | "Sec-Ch-Ua-Mobile": "?0", > > swarm-1 | "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not > A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"", > > swarm-1 | "Sec-Fetch-Dest": "document", > > swarm-1 | "Sec-Fetch-User": "?1", > > swarm-1 | "Sec-Fetch-Mode": "navigate", > > swarm-1 | "Sec-Fetch-Site": "same-site", > > swarm-1 | "Accept": > "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", > > swarm-1 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; > x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 > Safari/537.36 Edg/92.0.902.73", > > swarm-1 | "Upgrade-Insecure-Requests": "1", > > swarm-1 | "Cache-Control": "max-age=0", > > swarm-1 | "Host": "my-domain.io" > > swarm-1 | } > > swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET > /jupyter/hub/oauth_callback?code=[secret]&state=[secret] 
(@::ffff:10.0.0.2) > 72.98ms
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Friday, August 13, 2021 11:54 AM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> Just checked the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.
>
> In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from the unity.
>
> To enable trace logging for rest, make sure to have the following in log4j2.xml file
>
> <Logger name="unity.server.rest" level="TRACE"/>
>
> Also if you could enable the trace logging for Jupyter and provide output that would be helpful. One thing which is puzzling me is why the oauth client queries the revocation endpoint after login?
>
> Thank you,
> Roman
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Thursday, August 12, 2021 12:02 PM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> This is to let you know that we are working on this, and we will let you know after investigation.
>
> Thanks for reaching out to the community.
> Roman
>
> On Wed, 11 Aug 2021 at 17:34, <ba...@aw...> wrote:
>
> Dear Unity community,
>
> I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.
>
> Unity version:
> 3.2.3
>
> Relevant configuration:
> Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
> Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
> Jupyter-hub-client: https://snipboard.io/6olp81.jpg
>
> Relevant part of jupyterhub_config.py:
>
> c.GenericOAuthenticator.client_id="removed "
> c.GenericOAuthenticator.client_secret="removed"
> c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
> c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
> c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
> c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
> c.GenericOAuthenticator.username_key="userName"
> #c.GenericOAuthenticator.userdata_params.state="state"
> c.GenericOAuthenticator.userdata_params = {'state': 'state'}
> c.GenericOAuthenticator.scope = ['profile','openid']
>
> I’ve double checked the client_id and secret many times, I’m pretty sure they are correct.
>
> What happens:
>
> 1. Go to https://mydomain.io/jupyter/
> 2. Click on “Sign in with OAuth 2.0” button
> 3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
> 4. Login with my username/password
> 5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
> 6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”.
>
> Checking unity logs I see the following warning:
>
> WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>
> (Full stack trace at the end of the email.)
> > > > This message does not tell much to me, all credentials are correct that I > configured. > > Could someone help me out? Did I misconfigure something? > > > > Cheers, > > Zoltan Bakcsa > > > > > > 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { > http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown > exception, unwinding now > > org.apache.cxf.interceptor.Fault: Invalid user name, credential or > external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > ... 56 more > > _______________________________________________ > Unity-idm-discuss mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss > > |
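Whether a token request carries the client ID and secret as HTTP Basic credentials, and whether they are the configured ones, can be checked offline once the request has been captured (for example at a debugging proxy). The sketch below is an added example, not code from Unity, JupyterHub or anyone in this thread; the function names and all sample values are constructed for illustration.

```python
"""Check which client credentials a captured OAuth2 token request carries."""
from __future__ import annotations

import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus

OK = "match"
WHITESPACE = "differs only by leading/trailing whitespace"
FORM_ENCODED = "sent form-urlencoded (RFC 6749 section 2.3.1) but configured raw"
MISMATCH = "does not match the configured value"


def build_basic(client_id: str, client_secret: str, form_encode: bool = False) -> str:
    """Authorization header value for client_secret_basic.

    RFC 6749 section 2.3.1 asks clients to form-urlencode both parts before
    base64 encoding; not every client does, so both variants are modelled.
    """
    if form_encode:
        client_id, client_secret = quote_plus(client_id), quote_plus(client_secret)
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header_value: str) -> tuple[str, str]:
    """Return (client_id, client_secret) from a Basic header, or raise ValueError."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic credential")
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("no ':' separator in decoded credential")
    return user, password


def client_auth_method(headers: dict[str, str], form_body: str) -> str:
    """Classify how a captured token request authenticates the client."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if auth.lower().startswith("basic "):
        return "client_secret_basic"
    if "client_secret" in parse_qs(form_body, keep_blank_values=True):
        return "client_secret_post"
    return "none"


def compare(sent: str, configured: str) -> str:
    """Describe how a sent value relates to the configured one, without echoing it."""
    if sent == configured:
        return OK
    if sent.strip() == configured.strip():
        return WHITESPACE
    if unquote_plus(sent) == configured:
        return FORM_ENCODED
    return MISMATCH


def diagnose(header_value: str, client_id: str, client_secret: str) -> dict[str, str]:
    """Compare a captured Basic header with the configured client credentials."""
    try:
        sent_id, sent_secret = parse_basic(header_value)
    except ValueError as exc:
        return {"header": f"malformed: {exc}"}
    return {
        "client_id": compare(sent_id, client_id),
        "client_secret": compare(sent_secret, client_secret),
    }


# Constructed sample values; none of them come from the thread.
SAMPLE_ID = "jupyter-hub-client"
SAMPLE_SECRET = "p@ss word/1"
SAMPLE_BODY = (
    "grant_type=authorization_code&code=CONSTRUCTED"
    "&redirect_uri=https%3A%2F%2Fhub.example%2Fhub%2Foauth_callback"
)

if __name__ == "__main__":
    # A client whose configured ID carries a stray trailing space.
    captured = {"Authorization": build_basic(SAMPLE_ID + " ", SAMPLE_SECRET)}
    print(client_auth_method(captured, SAMPLE_BODY))
    print(diagnose(captured["Authorization"], SAMPLE_ID, SAMPLE_SECRET))
```

The report states only how each value differs, so it can be pasted into a ticket or mailing list without exposing the secret.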
From: <ba...@aw...> - 2021-08-13 19:57:56
|
Hi Roman,

> Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?

I cannot confirm this. Unity operates over SSL, I cannot look into the actual data stream between Unity and Jupyter hub so I don’t know what’s going on under the hood. I suppose there is no option in Unity for logging HTTP requests (together with the content).

All I can confirm is that the “c.GenericOAuthenticator.client_id” and “c.GenericOAuthenticator.client_secret” properties are set in jupyterhub_config.py and their value is correct.

Since at this point, I could not decide whether the Jupyterhub – GenericOAuthenticator plugin or Unity does not work as it should, I set up a Keycloak instance and checked if Jupyterhub can authenticate against it with the same plugin. It worked.

Next week I’ll try to put an HTTP proxy between Unity and Jupyterhub so that I can sniff the communication between them.

In the meantime, ideas about what could be possibly misconfigured and/or working configuration examples (both Unity and Jupyter side) are welcome.

Br,
Zoltan

From: Roman Krysiński <ro...@un...>
Sent: Friday, August 13, 2021 6:03 PM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

Thank you very much, that was helpful.

> Does that mean my configuration posted in my first email looks fine?

I haven't spotted a problem in the Unity configuration at first glance. Looking at the JupyterHub however I noticed this:

> 403 POST https://idp.my-domain.io:2443/oauth-token/token:

Token endpoint is protected and all requests require proper authorization. Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?

Thank you,
Roman

On Fri, 13 Aug 2021 at 16:18, <ba...@aw...> wrote:

Hi Roman,

Many thanks for looking into it.

> Just checked the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

Does that mean my configuration posted in my first email looks fine?

> please enable the logging for the rest subsystem to the trace level

Unity logs:
=========
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2 authorization endpoint
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request processing
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request to protected address, with OAuth2 input, will be processed: /oauth/oauth2-authz
2021-08-13T12:37:16,123 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Parsed OAuth request: response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid
2021-08-13T12:37:16,134 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request with OAuth input handled successfully
2021-08-13T12:37:16,170 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:16,219 [qtp620381176-36] TRACE unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth request, forwarding to consent UI
2021-08-13T12:37:16,328 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile
Embedded]] Unprocessed data from local database: Entity 49: - [userName] bakcsa - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm Attributes: - sys:LastAuthentication: [2021-08-13T12:10:25] - firstname: [Zoltan] - surname: [Bakcsa] - name: [Zoltan Bakcsa] - sys:AuthorizationRole: [System Manager] - sys:CredentialRequirements: [Password requirement] - email: [{"value":ba...@aw... <mailto:ba...@aw...> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] - sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] In group: / Groups: [/moderators, /] 
Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30 Requester attributes: - sys:oauth:clientType: [CONFIDENTIAL] - sys:oauth:allowedReturnURI: [https://www.my-domain.io/jupyter/hub/oauth_callback] - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, openidHybrid] - sys:oauth:clientName: [Jupyter hub login] Protocol: OAuth2:authorizationCode 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationRule:[[TrProfile Embedded], [r: 1]] Condition OK 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG unity.server.externaltranslation.CreateAttributeAction:[[TrProfile Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] Created a new attribute: userName: [bakcsa] with meta [userName, userName, false] 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result: TranslationResult: attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], sys:CredentialRequirements: [Password requirement] with meta [sys:CredentialRequirements, Defines which credential requirements are set for the owner, false], email: [{"value":ba...@aw... 
<mailto:ba...@aw...> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] with meta [E-mail address, E-mail address, false], sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] with meta [sys:Preferences, Preferences of the user, false], surname: [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] with meta [sys:LastAuthentication, Stores date and time of the last successful authentication. The format is ISO time in UTC time zone with seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] with meta [Authorization role, Defines what operations are allowed for the bearer. 
The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles: <b>System Manager</b> - System manager with all privileges. <b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes. <b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible <b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications are possible <b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing self managed attributes, identities and passwords <b>Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves , false]] identities=[[userName] bakcsa, [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm] attributesToPersist=[] identitiesToPersist=[] redirectURL=null 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth 
post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow pwd, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2021-08-13T12:37:25,380 [qtp620381176-29] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) 
~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) 
[jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at java.lang.Thread.run(Thread.java:829) [?:?] Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] ... 56 more 2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG unity.server.rest.EngineExceptionMapper: Access denied for rest client pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. 
at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] 
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at java.lang.Thread.run(Thread.java:829) [?:?]

Jupyter-hub logs:
==============

swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms
swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f (@::ffff:10.0.0.2) 1.32ms
swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback'
swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1}
swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid (@::ffff:10.0.0.2) 1.87ms
swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error fetching access token 403 POST https://idp.my-domain.io:2443/oauth-token/token: {
swarm-1 |   "error": "AuthenticationException",
swarm-1 |   "message": "Invalid user name, credential or external authentication failed. "
swarm-1 | }
swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught exception GET /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D (::ffff:10.0.0.2)
swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', method='GET', uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', version='HTTP/1.1', remote_ip='::ffff:10.0.0.2')
swarm-1 | Traceback (most recent call last):
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
swarm-1 |     result = await result
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 231, in get
swarm-1 |     user = await self.login_user()
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
swarm-1 |     authenticated = await self.authenticate(data)
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
swarm-1 |     authenticated = await maybe_future(self.authenticate(handler, data))
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 169, in authenticate
swarm-1 |     token_resp_json = await self._get_token(headers, params)
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 390, in fetch
swarm-1 |     raise e
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 369, in fetch
swarm-1 |     resp = await self.http_client.fetch(req, **kwargs)
swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden
swarm-1 |
swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template for 500
swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] {
swarm-1 |   "X-Forwarded-Proto": "http",
swarm-1 |   "X-Forwarded-Port": "80",
swarm-1 |   "Connection": "close",
swarm-1 |   "X-Forwarded-Server": "my-domain.io",
swarm-1 |   "X-Forwarded-Host": "my-domain.io",
swarm-1 |   "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2",
swarm-1 |   "Cookie": "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; jupyterhub-session-id=[secret]; _xsrf=[secret]; oauthenticator-state=[secret]",
swarm-1 |   "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7",
swarm-1 |   "Accept-Encoding": "gzip, deflate, br",
swarm-1 |   "Referer": https://idp.my-domain.io:2443/,
swarm-1 |   "Sec-Ch-Ua-Mobile": "?0",
swarm-1 |   "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"",
swarm-1 |   "Sec-Fetch-Dest": "document",
swarm-1 |   "Sec-Fetch-User": "?1",
swarm-1 |   "Sec-Fetch-Mode": "navigate",
swarm-1 |   "Sec-Fetch-Site": "same-site",
swarm-1 |   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
swarm-1 |   "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73",
swarm-1 |   "Upgrade-Insecure-Requests": "1",
swarm-1 |   "Cache-Control": "max-age=0",
swarm-1 |   "Host": "my-domain.io"
swarm-1 | }
swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET /jupyter/hub/oauth_callback?code=[secret]&state=[secret] (@::ffff:10.0.0.2) 72.98ms

From: Roman Krysiński <ro...@un...>
Sent: Friday, August 13, 2021 11:54 AM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

Just checked the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from the unity.

To enable trace logging for rest, make sure to have the following in log4j2.xml file

<Logger name="unity.server.rest" level="TRACE"/>

Also if you could enable the trace logging for Jupyter and provide output that would be helpful.

One thing which is puzzling me is why the oauth client queries the revocation endpoint after login?

Thank you,
Roman

From: Roman Krysiński <ro...@un...>
Sent: Thursday, August 12, 2021 12:02 PM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

This is to let you know that we are working on this, and we will let you know after investigation.

Thanks for reaching out to the community.

Roman

On Wed, 11 Aug 2021 at 17:34, <ba...@aw...> wrote:

Dear Unity community,

I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.

Unity version: 3.2.3

Relevant configuration:

Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
Jupyter-hub-client: https://snipboard.io/6olp81.jpg

Relevant part of jupyterhub_config.py:

# OAuth client credentials as registered in Unity
c.GenericOAuthenticator.client_id="removed "
c.GenericOAuthenticator.client_secret="removed"
# Callback on the JupyterHub side and the Unity OAuth endpoints
c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
# Claim used as the JupyterHub user name, and the requested scopes
c.GenericOAuthenticator.username_key="userName"
#c.GenericOAuthenticator.userdata_params.state="state"
c.GenericOAuthenticator.userdata_params = {'state': 'state'}
c.GenericOAuthenticator.scope = ['profile','openid']

I’ve double checked the client_id and secret many times, I’m pretty sure they are correct.

What happens:

1. Go to https://mydomain.io/jupyter/
2. Click on “Sign in with OAuth 2.0” button
3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
4. Login with my username/password
5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”.

Checking unity logs I see the following warning:

WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.

(Full stack trace at the end of the email.)

This message does not tell much to me, all credentials are correct that I configured.

Could someone help me out? Did I misconfigure something?

Cheers, Zoltan Bakcsa 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource <http://token.as.oauth.unity.icm.edu.pl/%7DRevocationResource> has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) 
~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] 
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at java.lang.Thread.run(Thread.java:829) [?:?] Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] ... 56 more _______________________________________________ Unity-idm-discuss mailing list Uni...@li... <mailto:Uni...@li...> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss |
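
Added example, not part of the original thread and not JupyterHub or Unity code: the 403 in the JupyterHub log above is the token endpoint rejecting the client's own credentials, so this example builds an authorization-code token request with HTTP Basic client authentication and compares a captured request with what is registered at the IdP. The function names, the example.org URL and the client id and secret are constructed placeholders.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholders; none of these values come from the thread.
CLIENT_ID = "00000000-0000-4000-8000-000000000000"
CLIENT_SECRET = "constructed-secret"
REDIRECT_URI = "https://www.example.org/jupyter/hub/oauth_callback"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Headers and body of an authorization-code token request that
    authenticates the client with HTTP Basic (client_secret_basic)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return headers, body


def parse_basic(header_value):
    """Decode 'Basic <base64(user:password)>' into (user, password)."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("no ':' between user and password")
    return user, password


def diagnose(headers, body, reg_id, reg_secret, reg_redirect_uri):
    """Compare a captured token request with the client registration and
    return readable findings (an empty list means nothing is off)."""
    findings = []
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization")
    if auth is None:
        if "client_secret" in form:
            findings.append("credentials are in the form body, no Basic header")
        else:
            findings.append("request carries no client credentials")
    else:
        try:
            user, password = parse_basic(auth)
        except ValueError as exc:
            findings.append(f"unusable Authorization header: {exc}")
        else:
            # Padding copied from a config file or UI is easy to miss by eye.
            if user != user.strip() or password != password.strip():
                findings.append("whitespace around client_id or client_secret")
            if user.strip() != reg_id:
                findings.append("client_id differs from the registered one")
            elif not hmac.compare_digest(password.strip().encode(),
                                         reg_secret.encode()):
                findings.append("client_secret differs from the registered one")
    if form.get("grant_type") != "authorization_code":
        findings.append("grant_type is not authorization_code")
    if form.get("redirect_uri") != reg_redirect_uri:
        findings.append("redirect_uri differs from the registered one")
    return findings


if __name__ == "__main__":
    good = build_token_request(CLIENT_ID, CLIENT_SECRET, "constructed-code", REDIRECT_URI)
    padded = build_token_request(CLIENT_ID + " ", CLIENT_SECRET, "constructed-code", REDIRECT_URI)
    for label, (hdrs, form_body) in (("good", good), ("padded id", padded)):
        print(label, diagnose(hdrs, form_body, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI))
```
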
From: Roman K. <ro...@un...> - 2021-08-13 16:03:26
|
Hi Zoltan,

Thank you very much, that was helpful.

> Does that mean my configuration posted in my first email looks fine?

I haven't spotted a problem in the Unity configuration at first glance. Looking at the JupyterHub however I noticed this:

> 403 POST https://idp.my-domain.io:2443/oauth-token/token:

Token endpoint is protected and all requests require proper authorization. Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?

Thank you,
Roman

On Fri, 13 Aug 2021 at 16:18, <ba...@aw...> wrote:

> Hi Roman,
>
> Many thanks for looking into it.
>
> >Just checked the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.
> Does that mean my configuration posted in my first email looks fine?
>
> > please enable the logging for the rest subsystem to the trace level
>
> Unity logs:
> =========
>
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2 authorization endpoint
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request processing
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request to protected address, with OAuth2 input, will be processed: /oauth/oauth2-authz
> 2021-08-13T12:37:16,123 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Parsed OAuth request: response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid
> 2021-08-13T12:37:16,134 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request with OAuth input handled successfully
> 2021-08-13T12:37:16,170 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
> 2021-08-13T12:37:16,219 [qtp620381176-36] TRACE unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth request, forwarding to consent UI
> 2021-08-13T12:37:16,328 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
> 2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile Embedded]] Unprocessed data from local database:
> Entity 49:
> - [userName] bakcsa
> - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm
> - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm
> - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm
> Attributes:
> - sys:LastAuthentication: [2021-08-13T12:10:25]
> - firstname: [Zoltan]
> - surname: [Bakcsa]
> - name: [Zoltan Bakcsa]
> - sys:AuthorizationRole: [System Manager]
> - sys:CredentialRequirements: [Password requirement]
> - email: [{"value":ba...@aw...,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}]
> - sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}]
> In group: /
> Groups: [/moderators, /]
> Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30
> Requester attributes:
> - sys:oauth:clientType: [CONFIDENTIAL]
> - sys:oauth:allowedReturnURI: [https://www.my-domain.io/jupyter/hub/oauth_callback]
> - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, openidHybrid]
> - sys:oauth:clientName: [Jupyter hub login]
> Protocol: OAuth2:authorizationCode
> 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationRule:[[TrProfile Embedded], [r: 1]] Condition OK
> 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG unity.server.externaltranslation.CreateAttributeAction:[[TrProfile Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] Created a new attribute: userName: [bakcsa] with meta [userName, userName, false]
> 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result:
> TranslationResult:
> attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], sys:CredentialRequirements: [Password requirement] with meta [sys:CredentialRequirements, Defines which credential requirements are set for the owner, false], email: [{"value":ba...@aw...,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] with meta [E-mail address, E-mail address, false], sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] with meta [sys:Preferences, Preferences of the user, false], surname: [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] with meta [sys:LastAuthentication, Stores date and time of the last successful authentication. The format is ISO time in UTC time zone with seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] with meta [Authorization role, Defines what operations are allowed for the bearer. The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles:
> <b>System Manager</b> - System manager with all privileges.
> <b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes.
> <b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible
> <b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications are possible
> <b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing self managed attributes, identities and passwords
> <b>Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves
> , false]]
> identities=[[userName] bakcsa, [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm]
> attributesToPersist=[]
> identitiesToPersist=[]
> redirectURL=null
> 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/
> 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/
> 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/
> 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
> 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
> 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
> 2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
> 2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow pwd, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
> 2021-08-13T12:37:25,380 [qtp620381176-29] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>     at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > ... 
56 more > > 2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG > unity.server.rest.EngineExceptionMapper: Access denied for rest client > > pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user > name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > 
~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > > > > > Jupyter-hub logs: > ============== > > swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET > /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms > > swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET > /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f > (@::ffff:10.0.0.2) 1.32ms > > swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth > redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback' > > swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting > cookie oauthenticator-state: {'httponly': True, 'expires_days': 1} > > swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET > /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> > https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid > <https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=%5bsecret%5d&scope=profile+openid> > (@::ffff:10.0.0.2) 1.87ms > > swarm-1 
| [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error > fetching access token 403 POST > https://idp.my-domain.io:2443/oauth-token/token: { > > swarm-1 | "error": "AuthenticationException", > > swarm-1 | "message": "Invalid user name, credential or external > authentication failed. " > > swarm-1 | } > > swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught > exception GET > /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D > (::ffff:10.0.0.2) > > swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', > method='GET', > uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', > version='HTTP/1.1', remote_ip='::ffff:10.0.0.2') > > swarm-1 | Traceback (most recent call last): > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in > _execute > > swarm-1 | result = await result > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 231, in get > > swarm-1 | user = await self.login_user() > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line > 754, in login_user > > swarm-1 | authenticated = await self.authenticate(data) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in > get_authenticated_user > > swarm-1 | authenticated = await > maybe_future(self.authenticate(handler, data)) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line > 169, in authenticate > > swarm-1 | token_resp_json = await self._get_token(headers, > params) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 390, in fetch > > swarm-1 | raise e > > swarm-1 | 
File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 369, in fetch > > swarm-1 | resp = await self.http_client.fetch(req, **kwargs) > > swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden > > swarm-1 | > > swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template > for 500 > > swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] { > > swarm-1 | "X-Forwarded-Proto": "http", > > swarm-1 | "X-Forwarded-Port": "80", > > swarm-1 | "Connection": "close", > > swarm-1 | "X-Forwarded-Server": "my-domain.io", > > swarm-1 | "X-Forwarded-Host": "my-domain.io", > > swarm-1 | "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2", > > swarm-1 | "Cookie": > "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; > jupyterhub-session-id=[secret]; _xsrf=[secret]; > oauthenticator-state=[secret]", > > swarm-1 | "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7", > > swarm-1 | "Accept-Encoding": "gzip, deflate, br", > > swarm-1 | "Referer": https://idp.my-domain.io:2443/, > > swarm-1 | "Sec-Ch-Ua-Mobile": "?0", > > swarm-1 | "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not > A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"", > > swarm-1 | "Sec-Fetch-Dest": "document", > > swarm-1 | "Sec-Fetch-User": "?1", > > swarm-1 | "Sec-Fetch-Mode": "navigate", > > swarm-1 | "Sec-Fetch-Site": "same-site", > > swarm-1 | "Accept": > "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", > > swarm-1 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; > x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 > Safari/537.36 Edg/92.0.902.73", > > swarm-1 | "Upgrade-Insecure-Requests": "1", > > swarm-1 | "Cache-Control": "max-age=0", > > swarm-1 | "Host": "my-domain.io" > > swarm-1 | } > > swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET > /jupyter/hub/oauth_callback?code=[secret]&state=[secret] 
(@::ffff:10.0.0.2)
> 72.98ms
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Friday, August 13, 2021 11:54 AM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* *****SPAM***** Re: [Unity-idm-discuss] OpenID connect -
> Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> Just checked the scenario manually on my local environment for the version
> you are using, but I was not able to reproduce the problem.
>
> In order to proceed further with investigation, please enable the logging
> for the rest subsystem to the trace level, do a re-test of your scenario
> and provide the log records from the unity.
>
> To enable trace logging for rest, make sure to have the following in
> log4j2.xml file
>
> <Logger name="unity.server.rest" level="TRACE"/>
>
> Also if you could enable the trace logging for Jupyter and provide output
> that would be helpful. One thing which is puzzling me is why the oauth
> client queries the revocation endpoint after login?
>
> Thank you,
>
> Roman
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Thursday, August 12, 2021 12:02 PM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid
> user name, credential or external authentication failed
>
> Hi Zoltan,
>
> This is to let you know that we are working on this, and we will let you
> know after investigation.
>
> Thanks for reaching out to the community.
>
> Roman
>
> On Wed, 11 Aug 2021 at 17:34, <ba...@aw...> wrote:
>
> Dear Unity community,
>
> I’m trying to integrate Jupyter hub with Unity-idm. My goal is to
> authenticate users using OpenID Connect.
>
> Unity version:
>
> 3.2.3
>
> Relevant configuration:
>
> Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
>
> Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
>
> Jupyter-hub-client: https://snipboard.io/6olp81.jpg
>
> Relevant part of jupyterhub_config.py:
>
> c.GenericOAuthenticator.client_id="removed "
> c.GenericOAuthenticator.client_secret="removed"
> c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
> c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
> c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
> c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
> c.GenericOAuthenticator.username_key="userName"
> #c.GenericOAuthenticator.userdata_params.state="state"
> c.GenericOAuthenticator.userdata_params = {'state': 'state'}
> c.GenericOAuthenticator.scope = ['profile','openid']
>
> I’ve double checked the client_id and secret many times, I’m pretty sure
> they are correct.
>
> What happens:
>
> 1. Go to https://mydomain.io/jupyter/
> 2. Click on “Sign in with OAuth 2.0” button
> 3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
> 4. Login with my username/password
> 5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
> 6. After clicking on the Confirm button I get redirected to Jupyter
> hub where I get a “500: Internal Server Error”.
>
> Checking unity logs I see the following warning:
>
> WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
>
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>
> (Full stack trace at the end of the email.)
>
> This message does not tell much to me, all credentials are correct that I
> configured.
>
> Could someone help me out? Did I misconfigure something?
>
> Cheers,
>
> Zoltan Bakcsa
>
> 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
>
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>
> at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
>
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>
> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> >     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> >     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> >     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> >     at java.lang.Thread.run(Thread.java:829) [?:?]
> > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
> >     at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?]
> >     ... 56 more
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
From: <ba...@aw...> - 2021-08-13 14:18:42
|
Hi Roman,

Many thanks for looking into it.

> Just check the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

Does that mean my configuration posted in my first email looks fine?

> please enable the logging for the rest subsystem to the trace level

Unity logs:
=========
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2 authorization endpoint
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request processing
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request to protected address, with OAuth2 input, will be processed: /oauth/oauth2-authz
2021-08-13T12:37:16,123 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Parsed OAuth request: response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid
2021-08-13T12:37:16,134 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request with OAuth input handled successfully
2021-08-13T12:37:16,170 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:16,219 [qtp620381176-36] TRACE unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth request, forwarding to consent UI
2021-08-13T12:37:16,328 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile Embedded]] Unprocessed data from local database: Entity 49: -
[userName] bakcsa - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm Attributes: - sys:LastAuthentication: [2021-08-13T12:10:25] - firstname: [Zoltan] - surname: [Bakcsa] - name: [Zoltan Bakcsa] - sys:AuthorizationRole: [System Manager] - sys:CredentialRequirements: [Password requirement] - email: [{"value":ba...@aw... <mailto:ba...@aw...> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] - sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] In group: / Groups: [/moderators, /] Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30 Requester 
attributes: - sys:oauth:clientType: [CONFIDENTIAL] - sys:oauth:allowedReturnURI: [https://www.my-domain.io/jupyter/hub/oauth_callback] - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, openidHybrid] - sys:oauth:clientName: [Jupyter hub login] Protocol: OAuth2:authorizationCode 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationRule:[[TrProfile Embedded], [r: 1]] Condition OK 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG unity.server.externaltranslation.CreateAttributeAction:[[TrProfile Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] Created a new attribute: userName: [bakcsa] with meta [userName, userName, false] 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result: TranslationResult: attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], sys:CredentialRequirements: [Password requirement] with meta [sys:CredentialRequirements, Defines which credential requirements are set for the owner, false], email: [{"value":ba...@aw... 
<mailto:ba...@aw...> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] with meta [E-mail address, E-mail address, false], sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] with meta [sys:Preferences, Preferences of the user, false], surname: [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] with meta [sys:LastAuthentication, Stores date and time of the last successful authentication. The format is ISO time in UTC time zone with seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] with meta [Authorization role, Defines what operations are allowed for the bearer. 
The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles: <b>System Manager</b> - System manager with all privileges. <b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes. <b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible <b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications are possible <b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing self managed attributes, identities and passwords <b>Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves , false]] identities=[[userName] bakcsa, [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm] attributesToPersist=[] identitiesToPersist=[] redirectURL=null 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth 
post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow pwd, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2021-08-13T12:37:25,380 [qtp620381176-29] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) 
~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) 
[jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?]
    ... 56 more
2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG unity.server.rest.EngineExceptionMapper: Access denied for rest client
pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] 
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at java.lang.Thread.run(Thread.java:829) [?:?]

Jupyter-hub logs:
==============
swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms
swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f (@::ffff:10.0.0.2) 1.32ms
swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback'
swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1}
swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid (@::ffff:10.0.0.2) 1.87ms
swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error fetching access token 403 POST https://idp.my-domain.io:2443/oauth-token/token: {
swarm-1 |   "error": "AuthenticationException",
swarm-1 |   "message": "Invalid user name, credential or external authentication failed. "
swarm-1 | }
swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught exception GET /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D (::ffff:10.0.0.2)
swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', method='GET', uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', version='HTTP/1.1', remote_ip='::ffff:10.0.0.2')
swarm-1 | Traceback (most recent call last):
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
swarm-1 |     result = await result
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 231, in get
swarm-1 |     user = await self.login_user()
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
swarm-1 |     authenticated = await self.authenticate(data)
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
swarm-1 |     authenticated = await maybe_future(self.authenticate(handler, data))
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 169, in authenticate
swarm-1 |     token_resp_json = await self._get_token(headers, params)
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 390, in fetch
swarm-1 |     raise e
swarm-1 |   File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 369, in fetch
swarm-1 |     resp = await self.http_client.fetch(req, **kwargs)
swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden
swarm-1 |
swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template for 500
swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] {
swarm-1 |   "X-Forwarded-Proto": "http",
swarm-1 |   "X-Forwarded-Port": "80",
swarm-1 |   "Connection": "close",
swarm-1 |   "X-Forwarded-Server": "my-domain.io",
swarm-1 |   "X-Forwarded-Host": "my-domain.io",
swarm-1 |   "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2",
swarm-1 |   "Cookie": "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; jupyterhub-session-id=[secret]; _xsrf=[secret]; oauthenticator-state=[secret]",
swarm-1 |   "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7",
swarm-1 |   "Accept-Encoding": "gzip, deflate, br",
swarm-1 |   "Referer": https://idp.my-domain.io:2443/,
swarm-1 |   "Sec-Ch-Ua-Mobile": "?0",
swarm-1 |   "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"",
swarm-1 |   "Sec-Fetch-Dest": "document",
swarm-1 |   "Sec-Fetch-User": "?1",
swarm-1 |   "Sec-Fetch-Mode": "navigate",
swarm-1 |   "Sec-Fetch-Site": "same-site",
swarm-1 |   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
swarm-1 |   "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73",
swarm-1 |   "Upgrade-Insecure-Requests": "1",
swarm-1 |   "Cache-Control": "max-age=0",
swarm-1 |   "Host": "my-domain.io"
swarm-1 | }
swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET /jupyter/hub/oauth_callback?code=[secret]&state=[secret] (@::ffff:10.0.0.2) 72.98ms

From: Roman Krysiński <ro...@un...>
Sent: Friday, August 13, 2021 11:54 AM
To: ba...@aw...
Cc: Unity ML <uni...@li...
<mailto:uni...@li...> > Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed HI Zoltan, Just check the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem. In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from the unity. To enable trace logging for rest, make sure to have the following in log4j2.xml file <Logger name="unity.server.rest" level="TRACE"/> Also if you could enable the trace logging for Jupyter and provide output that would be helpful. One thing which is puzzling me is why the oauth client queries the revocation endpoint after login? Thank you, Roman From: Roman Krysiński <ro...@un... <mailto:ro...@un...> > Sent: Thursday, August 12, 2021 12:02 PM To: ba...@aw... <mailto:ba...@aw...> Cc: Unity ML <uni...@li... <mailto:uni...@li...> > Subject: Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed HI Zoltan, This is to let you know that we are working on this, and we will let you know after investigation. Thanks for reaching out to the community. Roman śr., 11 sie 2021 o 17:34 <ba...@aw... <mailto:ba...@aw...> > napisał(a): Dear Unity community, I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect. 

Unity version:
3.2.3

Relevant configuration:
Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
Jupyter-hub-client: https://snipboard.io/6olp81.jpg

Relevant part of jupyterhub_config.py:

c.GenericOAuthenticator.client_id="removed "
c.GenericOAuthenticator.client_secret="removed"
c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
c.GenericOAuthenticator.username_key="userName"
#c.GenericOAuthenticator.userdata_params.state="state"
c.GenericOAuthenticator.userdata_params = {'state': 'state'}
c.GenericOAuthenticator.scope = ['profile','openid']

I’ve double checked the client_id and secret many times, I’m pretty sure they are correct.

What happens:

1. Go to https://mydomain.io/jupyter/
2. Click on “Sign in with OAuth 2.0” button
3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
4. Login with my username/password
5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”.

Checking unity logs I see the following warning:

WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.

(Full stack trace at the end of the email.)

This message does not tell much to me, all credentials are correct that I configured.

Could someone help me out? Did I misconfigure something?

Cheers,
Zoltan Bakcsa

2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?]
    ... 56 more

_______________________________________________
Unity-idm-discuss mailing list
Uni...@li...
https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
From: Roman K. <ro...@un...> - 2021-08-13 09:54:21
|
Hi Zoltan,

Just checked the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from Unity.

To enable trace logging for rest, make sure to have the following in the log4j2.xml file:

<Logger name="unity.server.rest" level="TRACE"/>

Also, if you could enable the trace logging for Jupyter and provide the output, that would be helpful.

One thing which is puzzling me is why the oauth client queries the revocation endpoint after login?

Thank you,
Roman

> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Thursday, August 12, 2021 12:02 PM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> This is to let you know that we are working on this, and we will let you know after investigation.
>
> Thanks for reaching out to the community.
>
> Roman
>
> Wed, 11 Aug 2021 at 17:34 <ba...@aw...> wrote:
>
> > Dear Unity community,
> >
> > I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.
|
From: Roman K. <ro...@un...> - 2021-08-12 10:03:06
|
Hi Zoltan,

This is to let you know that we are working on this, and we will let you know after investigation.

Thanks for reaching out to the community.

Roman

Wed, 11 Aug 2021 at 17:34 <ba...@aw...> wrote:

> Dear Unity community,
>
> I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.
>
> Unity version:
> 3.2.3
>
> Relevant configuration:
> Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
> Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
> Jupyter-hub-client: https://snipboard.io/6olp81.jpg
>
> Relevant part of jupyterhub_config.py:
>
> c.GenericOAuthenticator.client_id="removed "
> c.GenericOAuthenticator.client_secret="removed"
> c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
> c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
> c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
> c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
> c.GenericOAuthenticator.username_key="userName"
> #c.GenericOAuthenticator.userdata_params.state="state"
> c.GenericOAuthenticator.userdata_params = {'state': 'state'}
> c.GenericOAuthenticator.scope = ['profile','openid']
>
> I’ve double checked the client_id and secret many times, I’m pretty sure they are correct.
>
> What happens:
>
> 1. Go to https://mydomain.io/jupyter/
> 2. Click on “Sign in with OAuth 2.0” button
> 3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
> 4. Login with my username/password
> 5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
> 6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”.
> Checking unity logs I see the following warning:
>
> WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>
> (Full stack trace at the end of the email.)
>
> This message does not tell much to me, all credentials are correct that I configured.
>
> Could someone help me out? Did I misconfigure something?
>
> Cheers,
> Zoltan Bakcsa
>
> 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>     at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?]
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?]
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
>     at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
>     at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?]
>     ... 56 more
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|