From: Roman K. <ro...@un...> - 2024-05-16 10:13:08

Good morning Sander,

One way of solving this problem, which Unity already supports, is to use the tokeninfo endpoint. It does not extend the token validity, and provides information about its expiration. Would that work?

Best regards,
Roman

On Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:

> Good morning Krzysztof,
> good morning Roman,
>
> we have a client which wants to check if the user still has a running
> session in Unity and end the session in the service if there is no
> session in Unity anymore. They are using a normal OIDC flow with
> prompt=none and it works fine if the user stored the consent, but if
> not, Unity sends "Unexpected server error". Since OIDC already defines
> the error "consent_required", it would be much more comfortable for the
> service and in the end for the user if Unity would send this error
> message. What do you think?
>
> I added some details from the service operator below.
>
> We do a regular OIDC flow and after a while we trigger another flow with
> prompt=none to validate the user is still active and authenticated:
>
> https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> ?response_type=code
> &client_id=OUR_CLIENT
> &redirect_uri=OUR_URI
> &prompt=none
> &nonce=NONCE
> &code_challenge=CODE_CHALLENGE
> &code_challenge_method=S256
>
> If the user did not tick the 'remember my decision' box, then they get
> redirected with:
>
> https://OUR_HOSTNAME/oidc/callback/
> ?error=server_error
> &error_description=Unexpected+server+error&state=STATE
>
> Unity log:
>
> ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> but 'none' prompt was given
>
> Returning an error seems to be the correct behaviour here
> (https://openid.net/specs/openid-connect-core-1_0.html). Returning e.g.
> consent_required
> (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> instead of the generic server_error, as suggested in the specification,
> could help us display a useful error message to the user. Since Unity's
> log already displays this as a specific error, this is hopefully not too
> difficult to implement.
>
> We're using mozilla-django-oidc:
> https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
> https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
>
> Best regards,
> Sander
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren district court, no. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Management: Prof. Dr. Astrid Lambrecht (Chair),
> Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Sander A. <sa....@fz...> - 2024-05-16 07:57:50

Good morning Krzysztof,
good morning Roman,

we have a client which wants to check if the user still has a running session in Unity and end the session in the service if there is no session in Unity anymore. They are using a normal OIDC flow with prompt=none and it works fine if the user stored the consent, but if not, Unity sends "Unexpected server error". Since OIDC already defines the error "consent_required", it would be much more comfortable for the service and in the end for the user if Unity would send this error message. What do you think?

I added some details from the service operator below.

We do a regular OIDC flow and after a while we trigger another flow with prompt=none to validate the user is still active and authenticated:

https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
?response_type=code
&client_id=OUR_CLIENT
&redirect_uri=OUR_URI
&prompt=none
&nonce=NONCE
&code_challenge=CODE_CHALLENGE
&code_challenge_method=S256

If the user did not tick the 'remember my decision' box, then they get redirected with:

https://OUR_HOSTNAME/oidc/callback/
?error=server_error
&error_description=Unexpected+server+error&state=STATE

Unity log:

ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required but 'none' prompt was given

Returning an error seems to be the correct behaviour here (https://openid.net/specs/openid-connect-core-1_0.html). Returning e.g. consent_required (https://openid.net/specs/openid-connect-core-1_0.html#AuthError) instead of the generic server_error, as suggested in the specification, could help us display a useful error message to the user. Since Unity's log already displays this as a specific error, this is hopefully not too difficult to implement.

We're using mozilla-django-oidc:
https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
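The relying-party side of the scenario above, as an added example that is not part of the thread, of mozilla-django-oidc or of Unity: it classifies the redirect that comes back from a prompt=none authorization request using the error codes of OpenID Connect Core 1.0 section 3.1.2.6, so that only an explicit "user is not logged in" answer ends the local session, while the generic server_error the thread reports is treated as inconclusive. The callback URLs and the policy in `classify_callback` are constructed for illustration.

```python
"""Relying-party handling of a prompt=none re-authentication callback."""
from __future__ import annotations

from enum import Enum
from urllib.parse import parse_qs, urlsplit


class Action(Enum):
    CONTINUE = "continue"            # code received: the OP session is alive
    END_SESSION = "end_session"      # OP says the user is not logged in
    REAUTH_INTERACTIVE = "reauth"    # user interaction needed, redo without prompt=none
    RETRY_LATER = "retry_later"      # transient or unknown error, keep the session
    REJECT = "reject"                # state mismatch or malformed callback


# OIDC Core 3.1.2.6: errors an OP returns when prompt=none cannot be honoured.
OP_SESSION_GONE = {"login_required"}
NEEDS_INTERACTION = {"interaction_required", "consent_required", "account_selection_required"}


def classify_callback(callback_url: str, expected_state: str) -> tuple[Action, str]:
    """Return (action, detail) for the URL the browser was redirected back to."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [None])[0]
    # The state must be checked before anything else is believed.
    if state is None or state != expected_state:
        return Action.REJECT, "state mismatch"
    if "code" in params:
        return Action.CONTINUE, "authorization code received"
    error = params.get("error", [None])[0]
    detail = params.get("error_description", [""])[0]
    if error is None:
        return Action.REJECT, "neither code nor error in callback"
    if error in OP_SESSION_GONE:
        return Action.END_SESSION, f"{error}: {detail}"
    if error in NEEDS_INTERACTION:
        # The OP may still hold a session; consent or another interaction is
        # missing, so a silent check cannot decide. Send the user through an
        # interactive flow (no prompt=none) instead of dropping the session.
        return Action.REAUTH_INTERACTIVE, f"{error}: {detail}"
    # server_error, temporarily_unavailable and anything unrecognised: the OP
    # did not say the session is gone, so one failure must not log the user out.
    return Action.RETRY_LATER, f"{error}: {detail}"


def apply_policy(consecutive_failures: int, action: Action, max_failures: int = 3) -> tuple[bool, int]:
    """Return (keep_local_session, new_failure_count) for one silent check."""
    if action is Action.CONTINUE:
        return True, 0
    if action is Action.END_SESSION:
        return False, 0
    if action is Action.RETRY_LATER:
        # Inconclusive answers are tolerated, but not forever.
        consecutive_failures += 1
        return consecutive_failures < max_failures, consecutive_failures
    # REAUTH_INTERACTIVE and REJECT: keep the session only until the user has
    # been sent through an interactive login; the caller triggers that.
    return True, consecutive_failures
```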
From: Sander A. <sa....@fz...> - 2024-05-15 06:46:26

Hi Krzysztof,

was this added in the meantime or is it planned to be added?

Best regards,
Sander

On Fri, 2023-10-27 at 09:16 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 27.10.2023 at 07:14, Sander Apweiler wrote:
> > Hello Krzysztof,
> > hello Roman,
> >
> > one of our connected clients is using Ceph as storage backend and it
> > requires the certificate which was used to sign the token. According to
> > https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata
> > and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6
> > certificates can be added as an optional x5c attribute.
> > Since I didn't find anything in the manual and nothing in the endpoint
> > configuration, I assume it is not (yet) possible. Can you correct me if
> > I'm wrong or give your thoughts about a possible extension?
>
> Yes, Unity only puts bare keys in OIDC metadata.
>
> Yes, an enhancement to also add a full certificate looks fine.
>
> Best,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2024-04-30 13:02:54

Dear Subscribers,

I'm happy to announce a somewhat unexpected 3.16.0 release. While our 4.0.0 major release gets delayed, we wanted to publish a couple of recent improvements still on the 3.x branch, and then focus on fixing the remaining issues with 4.0.0. Unity 4 is expected soon, however we are still polishing the rewritten UI. Our hope is to release it in May.

Release Highlights

The 3.16.0 release brings several notable improvements:

* It is possible to create dynamic policies activating 2FA. Exposed as a new policy in Authentication Flow configuration. A dynamic MVEL based rule can take the decision based on the user's attributes, the 1st factor used and other information.
* SAML IdP can be configured to return the NotBefore constraint.
* SAML authenticator can filter trusted federation IdPs based on their attributes set in metadata.
* Authentication Context Reference obtained from upstream OAuth and SAML IdPs is preserved and exposed for use in output profiles, as well as available in the dynamic MFA activation policy. This allows for forwarding this information to Unity relying parties as well as ensuring MFA is not repeated if it was already performed by the upstream IdP.
* Several performance optimizations were applied:
  o fixed problem with slow loading of the Requests view in Console, in case of many user enquiry responses
  o when entering Console the root group is not automatically selected in Groups Browser
  o small optimizations in the bulk query API, improving some of the Unity operations spanning the whole users directory
  o indexes were added to the tokens DB table

Migration consideration

MySQL users shall ensure that permissions to create procedures are granted to the Unity DB user. See Update instructions in the manual for details, if you are on this DB.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-03-19 07:18:30

Good morning Krzysztof,

sorry for the confusion. The problem appears if the confidential clients are using PKCE. For confidential clients which never used PKCE everything is fine. We had just one client which reported the error occurred independent of whether they are using PKCE or not. But I'm not sure if they really disabled PKCE.

About your requests:
1. I'll try to generate them as soon as possible. For the moment we went back to 3.15.0. But we will create the logs on our dev system.
2. - 4. Please find the screenshots attached.

If something is missing, please let me know.

Best regards,
Sander

On Mon, 2024-03-18 at 13:22 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.03.2024 at 13:26, Sander Apweiler wrote:
> > Hi Krzysztof,
> > thanks for the fast fix. After we deployed the new version and tested
> > with the confidential client using PKCE. The client gets only
> >
> > status: 401, body:
> > {"error":"invalid_client","error_description":"Client
> > authentication failed; not authenticated"})
> >
> > using PKCE or not. Other applications, which did not use PKCE, are
> > working well. In log files I see only:
> >
> > 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> > 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
> >
> > Checking the client, the credential is well defined and login on
> > userhome works. The password does not contain any character which may
> > cause trouble in encoding. Do you have any idea what causes this issue?
>
> First of all I'm confused by your case description. You wrote that "test with the confidential client *using PKCE*. [there is a problem] *using PKCE or not*. Other applications, which *did not use PKCE* are working well."
>
> So what is the situation? Only clients which try to perform PKCE are failing with this error, or all?
>
> To speed up the investigation, besides explaining the scenario, please also:
>
> 1. enable TRACE logging on 2 facilities: unity.server.rest and unity.server.authn, run the test and provide the logs.
> 2. please provide (e.g. a screenshot) configuration of the Clients tab of your OAuth IdP/AS. I'm interested in enabled authenticators/flows.
> 3. please provide details of defined credentials per your client's entity (can be from "Show details").
> 4. complete configuration of the endpoint would be helpful too (more "just in case").
>
> Best,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2024-03-18 12:23:10

Hi Sander,

On 15.03.2024 at 13:26, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the fast fix. After we deployed the new version and tested
> with the confidential client using PKCE. The client gets only
>
> status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})
>
> using PKCE or not. Other applications, which did not use PKCE, are
> working well. In log files I see only:
>
> 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
>
> Checking the client, the credential is well defined and login on
> userhome works. The password does not contain any character which may
> cause trouble in encoding. Do you have any idea what causes this issue?

First of all I'm confused by your case description. You wrote that "test with the confidential client *using PKCE*. [there is a problem] *using PKCE or not*. Other applications, which *did not use PKCE* are working well."

So what is the situation? Only clients which try to perform PKCE are failing with this error, or all?

To speed up the investigation, besides explaining the scenario, please also:

1. enable TRACE logging on 2 facilities: unity.server.rest and unity.server.authn, run the test and provide the logs.
2. please provide (e.g. a screenshot) configuration of the Clients tab of your OAuth IdP/AS. I'm interested in enabled authenticators/flows.
3. please provide details of defined credentials per your client's entity (can be from "Show details").
4. complete configuration of the endpoint would be helpful too (more "just in case").

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-03-18 09:21:17

Good morning Krzysztof,

this topic became very urgent because we have many more services failing right now. We were not aware of so many services using PKCE as confidential client. Do you have any idea already?

Best regards,
Sander

On Fri, 2024-03-15 at 13:26 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the fast fix. After we deployed the new version and tested
> with the confidential client using PKCE. The client gets only
>
> status: 401, body:
> {"error":"invalid_client","error_description":"Client authentication
> failed; not authenticated"})
>
> using PKCE or not. Other applications, which did not use PKCE, are
> working well. In log files I see only:
>
> 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
>
> Checking the client, the credential is well defined and login on
> userhome works. The password does not contain any character which may
> cause trouble in encoding. Do you have any idea what causes this issue?
>
> Best regards,
> Sander
>
> On Thu, 2024-03-07 at 12:11 +0100, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > > Hi Krzysztof, hi Roman,
> > >
> > > we got the hint from one of our connected clients that Unity does not
> > > check the client secret in the authentication flow. This would be a
> > > huge security issue. The client is a confidential client with optional
> > > PKCE. The operators told us Unity is not checking the secret even if
> > > they disable PKCE for it. Is there any scenario where Unity does not
> > > check the client secrets in the requests?
> >
> > Yes, I can confirm that. A regression introduced when adding support
> > for PKCE for confidential clients.
> >
> > We will release a fixed version ASAP.
> >
> > > I know in the past we had some issues with a missing basic auth header or
> > > passwords containing special characters, which were not properly encoded
> > > and Unity did not accept their requests.
> > >
> > > Another issue which was also re-opened was checking the token signature
> > > at the userinfo endpoint. In May 2022 Roman said Unity is only checking
> > > the JTI against its internal database and using the information from
> > > that but not further checking the sent token. Here we got the question
> > > if there was an update of this behaviour.
> >
> > I don't think so, but I'll let Roman answer.
> >
> > Best,
> > Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2024-03-15 12:26:45

Hi Krzysztof,

thanks for the fast fix. After we deployed the new version and tested with the confidential client using PKCE. The client gets only

status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})

using PKCE or not. Other applications, which did not use PKCE, are working well. In log files I see only:

2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated

Checking the client, the credential is well defined and login on userhome works. The password does not contain any character which may cause trouble in encoding. Do you have any idea what causes this issue?

Best regards,
Sander

On Thu, 2024-03-07 at 12:11 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > we got the hint from one of our connected clients that Unity does not
> > check the client secret in the authentication flow. This would be a
> > huge security issue. The client is a confidential client with optional
> > PKCE. The operators told us Unity is not checking the secret even if
> > they disable PKCE for it. Is there any scenario where Unity does not
> > check the client secrets in the requests?
>
> Yes, I can confirm that. A regression introduced when adding support
> for PKCE for confidential clients.
>
> We will release a fixed version ASAP.
>
> > I know in the past we had some issues with a missing basic auth header or
> > passwords containing special characters, which were not properly encoded
> > and Unity did not accept their requests.
> >
> > Another issue which was also re-opened was checking the token signature
> > at the userinfo endpoint. In May 2022 Roman said Unity is only checking
> > the JTI against its internal database and using the information from
> > that but not further checking the sent token. Here we got the question
> > if there was an update of this behaviour.
>
> I don't think so, but I'll let Roman answer.
>
> Best,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2024-03-13 20:32:47

Dear Subscribers,

Unity 3.15.1 was published today. This release includes fixes for the following problems:

* regression causing that the OAuth confidential client credential was not always deemed mandatory
* mixing up separators and headers defined on a sign-in page of a service/IdP edited in Console
* policy agreements not shown after remote registration, if only the agreements were supposed to be shown
* SCIM endpoint configuration in Console now allows importing a previously exported Unity schema together with configured mappings; so far only the core, standard SCIM schema import was supported there.

Additionally Java 21 is supported as a runtime platform. This means Unity 3.15.1 can be run on Java 11, 17 and 21. Support for Java 11 will be dropped in the upcoming Unity 4.

More details and all necessary links are available at https://unity-idm.eu/releases/release-3-15-1/

Best regards,
Krzysztof
From: Roman K. <ro...@un...> - 2024-03-11 11:48:42

Hi Sander,

We took a closer look at the "checking the JTI against its internal database" topic. In general we do not see this as a potential vulnerability, or at least the same as guessing the access token itself. This could indeed be a problem if the JTI is exposed e.g. in logs OR in case users in possession of a JTI should have privileges to query user info. We do see however room for improvement, where Unity could validate if the JWT token as a whole is the same as the one published by Unity. I'll open an enhancement ticket to cover that.

Best,
Roman

On Thu, 7 Mar 2024 at 12:11 Krzysztof Benedyczak <kb...@un...> wrote:
> Hi Sander,
>
> On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > we got the hint from one of our connected clients that Unity does not
> > check the client secret in the authentication flow. This would be a
> > huge security issue. The client is a confidential client with optional
> > PKCE. The operators told us Unity is not checking the secret even if
> > they disable PKCE for it. Is there any scenario where Unity does not
> > check the client secrets in the requests?
>
> Yes, I can confirm that. A regression introduced when adding support for
> PKCE for confidential clients.
>
> We will release a fixed version ASAP.
>
> > I know in the past we had some issues with a missing basic auth header or
> > passwords containing special characters, which were not properly encoded
> > and Unity did not accept their requests.
> >
> > Another issue which was also re-opened was checking the token signature
> > at the userinfo endpoint. In May 2022 Roman said Unity is only checking
> > the JTI against its internal database and using the information from
> > that but not further checking the sent token. Here we got the question
> > if there was an update of this behaviour.
>
> I don't think so, but I'll let Roman answer.
>
> Best,
> Krzysztof
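The two userinfo behaviours discussed in this message, as an added example that is not Unity's code: `userinfo_by_jti` reproduces a lookup-only endpoint that takes the presented JWT's jti, finds the stored record and serves data from it, which is exactly why a jti that leaks into a log becomes sufficient on its own; `userinfo_strict` adds the checks Roman describes as the improvement, verifying the signature, the expiry and that the presented token is the whole issued token, not just a matching identifier. HS256 with a constructed key is used only to keep the block self-contained; a real authorization server verifies with its own signing key.

```python
"""Userinfo access token validation: jti lookup alone versus full verification."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

DEMO_KEY = b"constructed-demo-signing-key"  # placeholder for the AS signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT; the AS stores the result keyed by its jti."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def unverified_claims(token: str) -> dict:
    """Payload only; nothing about the token is checked here."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def userinfo_by_jti(store: Dict[str, str], token: str) -> Optional[dict]:
    """Lookup-only endpoint: the jti in the presented token selects the stored record,
    so a token carrying a live jti is served regardless of who signed it."""
    issued = store.get(unverified_claims(token).get("jti"))
    return unverified_claims(issued) if issued else None


def userinfo_strict(store: Dict[str, str], token: str, key: bytes, now: float) -> Optional[dict]:
    """Signature, fixed algorithm, expiry, and whole-token equality with the stored record."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        presented_sig = _b64url_decode(parts[2])
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
        raw_token = token.encode("ascii")
    except ValueError:  # covers base64, JSON and non-ASCII failures
        return None
    if header.get("alg") != "HS256":
        return None  # the verifier, not the token, decides the algorithm
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    issued = store.get(claims.get("jti"))
    # Whole-token comparison: a matching jti alone is not enough.
    if issued is None or not hmac.compare_digest(issued.encode("ascii"), raw_token):
        return None
    return claims
```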
From: Krzysztof B. <kb...@un...> - 2024-03-07 11:11:24

Hi Sander,

On 6.03.2024 at 13:05, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
>
> we got the hint from one of our connected clients that Unity does not
> check the client secret in the authentication flow. This would be a
> huge security issue. The client is a confidential client with optional
> PKCE. The operators told us Unity is not checking the secret even if
> they disable PKCE for it. Is there any scenario where Unity does not
> check the client secrets in the requests?

Yes, I can confirm that. A regression introduced when adding support for PKCE for confidential clients.

We will release a fixed version ASAP.

> I know in the past we had some issues with a missing basic auth header or
> passwords containing special characters, which were not properly encoded
> and Unity did not accept their requests.
>
> Another issue which was also re-opened was checking the token signature
> at the userinfo endpoint. In May 2022 Roman said Unity is only checking
> the JTI against its internal database and using the information from
> that but not further checking the sent token. Here we got the question
> if there was an update of this behaviour.

I don't think so, but I'll let Roman answer.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-03-06 12:06:17

Hi Krzysztof, hi Roman,

we got the hint from one of our connected clients that Unity does not check the client secret in the authentication flow. This would be a huge security issue. The client is a confidential client with optional PKCE. The operators told us Unity is not checking the secret even if they disable PKCE for it. Is there any scenario where Unity does not check the client secrets in the requests?

I know in the past we had some issues with a missing basic auth header or passwords containing special characters, which were not properly encoded and Unity did not accept their requests.

Another issue which was also re-opened was checking the token signature at the userinfo endpoint. In May 2022 Roman said Unity is only checking the JTI against its internal database and using the information from that but not further checking the sent token. Here we got the question if there was an update of this behaviour.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
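The class of regression reported in this message and confirmed by Krzysztof, as an added example that is not Unity's code: a token endpoint that treats a valid PKCE verifier as if it were client authentication silently stops checking the secret of a confidential client. The fixed variant keeps the two checks independent: a confidential client must always present its secret, and PKCE (RFC 7636 S256) is verified on top of that only when the authorization request used it. `Client`, `TokenRequest` and the SHA-256 credential store are constructed for illustration.

```python
"""Token endpoint: client secret check and PKCE check must be independent."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def hash_secret(secret: str) -> bytes:
    """Stand-in for the credential store; a real AS uses a slow password hash."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    secret_hash: Optional[bytes]  # None for public clients


@dataclass(frozen=True)
class TokenRequest:
    client_id: str
    client_secret: Optional[str]   # from the Basic auth header or the POST body
    code_verifier: Optional[str]   # PKCE verifier sent with the code exchange
    code_challenge: Optional[str]  # challenge the AS stored with the code at /authz time


def secret_matches(client: Client, presented: Optional[str]) -> bool:
    if client.secret_hash is None or presented is None:
        return False
    return hmac.compare_digest(hash_secret(presented), client.secret_hash)


def pkce_matches(req: TokenRequest) -> bool:
    """True when the request either did not use PKCE or proves the stored challenge."""
    if req.code_challenge is None:
        return True
    if req.code_verifier is None or not req.code_verifier.isascii() or not req.code_challenge.isascii():
        return False
    return hmac.compare_digest(s256_challenge(req.code_verifier), req.code_challenge)


def authenticate_regressed(client: Client, req: TokenRequest) -> Optional[str]:
    """Regression pattern: when PKCE is in play, its result replaces client authentication."""
    if req.code_challenge is not None:
        return None if pkce_matches(req) else "invalid_grant"
    if client.confidential and not secret_matches(client, req.client_secret):
        return "invalid_client"
    return None


def authenticate_fixed(client: Client, req: TokenRequest) -> Optional[str]:
    """Client authentication first and always for confidential clients; PKCE afterwards."""
    if client.confidential and not secret_matches(client, req.client_secret):
        return "invalid_client"
    if not pkce_matches(req):
        return "invalid_grant"
    return None
```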
From: Krzysztof B. <kb...@un...> - 2024-02-12 15:28:30
Hi Sander,

On 2.02.2024 at 11:37, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> a few months ago we contacted you because of the long time to load content
> in unity. At some of this you made some fixes and it is working faster.
> But some are still worse. Accepting an invitation does take several
> minutes or end up in time outs. We did not yet update to 3.15. which
> could make it better.

Unfortunately I wouldn't expect improvements in 3.15 for the invitation acceptance part. AFAIR this aspect was not investigated from a performance standpoint so far. Can you please provide some details on that? This is certainly something that should be both possible and hopefully easy to fix, we just need a way to reproduce and understand the problem. Any detail will be useful:

1. structure & size of directory
2. what form? (enquiry/reg?) what invitation?

> Switching in Console Endpoints takes several minutes. Might the size of
> our userbase (25k accounts, 100 groups, 37 attribute statements) cause
> some of these delays?

Hmm. You mean switching groups in Console -> directory or something different? In general this can be slow, but rather not "several minutes" on such a setup, but rather "up to a minute". For comparison: with a similar size of data base (of course not precisely, just a range) switching to show the '/' group on my instance takes below 5 seconds.

We have plans to address these scalability problems, maybe one of the priorities after we release v4. But that's a bigger change.

So "several minutes" in this context sounds bad (some DB problems? very slow machine? running at the edge of free memory? or some performance bug related to some completely other aspect of your setup than the number of users). Can you please clarify if we talk about switching groups or something else? And if yes - enable debug/trace for some time in not busy hours and see what the performance stats are when changing the group?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-02-02 10:37:27
Hi Krzysztof, hi Roman,

a few months ago we contacted you because of the long time to load content in unity. At some of this you made some fixes and it is working faster. But some are still worse. Accepting an invitation does take several minutes or end up in time outs. We did not yet update to 3.15. which could make it better.

Switching in Console Endpoints takes several minutes. Might the size of our userbase (25k accounts, 100 groups, 37 attribute statements) cause some of these delays?

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2024-01-26 06:30:57
Good morning Krzysztof,

thanks for the feedback.

Best regards,
Sander

On Thu, 2024-01-25 at 17:56 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 23.01.2024 at 10:02, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > since PKCE is recommended for confidential clients as well, I
> > wonder if unity supports this for confidential clients, too?
>
> That was never tested a lot but should work. It is only not possible
> to enforce PKCE for confidential clients: it is opt in. However, if
> during the first OAuth stage (authzCode) a PKCE code challenge is used,
> PKCE will be enforced later on.
>
> Best,
> Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-26 06:30:14
Good morning Krzysztof,

yes this is right. In this case the users used the link of an invitation, selected the home organisation, authenticated there, came back to unity and got the error displayed. In the log files I saw all attributes were sent by the home organisation. Instead of showing the form and only asking for the acceptance of policies, the error was shown.

Best regards,
Sander

On Thu, 2024-01-25 at 17:58 +0100, Krzysztof Benedyczak wrote:
> On 25.01.2024 at 08:02, Sander Apweiler wrote:
> > Dear Krzysztof,
> > dear Roman,
> >
> > We encountered a problem in the user registration. If the IdP
> > provides all mandatory information, the form is not shown and the
> > user can not accept the mandatory policies. Instead only the
> > "Form error Mandatory policy agreement is not accepted" error
> > message.
> >
> > Is this the intended behaviour?
>
> No, of course not. We will try to replicate that and fix.
>
> Just to ensure I understand the flow: you are using a reg form with
> remote registration method, after returning from the remote IdP it is
> expected that Unity will show the form merely to ask about policy
> acceptance, and here we have the issue. Is it about right?
>
> Thanks for the heads up,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2024-01-25 16:58:57
On 25.01.2024 at 08:02, Sander Apweiler wrote:
> Dear Krzysztof,
> dear Roman,
>
> We encountered a problem in the user registration. If the IdP provides
> all mandatory information, the form is not shown and the user can not
> accept the mandatory policies. Instead only the "Form error Mandatory
> policy agreement is not accepted" error message.
>
> Is this the intended behaviour?

No, of course not. We will try to replicate that and fix.

Just to ensure I understand the flow: you are using a reg form with remote registration method, after returning from the remote IdP it is expected that Unity will show the form merely to ask about policy acceptance, and here we have the issue. Is it about right?

Thanks for the heads up,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2024-01-25 16:56:27
Hi Sander,

On 23.01.2024 at 10:02, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> since PKCE is recommended for confidential clients as well, I wonder if
> unity supports this for confidential clients, too?

That was never tested a lot but should work. It is only not possible to enforce PKCE for confidential clients: it is opt in. However, if during the first OAuth stage (authzCode) a PKCE code challenge is used, PKCE will be enforced later on.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-25 07:02:30
Dear Krzysztof, dear Roman,

We encountered a problem in the user registration. If the IdP provides all mandatory information, the form is not shown and the user can not accept the mandatory policies. Instead only the "Form error Mandatory policy agreement is not accepted" error message.

Is this the intended behaviour?

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2024-01-23 09:02:27
Good morning Krzysztof, good morning Roman,

since PKCE is recommended for confidential clients as well, I wonder if unity supports this for confidential clients, too?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2024-01-10 13:52:46
Hi Sander,

On 9.01.2024 at 14:21, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we are trying to add Splunk as a SP using SAML. Splunk shows an error
> about missing NotBefore field in assertion. Investigating the assertion
> confirms this. NotBefore is missing but NotOnOrAfter is present. Is
> this just an error in our configuration or does unity not send the
> NotBefore?

AFAIR we don't set NotBefore - this is an optional attribute.

Best,
Krzysztof
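Added example, not Unity's or Splunk's code and not from this thread: a relying-party check of a SAML 2.0 Conditions element that treats NotBefore as the optional attribute it is (an assertion carrying only NotOnOrAfter, as described above, is accepted), while still bounding validity with NotOnOrAfter, a clock-skew allowance and an audience check. The assertion fragment and the audience URL are constructed; refusing an assertion with no NotOnOrAfter at all is a local policy choice, not a spec requirement.

```python
# Added example, not Unity's code: validating SAML 2.0 <Conditions> where
# NotBefore is optional (SAML core 2.5.1) and only NotOnOrAfter is present.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample fragment: NotOnOrAfter set, NotBefore deliberately absent.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotOnOrAfter="2024-01-09T13:30:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://splunk.example.invalid/saml/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML dateTime values are UTC ISO 8601 with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC (trailing Z)")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, audience, now, skew=timedelta(seconds=60)):
    """Return (ok, reason). A missing NotBefore is fine; a missing
    NotOnOrAfter is rejected here as local policy (unbounded lifetime)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "NotOnOrAfter missing"
    if now >= parse_saml_time(not_on_or_after) + skew:
        return False, "assertion expired"
    # NotBefore is optional: only check it when the IdP actually sent it.
    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "audience mismatch"
    return True, "valid"
```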
From: Sander A. <sa....@fz...> - 2024-01-09 13:21:22
Hi Krzysztof, hi Roman,

we are trying to add Splunk as a SP using SAML. Splunk shows an error about missing NotBefore field in assertion. Investigating the assertion confirms this. NotBefore is missing but NotOnOrAfter is present. Is this just an error in our configuration or does unity not send the NotBefore?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2024-01-08 11:14:14
Hi Sander,

On 4.01.2024 at 08:53, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
> We encountered a problem in SCIM import. When we want to import our
> exported schema from December, unity shows an "Unrecognized fileId
> type" error. I'm not sure what causes the problem, but the schema was
> working.

So we have the following situation that there are 2 file formats in here:

1. SCIM schema (standard one)
2. Unity schema configuration, including the schema and its mapping onto Unity directory.

The "Import" action in console only supports #1. At the same time the "export" option in console there produces #2.

Files #2 with schema and its mapping can be used when configuring endpoint from a file:

unity.endpoint.scim.schemasFile.1=...

The export of #2 was added at the end and indeed we haven't caught that now it is asymmetric and not intuitive. We should be able to fix that by supporting the import from console of both formats. Anyway for now the file you have needs to be loaded through endpoint's configuration.

HTH,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-04 08:35:35
Good morning Krzysztof, good morning Roman,

happy new year, too! Yes this helps and should be no problem for our use-case. I need to adapt my testing case only.

Best regards,
Sander

On Tue, 2024-01-02 at 11:28 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 21.12.2023 at 14:23, Sander Apweiler wrote:
> > Hi Bernd,
> > in this case I got missing HTTP Basic Auth Header errors.
>
> I just noticed that we miss one important aspect of authN in case of
> accessing SCIM with OAuth token in the docs: as it was requested,
> access using the OAuth token also requires client's authN. I.e. you
> need to provide 2 authorizations: both client's credential and the token.
>
> Naturally we can develop a simpler variant (configurable on the
> endpoint) but as of now this is the only option. We will improve the
> docs.
>
> So in order to authenticate you need to provide both Basic authN
> header (with OAuth client's credentials, the same as were used to
> obtain access token) and Bearer header with the OAuth access token.
>
> Hope that helps, and happy new year!
> Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-04 07:53:17
Good morning Krzysztof, good morning Roman,

We encountered a problem in SCIM import. When we want to import our exported schema from December, unity shows an "Unrecognized fileId type" error. I'm not sure what causes the problem, but the schema was working.

Best regards,
Sander