From: Krzysztof B. <kb...@un...> - 2024-07-19 10:50:14
|
Dear Subscribers,
It took significantly more than we hoped, but finally it's arrived: the
4th major version of Unity was released yesterday.
Unity 4 introduces a completely new, fully rewritten web User Interface
using modern technologies.
This is a significant technical step forward for the application,
allowing us to enhance the user experience with lightweight widgets and
improve compatibility with various browser plugins and tools.
The change in web technology also requires adaptation of branding and UI
customizations. See the update instructions in the Unity Manual for
details.
Besides technology and look and feel updates, Unity 4 also brings many
other changes:
* HomeUI has been generally refreshed. User credentials management is
now more user-friendly. HomeUI also has a more lightweight design,
making it easier to customize, brand, and embed.
* The minimum Java version is now 17.
* The UNICORE endpoint was removed since it is no longer needed by
newer UNICORE versions.
* The demo CA and server certificate have been updated.
All relevant links are available here:
https://unity-idm.eu/releases/release-4-0-0/
Best,
Krzysztof
|
|
From: Krzysztof B. <kb...@un...> - 2024-07-09 07:01:14
|
Hi Sander,

On 27.06.2024 at 13:19, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> due to some issue we recognized that Ghostery adblocker breaks unity.
> In one case the user was in a loop at the WAYF-service and upstream
> login. After the successful login at the organisation, unity showed the
> WAYF-service without preselected IdP.
> In the second case unity did not show the checkbox and text of policy
> update enquiry.
> It seems that these issues came up with the last update of Ghostery.

I think this will be fine in Unity 4.

Best,
Krzysztof Benedyczak
|
|
From: Sander A. <sa....@fz...> - 2024-07-09 06:55:34
|
Good morning Krzysztof,

we are testing the removeStaleData action in input translation profile. It seems that this only removes the attribute value but not the attribute itself. After setting the attribute to an empty string in the external OP, I got an error about "Attribute must have at least 1 values". The condition for the mapAttribute rule is

attrs['attr_name'] != null && attr['attr_name'] != ''

which works fine without the removeStaleData rule. Is the behaviour intended that unity deletes only the attribute value but not the attribute, if it is empty?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren district court, No. HR B 3498
Chairman of the supervisory board: MinDir Stefan Müller
Management board: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Prof. Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
|
|
From: Krzysztof B. <kb...@un...> - 2024-07-03 08:29:16
|
Hi Sander,

On 25.06.2024 at 12:48, Sander Apweiler wrote:
> Hi Krzysztof,
> I spent some further time to set up the SCIM API using tokens. I
> created an authenticator for verifying local tokens (config in
> screenshot). But when I try to query the API using this command
>
> curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Bearer
> $TOKEN" -H "Authorization: Basic $CLIENT"
>
> I got:
> {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":403
> ,"detail":"Forbidden"} as response and the log shows
>
> DEBUG unity.server.scim.EngineExceptionMapper: Access denied for SCIM
> API client
> pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user
> name, credential or external authentication failed.
>
> The client which requested the token is the same as the one who calls
> the SCIM API. It also requested the scope sys:scim:read_profile to be
> able to query the SCIM API.
>
> Did I miss something?

Can you try:

curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $CLIENT,Bearer $TOKEN"

? If it still doesn't work, please provide server logs from authentication, at least on debug and perfectly on TRACE level.

HTH,
Krzysztof
|
|
From: Sander A. <sa....@fz...> - 2024-06-27 11:19:43
|
Hi Krzysztof,
hi Roman,

due to some issue we recognized that Ghostery adblocker breaks unity.
In one case the user was in a loop at the WAYF-service and upstream login. After the successful login at the organisation, unity showed the WAYF-service without preselected IdP.
In the second case unity did not show the checkbox and text of policy update enquiry.
It seems that these issues came up with the last update of Ghostery.

Best regards,
Sander
|
|
From: Sander A. <sa....@fz...> - 2024-06-25 10:48:26
|
Hi Krzysztof,

I spent some further time to set up the SCIM API using tokens. I created an authenticator for verifying local tokens (config in screenshot). But when I try to query the API using this command

curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Bearer $TOKEN" -H "Authorization: Basic $CLIENT"

I got:

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":403,"detail":"Forbidden"}

as response and the log shows

DEBUG unity.server.scim.EngineExceptionMapper: Access denied for SCIM API client
pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.

The client which requested the token is the same as the one who calls the SCIM API. It also requested the scope sys:scim:read_profile to be able to query the SCIM API.

Did I miss something?

Best regards,
Sander
|
|
From: Sander A. <sa....@fz...> - 2024-06-25 10:33:20
|
Hi Krzysztof,

thanks. It's working now.

Best regards,
Sander

On Sat, 2024-06-22 at 11:49 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.06.2024 at 08:31, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > is there a way to display an IdP in unity which sets hide from
> > discovery in its metadata?
>
> It is not possible to turn off (and in particular selectively) hiding
> from discovery.
>
> But naturally you can configure this IdP as an individually trusted
> IdP, next to the federation (by pasting the values from the metadata
> record). It will look seamless from user PoV.
>
> HTH,
> Krzysztof
|
|
From: Krzysztof B. <kb...@un...> - 2024-06-22 09:50:06
|
Hi Sander,

On 20.06.2024 at 08:31, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
>
> is there a way to display an IdP in unity which sets hide from
> discovery in its metadata?

It is not possible to turn off (and in particular selectively) hiding from discovery.

But naturally you can configure this IdP as an individually trusted IdP, next to the federation (by pasting the values from the metadata record). It will look seamless from user PoV.

HTH,
Krzysztof
|
|
From: Krzysztof B. <kb...@un...> - 2024-06-22 09:37:05
|
Dear Subscribers
Unity 3.15.1 was published today.
This release includes the following improvements:
* proper error code is returned when prompt=none and consent is required
* OIDC metadata includes x5c attribute with certificate chain used to
sign tokens
See https://unity-idm.eu/releases/release-3-16-1/ for all relevant links.
Best regards,
Krzysztof
|
|
From: Sander A. <sa....@fz...> - 2024-06-20 06:31:17
|
Hi Krzysztof, hi Roman,

is there a way to display an IdP in unity which sets hide from discovery in its metadata?

Best regards,
Sander
|
|
From: Roman K. <ro...@un...> - 2024-05-21 12:22:42
|
Hi Sander,

Sorry to be long in my reply. I see your point, I have opened a ticket to correct the error coming from oauth IdP as suggested.

Best regards,
Roman

Thu, 16 May 2024 at 12:20 Sander Apweiler <sa....@fz...> wrote:
> Dear Roman,
> I think not. They want to test if the user has a running session at
> unity. The token might not have been revoked, if the session was closed. Or
> does unity invalidate all tokens, created in the session, if the user
> logs out?
>
> Best regards,
> Sander
>
> On Thu, 2024-05-16 at 12:12 +0200, Roman Krysiński wrote:
> > Good morning Sander,
> >
> > One way of solving this problem, which Unity already supports, is to
> > use tokeninfo endpoint.
> > It does not extend the token validity, and provides information about
> > its expiration.
> >
> > Would that work?
> >
> > Best regards,
> > Roman
> >
> > Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:
> > > Good morning Krzysztof,
> > > good morning Roman,
> > >
> > > we have a client which wants to check if the user still has a running
> > > session in unity and end the session in the service, if there is no
> > > session in unity anymore. They are using a normal oidc flow with
> > > prompt=none and it works fine if the user stored the consent, but if
> > > not unity sends Unexpected server error. Since OIDC already defined
> > > the error "consent_required", it would be much more comfortable for the
> > > service and in the end for the user, if unity would send this error
> > > message. What do you think?
> > >
> > > I added you some details from the service operator below.
> > >
> > > We do a regular OIDC flow and after a while we trigger another flow with
> > > prompt=none to validate the user is still active and authenticated:
> > >
> > > https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> > > ?response_type=code
> > > &client_id=OUR_CLIENT
> > > &redirect_uri=OUR_URI
> > > &prompt=none
> > > &nonce=NONCE
> > > &code_challenge=CODE_CHALLENGE
> > > &code_challenge_method=S256
> > >
> > > If the user did not tick the 'remember my decision' box, then they get
> > > redirected with:
> > >
> > > https://OUR_HOSTNAME/oidc/callback/
> > > ?error=server_error
> > > &error_description=Unexpected+server+error&state=STATE
> > >
> > > Unity log:
> > >
> > > ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> > > but 'none' prompt was given
> > >
> > > Returning an error seems to be the correct behaviour here
> > > (https://openid.net/specs/openid-connect-core-1_0.html).
> > > Returning e.g. consent_required
> > > (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> > > instead of the generic server_error as suggested in the specification,
> > > could help us display a useful error message to the user. Since Unity's
> > > log already displays this as a specific error this is hopefully not too
> > > difficult to implement.
> > >
> > > We're using mozilla-django OIDC:
> > > https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
> > > https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
> > >
> > > Best regards,
> > > Sander
|
|
From: Roman K. <ro...@un...> - 2024-05-17 16:20:36
|
Hi Sander,

This work has been ticketed but there is no timeline for it yet.

Best regards,
Roman

Wed, 15 May 2024 at 08:46 Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> was this added in the meantime or is it planned to be added?
>
> Best regards,
> Sander
>
> On Fri, 2023-10-27 at 09:16 +0200, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 27.10.2023 at 07:14, Sander Apweiler wrote:
> > > Hello Krzysztof,
> > > hello Roman,
> > >
> > > one of our connected clients is using Ceph as storage backend and it
> > > requires the certificate which was used to sign the token. According to
> > > https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata
> > > and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6
> > > certificates can be added as optional x5c attribute.
> > > Since I didn't find anything in the manual and nothing in endpoint
> > > configuration, I assume it is not (yet) possible. Can you correct me if
> > > I'm wrong or give your thought about possible extension?
> >
> > Yes, Unity only puts bare keys in oidc metadata.
> >
> > Yes, enhancement to also add a full certificate looks fine.
> >
> > Best,
> > Krzysztof
|
|
From: Sander A. <sa....@fz...> - 2024-05-16 10:20:08
|
Dear Roman,

I think not. They want to test if the user has a running session at unity. The token might not have been revoked, if the session was closed. Or does unity invalidate all tokens, created in the session, if the user logs out?

Best regards,
Sander

On Thu, 2024-05-16 at 12:12 +0200, Roman Krysiński wrote:
> Good morning Sander,
>
> One way of solving this problem, which Unity already supports, is to
> use tokeninfo endpoint.
> It does not extend the token validity, and provides information about
> its expiration.
>
> Would that work?
>
> Best regards,
> Roman
>
> Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > we have a client which wants to check if the user still has a running
> > session in unity and end the session in the service, if there is no
> > session in unity anymore. They are using a normal oidc flow with
> > prompt=none and it works fine if the user stored the consent, but if
> > not unity sends Unexpected server error. Since OIDC already defined
> > the error "consent_required", it would be much more comfortable for the
> > service and in the end for the user, if unity would send this error
> > message. What do you think?
> >
> > I added you some details from the service operator below.
> >
> > We do a regular OIDC flow and after a while we trigger another flow with
> > prompt=none to validate the user is still active and authenticated:
> >
> > https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> > ?response_type=code
> > &client_id=OUR_CLIENT
> > &redirect_uri=OUR_URI
> > &prompt=none
> > &nonce=NONCE
> > &code_challenge=CODE_CHALLENGE
> > &code_challenge_method=S256
> >
> > If the user did not tick the 'remember my decision' box, then they get
> > redirected with:
> >
> > https://OUR_HOSTNAME/oidc/callback/
> > ?error=server_error
> > &error_description=Unexpected+server+error&state=STATE
> >
> > Unity log:
> >
> > ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> > but 'none' prompt was given
> >
> > Returning an error seems to be the correct behaviour here
> > (https://openid.net/specs/openid-connect-core-1_0.html).
> > Returning e.g. consent_required
> > (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> > instead of the generic server_error as suggested in the specification,
> > could help us display a useful error message to the user. Since Unity's
> > log already displays this as a specific error this is hopefully not too
> > difficult to implement.
> >
> > We're using mozilla-django OIDC:
> > https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
> > https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
> >
> > Best regards,
> > Sander
|
|
From: Roman K. <ro...@un...> - 2024-05-16 10:13:08
|
Good morning Sander,

One way of solving this problem, which Unity already supports, is to use tokeninfo endpoint. It does not extend the token validity, and provides information about its expiration.

Would that work?

Best regards,
Roman

Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> we have a client which wants to check if the user still has a running
> session in unity and end the session in the service, if there is no
> session in unity anymore. They are using a normal oidc flow with
> prompt=none and it works fine if the user stored the consent, but if
> not unity sends Unexpected server error. Since OIDC already defined
> the error "consent_required", it would be much more comfortable for the
> service and in the end for the user, if unity would send this error
> message. What do you think?
>
> I added you some details from the service operator below.
>
> We do a regular OIDC flow and after a while we trigger another flow with
> prompt=none to validate the user is still active and authenticated:
>
> https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> ?response_type=code
> &client_id=OUR_CLIENT
> &redirect_uri=OUR_URI
> &prompt=none
> &nonce=NONCE
> &code_challenge=CODE_CHALLENGE
> &code_challenge_method=S256
>
> If the user did not tick the 'remember my decision' box, then they get
> redirected with:
>
> https://OUR_HOSTNAME/oidc/callback/
> ?error=server_error
> &error_description=Unexpected+server+error&state=STATE
>
> Unity log:
>
> ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> but 'none' prompt was given
>
> Returning an error seems to be the correct behaviour here
> (https://openid.net/specs/openid-connect-core-1_0.html).
> Returning e.g. consent_required
> (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> instead of the generic server_error as suggested in the specification,
> could help us display a useful error message to the user. Since Unity's
> log already displays this as a specific error this is hopefully not too
> difficult to implement.
>
> We're using mozilla-django OIDC:
> https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
> https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
>
> Best regards,
> Sander
|
|
From: Sander A. <sa....@fz...> - 2024-05-16 07:57:50
|
Good morning Krzysztof,
good morning Roman,

we have a client which wants to check if the user still has a running session in unity and end the session in the service, if there is no session in unity anymore. They are using a normal oidc flow with prompt=none and it works fine if the user stored the consent, but if not unity sends Unexpected server error. Since OIDC already defined the error "consent_required", it would be much more comfortable for the service and in the end for the user, if unity would send this error message. What do you think?

I added you some details from the service operator below.

We do a regular OIDC flow and after a while we trigger another flow with prompt=none to validate the user is still active and authenticated:

https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
?response_type=code
&client_id=OUR_CLIENT
&redirect_uri=OUR_URI
&prompt=none
&nonce=NONCE
&code_challenge=CODE_CHALLENGE
&code_challenge_method=S256

If the user did not tick the 'remember my decision' box, then they get redirected with:

https://OUR_HOSTNAME/oidc/callback/
?error=server_error
&error_description=Unexpected+server+error&state=STATE

Unity log:

ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required but 'none' prompt was given

Returning an error seems to be the correct behaviour here (https://openid.net/specs/openid-connect-core-1_0.html). Returning e.g. consent_required (https://openid.net/specs/openid-connect-core-1_0.html#AuthError) instead of the generic server_error as suggested in the specification, could help us display a useful error message to the user. Since Unity's log already displays this as a specific error this is hopefully not too difficult to implement.

We're using mozilla-django OIDC:
https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147

Best regards,
Sander
|
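The session check Sander describes above, written out as an added example in Go (it is neither Unity's code nor mozilla-django-oidc's): it builds the prompt=none request with a PKCE S256 challenge and then classifies the redirect back to the relying party, ending the local session only on the errors OIDC Core 3.1.2.6 defines for prompt=none (login_required, interaction_required, consent_required, account_selection_required) and treating a generic server_error as inconclusive. The endpoint, client_id, redirect_uri and the STATE/NONCE values are the placeholders from the thread; adding scope=openid and the state parameter to the request is an assumption of this example.

```go
package main

// Added example, not Unity's or mozilla-django-oidc's code: relying-party side
// of a prompt=none "is the user still logged in?" probe. Endpoint, client and
// redirect values are the thread's placeholders; scope/state are assumptions.

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// newCodeVerifier returns a fresh PKCE verifier (RFC 7636 section 4.1): 32
// random bytes, base64url without padding, 43 characters.
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// s256Challenge derives the code_challenge for method S256 (RFC 7636 4.2).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL builds the silent re-authentication request from the thread.
func authorizeURL(authzEndpoint, clientID, redirectURI, state, nonce, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid")
	q.Set("prompt", "none")
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", s256Challenge(verifier))
	q.Set("code_challenge_method", "S256")
	return authzEndpoint + "?" + q.Encode()
}

// Outcome is what the RP concludes from the provider's redirect.
type Outcome int

const (
	OutcomeCode          Outcome = iota // authorization code: session still alive
	OutcomeNeedsInteract                // OIDC interaction error: end the local session
	OutcomeUnknown                      // provider-side failure: conclude nothing
	OutcomeReject                       // state mismatch or unparsable: discard
)

// interactionErrors are the prompt=none error codes of OIDC Core 3.1.2.6.
var interactionErrors = map[string]bool{
	"login_required":             true,
	"interaction_required":       true,
	"consent_required":           true,
	"account_selection_required": true,
}

// classifyCallback checks state first, then maps code/error to an Outcome.
func classifyCallback(callbackURL, expectedState string) (Outcome, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return OutcomeReject, err
	}
	q := u.Query()
	if q.Get("state") != expectedState {
		return OutcomeReject, errors.New("state mismatch")
	}
	if code := q.Get("code"); code != "" {
		return OutcomeCode, nil
	}
	if e := q.Get("error"); interactionErrors[e] {
		return OutcomeNeedsInteract, nil
	}
	return OutcomeUnknown, fmt.Errorf("provider error %q: %s", q.Get("error"), q.Get("error_description"))
}

func main() {
	verifier, _ := newCodeVerifier()
	fmt.Println(authorizeURL("https://login-dev.helmholtz.de/oauth2-as/oauth2-authz",
		"OUR_CLIENT", "https://OUR_HOSTNAME/oidc/callback/", "STATE", "NONCE", verifier))
	// The redirect Unity sent in the thread, and the one the specification defines.
	for _, cb := range []string{
		"https://OUR_HOSTNAME/oidc/callback/?error=server_error&error_description=Unexpected+server+error&state=STATE",
		"https://OUR_HOSTNAME/oidc/callback/?error=consent_required&state=STATE",
	} {
		o, err := classifyCallback(cb, "STATE")
		fmt.Println(o, err)
	}
}
```

With the behaviour reported in the thread (server_error instead of consent_required) the classifier lands on OutcomeUnknown, so the RP cannot tell a lost session from a provider fault and should not log the user out on that basis; once the provider returns consent_required the same code ends the session as the operator intends. The state check runs before anything else so that a redirect not tied to a request this RP made is never interpreted as a logout signal.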
|
From: Sander A. <sa....@fz...> - 2024-05-15 06:46:26
|
Hi Krzysztof,

was this added in the meantime or is it planned to be added?

Best regards,
Sander

On Fri, 2023-10-27 at 09:16 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 27.10.2023 at 07:14, Sander Apweiler wrote:
> > Hello Krzysztof,
> > hello Roman,
> >
> > one of our connected clients is using Ceph as storage backend and it
> > requires the certificate which was used to sign the token. According to
> > https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata
> > and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6
> > certificates can be added as optional x5c attribute.
> > Since I didn't find anything in the manual and nothing in endpoint
> > configuration, I assume it is not (yet) possible. Can you correct me if
> > I'm wrong or give your thought about possible extension?
>
> Yes, Unity only puts bare keys in oidc metadata.
>
> Yes, enhancement to also add a full certificate looks fine.
>
> Best,
> Krzysztof
|
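An added example (not Unity's code) of the check a consumer of the x5c extension requested above should make before relying on the certificate: RFC 7517 section 4.7 requires the public key in the first x5c certificate to be the same key the JWK's other members describe, so a client that pins or forwards that certificate (as the Ceph backend here does) should reject any entry where they disagree. The RSA key and self-signed certificate are generated locally as a constructed sample, and the subject name is an assumption.

```go
package main

// Added example, not Unity's code: verify that a JWKS entry's x5c leaf
// certificate carries exactly the RSA key given by "n" and "e" (RFC 7517 4.7).
// Key and certificate below are a constructed sample generated at run time.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// jwk holds the RSA members of a JWKS entry relevant to the check.
type jwk struct {
	Kty string   `json:"kty"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c,omitempty"` // standard base64 DER, per RFC 7515 4.1.6
}

// sampleJWK builds a fresh RSA key, a self-signed certificate for it and the
// JWKS entry a provider would publish for that pair (constructed sample).
func sampleJWK() (jwk, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return jwk{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example (constructed)"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return jwk{}, err
	}
	return jwk{
		Kty: "RSA",
		N:   base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes()),
		X5c: []string{base64.StdEncoding.EncodeToString(der)},
	}, nil
}

// verifyX5c parses the leaf certificate in x5c and checks that its public key
// is exactly the key described by n and e. On mismatch the entry must be
// rejected: the JWKS is inconsistent or has been tampered with.
func verifyX5c(k jwk) (*x509.Certificate, error) {
	if k.Kty != "RSA" || len(k.X5c) == 0 {
		return nil, errors.New("not an RSA key with x5c")
	}
	der, err := base64.StdEncoding.DecodeString(k.X5c[0])
	if err != nil {
		return nil, fmt.Errorf("x5c[0] is not base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("x5c[0] is not a certificate: %w", err)
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate key is not RSA")
	}
	nBytes, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	eBytes, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	if new(big.Int).SetBytes(nBytes).Cmp(certPub.N) != 0 ||
		new(big.Int).SetBytes(eBytes).Int64() != int64(certPub.E) {
		return nil, errors.New("x5c certificate key does not match n/e")
	}
	return cert, nil
}

func main() {
	k, err := sampleJWK()
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(k, "", "  ")
	fmt.Println(string(out))
	if cert, err := verifyX5c(k); err != nil {
		fmt.Println("REJECT:", err)
	} else {
		fmt.Println("x5c consistent with n/e, subject:", cert.Subject.CommonName)
	}
}
```

The comparison is done on the decoded integers rather than on the encoded strings, so a JWKS that pads or re-encodes n differently still passes while a different key does not. Whether the certificate itself is trusted (chain, validity period, key usage) is a separate decision; this check only establishes that the certificate and the bare key in the same entry describe one signer.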
|
From: Krzysztof B. <kb...@un...> - 2024-04-30 13:02:54
|
Dear Subscribers,
I'm happy to announce a bit unexpected, 3.16.0 release. While our 4.0.0
major release gets delayed, we wanted to publish a couple of recent
improvements still on the 3.x branch, and then focus on fixing the
remaining issues with 4.0.0. Unity 4 is expected soon, however we still
polish the rewritten UI. Our hope is to release it in May.
Release Highlights
The 3.16.0 release brings several notable improvements:
* It is possible to create dynamic policies, activating 2FA. Exposed
as a new policy in Authentication Flow configuration. A dynamic MVEL
based rule can take the decision based on the user's attributes, 1st factor
used and other information.
* SAML IdP can be configured to return the NotBefore constraint
* SAML authenticator can filter trusted federation IdPs based on
their attributes set in metadata
* Authentication Context Reference obtained from upstream OAuth and
SAML IdPs is preserved and exposed for use in output profile as well
as available in dynamic MFA activation policy. This allows for
forwarding this information to Unity relying parties as well as
ensuring MFA is not repeated, if it was already performed by upstream IdP.
* Several performance optimizations were applied:
o fixed problem with slow loading of Requests view in Console, in
case of many user enquiry responses
o when entering console the root group is not automatically
selected in Groups Browser.
o there are small optimizations in bulk query API, improving some
of the Unity operations spanning whole users directory.
o indexes were added to the tokens DB table
Migration consideration
MySQL users shall ensure that permissions to create procedures are
granted to the Unity DB user. See Update instructions in the manual for
details, if you are on this DB.
Best regards,
Krzysztof
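The two release items above, a dynamic MFA activation policy and the preserved upstream Authentication Context Reference, combine into one decision: require a second factor based on the user's attributes and the first factor used, but do not repeat MFA the upstream IdP already performed, and forward the resulting ACR to the relying party. As an added example (not Unity's MVEL policy syntax and not the project's code), the same decision is written below as plain Python so it can be tested. The attribute names, the trusted-IdP set and the IdP identifier are assumptions for the example; `https://refeds.org/profile/mfa` is the REFEDS MFA profile identifier.

```python
"""Dynamic MFA activation decision that accounts for upstream ACR.

Added example, not Unity's policy language or code. It models the release
notes' logic: second factor based on user attributes and first factor,
never repeated when a trusted upstream IdP already asserted MFA, with the
ACR forwarded to the relying party. Attribute names and the trusted IdP
set are assumptions; the IdP URL is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

REFEDS_MFA = "https://refeds.org/profile/mfa"
# Only honour an upstream MFA assertion from IdPs we have agreed to trust for
# it: an ACR is a claim made by the upstream, not something verified locally.
UPSTREAMS_TRUSTED_FOR_MFA = {"https://idp.example.org/saml"}  # constructed


@dataclass
class AuthnContext:
    first_factor: str                      # e.g. "password", "x509", "saml", "oauth"
    attributes: dict = field(default_factory=dict)
    upstream_idp: Optional[str] = None     # set when the first factor was a remote IdP
    upstream_acr: Optional[str] = None     # ACR asserted by that IdP, preserved by the proxy


@dataclass(frozen=True)
class Decision:
    require_second_factor: bool
    reason: str
    forwarded_acr: Optional[str]           # ACR the relying party will see if the flow completes


def decide(ctx: AuthnContext) -> Decision:
    """Evaluate the policy in priority order and explain the outcome."""
    # 1. MFA already done by an upstream IdP trusted for it: do not repeat it,
    #    and forward the upstream ACR so the relying party learns it too.
    if ctx.upstream_acr == REFEDS_MFA and ctx.upstream_idp in UPSTREAMS_TRUSTED_FOR_MFA:
        return Decision(False, "mfa performed by trusted upstream IdP", REFEDS_MFA)
    # 2. Privileged roles always get a second factor, whatever the first one was
    #    and whatever an untrusted upstream claimed.
    if "admin" in ctx.attributes.get("roles", []):
        return Decision(True, "privileged role", REFEDS_MFA)
    # 3. Users who enrolled a second factor use it everywhere.
    if ctx.attributes.get("mfaEnrolled") is True:
        return Decision(True, "user enrolled", REFEDS_MFA)
    # 4. Otherwise a single factor suffices; pass through whatever ACR the
    #    upstream asserted (possibly none) so the relying party can decide.
    return Decision(False, "single factor sufficient", ctx.upstream_acr)


if __name__ == "__main__":
    # constructed sample contexts
    print(decide(AuthnContext("saml", {"roles": []}, "https://idp.example.org/saml", REFEDS_MFA)))
    print(decide(AuthnContext("saml", {"roles": ["admin"]}, "https://other.example.net", REFEDS_MFA)))
    print(decide(AuthnContext("password", {"mfaEnrolled": True})))
```

The ordering matters: the upstream short-circuit comes first only because it is gated on a trusted IdP list; without that gate, any upstream could suppress the local second factor simply by asserting the MFA ACR.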
From: Sander A. <sa....@fz...> - 2024-03-19 07:18:30
Good morning Krzysztof,
sorry for the confusion. The problem appears if the confidential
clients are using PKCE. For confidential clients which never used PKCE
everything is fine. We had just one client which reported that the error
occurred independent of whether they are using PKCE or not. But I'm not sure if
they really disabled PKCE.
About your requests:
1. I'll try to generate them as soon as possible. For the moment we went
back to 3.15.0. But we will create the logs on our dev system.
2. - 4. Please find the screenshots attached.
If something is missing, please let me know.
Best regards,
Sander
On Mon, 2024-03-18 at 13:22 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.03.2024 at 13:26, Sander Apweiler wrote:
> > Hi Krzysztof,
> > thanks for the fast fix. After we deployed the new version and tested
> > with the confidential client using PKCE, the client gets only
> >
> > status: 401, body:
> > {"error":"invalid_client","error_description":"Client
> > authentication failed; not authenticated"})
> >
> > using PKCE or not. Other applications, which did not use PKCE are
> > working well. In log files I see only:
> >
> > 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG
> > unity.server.core.ClientIPSettingHandler: Handling client XXXXX
> > request to URL /oauth2/token
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> > unity.server.rest.AuthenticationInterceptor: Client authentication
> > attempt using flow pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> > unity.server.rest.AuthenticationInterceptor: Client authentication
> > attempt using authenticator pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> > unity.server.rest.AuthenticationInterceptor: Not defined credential
> > for pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> > unity.server.rest.AuthenticationInterceptor: Request to an address
> > with optional authentication - /oauth2/token - invocation will
> > proceed without authentication
> > 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG
> > unity.server.oauth.BaseOAuthResource: Retuning OAuth error
> > response: invalid_client: Client authentication failed; not
> > authenticated
> >
> > Checking the client, the credential is well defined and login on
> > userhome works. The password does not contain any character, which
> > may cause trouble in encoding. Do you have any idea what causes this
> > issue?
>
> First of all I'm confused by your case description. You wrote that
> "test with the confidential client using PKCE. [there is a problem]
> using PKCE or not. Other applications, which did not use PKCE are
> working well."
>
> So what is the situation? Only clients which try to perform PKCE are
> failing with this error, or all, or?
>
> To speed up the investigation, besides explaining the scenario,
> please also:
>
> 1. enable TRACE logging on 2 facilities: unity.server.rest and
> unity.server.authn, run the test and provide the logs.
>
> 2. please provide (e.g. a screenshot) configuration of Clients tab of
> your OAuth IdP/AS. I'm interested in enabled authenticators/flows.
>
> 3. please provide details of defined credentials per your client's
> entity (can be from "Show details").
>
> 4. complete configuration of the endpoint would be helpful too (more
> "just in case").
>
> Best,
> Krzysztof
>
--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2024-03-18 12:23:10
Hi Sander,
On 15.03.2024 at 13:26, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the fast fix. After we deployed the new version and tested
> with the confidential client using PKCE, the client gets only
>
> status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})
>
> using PKCE or not. Other applications, which did not use PKCE are
> working well. In log files I see only:
>
>
> 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
>
> Checking the client, the credential is well defined and login on
> userhome works. The password does not contain any character, which may
> cause trouble in encoding. Do you have any idea what causes this issue?
First of all I'm confused by your case description. You wrote that
"test with the confidential client *using PKCE*. [there is a problem]
*using PKCE or not*. Other applications, which *did not use PKCE* are
working well."
So what is the situation? Only clients which try to perform PKCE are
failing with this error, or all, or?
To speed up the investigation, besides explaining the scenario, please also:
1. enable TRACE logging on 2 facilities: unity.server.rest and
unity.server.authn, run the test and provide the logs.
2. please provide (e.g. a screenshot) configuration of Clients tab of
your OAuth IdP/AS. I'm interested in enabled authenticators/flows.
3. please provide details of defined credentials per your client's
entity (can be from "Show details").
4. complete configuration of the endpoint would be helpful too (more
"just in case").
Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-03-18 09:21:17
Good morning Krzysztof,
this topic became very urgent because we have many more services
failing right now. We were not aware of so many services using PKCE
as confidential client. Do you already have any idea?
Best regards,
Sander
On Fri, 2024-03-15 at 13:26 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the fast fix. After we deployed the new version and tested
> with the confidential client using PKCE, the client gets only
>
> status: 401, body:
> {"error":"invalid_client","error_description":"Client authentication
> failed; not authenticated"})
>
> using PKCE or not. Other applications, which did not use PKCE are
> working well. In log files I see only:
>
> 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG
> unity.server.core.ClientIPSettingHandler: Handling client XXXXX
> request to URL /oauth2/token
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> unity.server.rest.AuthenticationInterceptor: Client authentication
> attempt using flow pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> unity.server.rest.AuthenticationInterceptor: Client authentication
> attempt using authenticator pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> unity.server.rest.AuthenticationInterceptor: Not defined credential
> for pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG
> unity.server.rest.AuthenticationInterceptor: Request to an address
> with optional authentication - /oauth2/token - invocation will
> proceed without authentication
> 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG
> unity.server.oauth.BaseOAuthResource: Retuning OAuth error response:
> invalid_client: Client authentication failed; not authenticated
>
> Checking the client, the credential is well defined and login on
> userhome works. The password does not contain any character, which
> may cause trouble in encoding. Do you have any idea what causes this
> issue?
>
> Best regards,
> Sander
>
> On Thu, 2024-03-07 at 12:11 +0100, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > > Hi Krzysztof, hi Roman,
> > >
> > > we got the hint from one of our connected clients that unity does
> > > not check the client secret in the authentication flow. This would
> > > be a huge security issue. The client is a confidential client with
> > > optional PKCE. The operators told us unity is not checking the
> > > secret even if they disable PKCE for it. Is there any scenario
> > > where unity does not check the client secrets in the requests?
> >
> > Yes, I can confirm that. A regression introduced when adding support
> > for PKCE for confidential clients.
> >
> > We will release a fixed version ASAP.
> >
> > > I know in the past we had some issues with missing basic auth header
> > > or passwords containing special characters, which were not properly
> > > encoded and unity did not accept their requests.
> > >
> > > Another issue which was also re-opened was checking the token
> > > signature at the userinfo endpoint. In May 2022 Roman said unity is
> > > only checking the JTI against its internal database and using the
> > > information from that but not further checking the sent token. Here
> > > we got the question if there was an update of this behaviour.
> >
> > I don't think so, but I'll let Roman answer.
> >
> > Best,
> > Krzysztof
> >
>
--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2024-03-15 12:26:45
Hi Krzysztof,
thanks for the fast fix. After we deployed the new version and tested
with the confidential client using PKCE, the client gets only
status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})
using PKCE or not. Other applications, which did not use PKCE are
working well. In log files I see only:
2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
Checking the client, the credential is well defined and login on
userhome works. The password does not contain any character, which may
cause trouble in encoding. Do you have any idea what causes this issue?
Best regards,
Sander
On Thu, 2024-03-07 at 12:11 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > we got the hint from one of our connected clients that unity does
> > not check the client secret in the authentication flow. This would be a
> > huge security issue. The client is a confidential client with
> > optional PKCE. The operators told us unity is not checking the secret
> > even if they disable PKCE for it. Is there any scenario where unity
> > does not check the client secrets in the requests?
>
> Yes, I can confirm that. A regression introduced when adding support
> for PKCE for confidential clients.
>
> We will release a fixed version ASAP.
>
> > I know in the past we had some issues with missing basic auth header or
> > passwords containing special characters, which were not properly
> > encoded and unity did not accept their requests.
> >
> > Another issue which was also re-opened was checking the token
> > signature at the userinfo endpoint. In May 2022 Roman said unity is
> > only checking the JTI against its internal database and using the
> > information from that but not further checking the sent token. Here we
> > got the question if there was an update of this behaviour.
>
> I don't think so, but I'll let Roman answer.
>
> Best,
> Krzysztof
>
--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2024-03-13 20:32:47
Dear Subscribers,
Unity 3.15.1 was published today.
This release includes fixes for the following problems:
* regression causing the OAuth confidential client credential to not
always be deemed mandatory
* mixing up separators and headers defined on a sign-in page of a
service/IdP edited in Console
* not shown policy agreements after remote registration, if only the
agreements were supposed to be shown
* SCIM endpoint configuration in Console allows now for importing a
previously exported Unity schema together with configured mappings;
so far only the core, standard SCIM schema import was supported there.
Additionally, Java 21 is supported as a runtime platform. This means
Unity 3.15.1 can be run on Java 11, 17 and 21. Support for Java 11 will
be dropped in the upcoming Unity 4.
More details and all necessary links are available at
https://unity-idm.eu/releases/release-3-15-1/
Best regards,
Krzysztof
From: Roman K. <ro...@un...> - 2024-03-11 11:48:42
Hi Sander,

We took a closer look at the "checking the JTI against its internal database" topic. In general we do not see this as a potential vulnerability, or at least the same as guessing the access token itself. This could indeed be a problem if the JTI is exposed e.g. in logs OR in case users in possession of a JTI should have privileges to query user info.

We do see however room for improvement, where Unity could validate if the JWT token as a whole is the same as the one published by Unity. I'll open an enhancement ticket to cover that.

Best,
Roman

Thu, 7 Mar 2024 at 12:11 Krzysztof Benedyczak <kb...@un...> wrote:
> Hi Sander,
>
> On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > we got the hint from one of our connected clients that unity does not
> > check the client secret in the authentication flow. This would be a
> > huge security issue. The client is a confidential client with optional
> > PKCE. The operators told us unity is not checking the secret even if
> > they disable PKCE for it. Is there any scenario where unity does not
> > check the client secrets in the requests?
>
> Yes, I can confirm that. A regression introduced when adding support for
> PKCE for confidential clients.
>
> We will release a fixed version ASAP.
>
> > I know in the past we had some issues with missing basic auth header or
> > passwords containing special characters, which were not properly encoded
> > and unity did not accept their requests.
> >
> > Another issue which was also re-opened was checking the token signature
> > at the userinfo endpoint. In May 2022 Roman said unity is only checking
> > the JTI against its internal database and using the information from
> > that but not further checking the sent token. Here we got the question
> > if there was an update of this behaviour.
>
> I don't think so, but I'll let Roman answer.
>
> Best,
> Krzysztof
>
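Roman's message above describes two ways a userinfo endpoint can treat a presented token: look up its `jti` in the server's own store and answer from that record, or verify the token first and then additionally require it to be identical to the one that was issued. As an added example (not Unity's code and not part of this thread), the block below implements both side by side so the difference is testable: the weak lookup answers a crafted token that merely carries a known `jti` as if it were the real user, which is exactly the "JTI exposed in logs" case Roman names; the hardened variant verifies algorithm, signature, issuer and expiry and then does the whole-token comparison he proposes. HS256 (HMAC) is used only to keep the example self-contained; an OP that publishes a jwks signs with an asymmetric algorithm, and the checks are the same. The issuer, key, claims and tokens are all constructed.

```python
"""Userinfo endpoint: jti-only lookup next to full token verification.

Added example, not Unity's code. userinfo_weak() reproduces a lookup that
trusts the jti of an unverified payload; userinfo_hardened() verifies the
JWS first and then requires an exact match with the issued token, as the
enhancement discussed in the thread. HS256 is a self-containment
simplification; all key material and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

ISSUER = "https://unity.example.org/oauth2"              # constructed
SIGNING_KEY = b"constructed-hmac-key-not-for-production"  # constructed


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def issue(store: dict, claims: dict) -> str:
    """Issue a token and record it under its jti, as the server would."""
    token = sign_jwt(claims, SIGNING_KEY)
    store[claims["jti"]] = {"token": token, "sub": claims["sub"], "exp": claims["exp"]}
    return token


def userinfo_weak(token: str, store: dict) -> Optional[dict]:
    """Trusts the jti of an unverified payload: whoever learns a jti can
    present a token carrying it and is answered as that user."""
    try:
        payload = json.loads(_unb64url(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    record = store.get(payload.get("jti"))
    return None if record is None else {"sub": record["sub"]}


def userinfo_hardened(token: str, store: dict, now: int) -> Optional[dict]:
    """Verify alg, signature, issuer and expiry before consulting the store,
    then require the presented token to be exactly the issued one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        payload = json.loads(_unb64url(payload_b64))
        presented_sig = _unb64url(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # the server, not the token, picks the algorithm
        return None
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return None
    if payload.get("iss") != ISSUER or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    record = store.get(payload.get("jti"))
    if record is None or not hmac.compare_digest(record["token"].encode(), token.encode()):
        return None  # unknown, revoked, or not the token this server issued
    return {"sub": record["sub"]}


def demo() -> dict:
    """A genuine token and a crafted one reusing its jti, judged by both variants."""
    store = {}
    now = 1_710_500_000  # constructed clock
    genuine = issue(store, {"iss": ISSUER, "sub": "alice", "jti": "a1b2c3-constructed", "exp": now + 600})
    crafted = sign_jwt({"iss": ISSUER, "sub": "mallory", "jti": "a1b2c3-constructed", "exp": now + 600},
                       b"some-other-key")
    return {
        "genuine_weak": userinfo_weak(genuine, store),
        "genuine_hardened": userinfo_hardened(genuine, store, now),
        "crafted_weak": userinfo_weak(crafted, store),
        "crafted_hardened": userinfo_hardened(crafted, store, now),
    }


if __name__ == "__main__":
    print(demo())
```

Note the store lookup still happens after signature verification: the signature proves the server issued a token with those claims, the exact-match check proves this is that token and it has not been revoked since, and the expiry is checked from the claims rather than from the record so a replaced record cannot extend a token's life.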
From: Krzysztof B. <kb...@un...> - 2024-03-07 11:11:24
Hi Sander,

On 6.03.2024 at 13:05, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
>
> we got the hint from one of our connected clients that unity does not
> check the client secret in the authentication flow. This would be a
> huge security issue. The client is a confidential client with optional
> PKCE. The operators told us unity is not checking the secret even if
> they disable PKCE for it. Is there any scenario where unity does not
> check the client secrets in the requests?

Yes, I can confirm that. A regression introduced when adding support for PKCE for confidential clients.

We will release a fixed version ASAP.

> I know in the past we had some issues with missing basic auth header or
> passwords containing special characters, which were not properly encoded
> and unity did not accept their requests.
>
> Another issue which was also re-opened was checking the token signature
> at the userinfo endpoint. In May 2022 Roman said unity is only checking
> the JTI against its internal database and using the information from
> that but not further checking the sent token. Here we got the question
> if there was an update of this behaviour.

I don't think so, but I'll let Roman answer.

Best,
Krzysztof
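The regression confirmed above, a confidential client's secret no longer being mandatory once PKCE support for confidential clients was added, is a general class of token-endpoint bug: a passing PKCE check is allowed to stand in for client authentication. As an added example (not Unity's code, and not a reconstruction of the actual regression), the block below puts a minimal decision with that shape next to the corrected one, which applies RFC 6749 §2.3 and RFC 7636 as written: a confidential client must always present a valid secret, PKCE is verified in addition whenever the authorization code was bound to a challenge, and a public client is authenticated by PKCE alone. Client ids, the secret and the store of bound challenges are constructed; the verifier string is the RFC 7636 Appendix B vector.

```python
"""Token-endpoint client authentication: a weak decision next to the corrected one.

Added example, not Unity's code. authenticate_weak() illustrates the bug
class the thread reports (PKCE success short-circuits the secret check);
authenticate_hardened() keeps the secret mandatory for confidential
clients and treats PKCE as an independent, additional check.
All clients, secrets and challenges are constructed sample data.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    secret: Optional[str] = None      # only confidential clients hold one


@dataclass(frozen=True)
class TokenRequest:
    client_id: str
    client_secret: Optional[str]      # from HTTP Basic or the request body
    code_verifier: Optional[str]      # present when the client uses PKCE
    bound_challenge: Optional[str]    # S256 challenge stored with the auth code, if any


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), RFC 7636 section 4.2."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_valid(req: TokenRequest) -> bool:
    """True when the code carried no challenge (PKCE optional for this client)
    or the supplied verifier reproduces the bound challenge."""
    if req.bound_challenge is None:
        return True
    if req.code_verifier is None:
        return False
    return hmac.compare_digest(s256_challenge(req.code_verifier), req.bound_challenge)


def _secret_ok(client: Client, req: TokenRequest) -> bool:
    if client.secret is None or req.client_secret is None:
        return False
    return hmac.compare_digest(req.client_secret.encode("utf-8"), client.secret.encode("utf-8"))


def authenticate_weak(client: Client, req: TokenRequest) -> Tuple[bool, Optional[str]]:
    """Bug class: once a verifier is present, PKCE alone decides and the
    confidential client's secret is never examined."""
    if req.code_verifier is not None:
        return (True, None) if pkce_valid(req) else (False, "invalid_grant")
    if client.confidential:
        return (True, None) if _secret_ok(client, req) else (False, "invalid_client")
    return (True, None)


def authenticate_hardened(client: Client, req: TokenRequest) -> Tuple[bool, Optional[str]]:
    """Secret mandatory for confidential clients regardless of PKCE; PKCE
    checked independently; public clients must have used PKCE."""
    if client.confidential:
        if not _secret_ok(client, req):
            return (False, "invalid_client")
    elif req.bound_challenge is None:
        return (False, "invalid_request")  # public client without PKCE: nothing authenticates it
    if not pkce_valid(req):
        return (False, "invalid_grant")
    return (True, None)


# constructed sample data
CONFIDENTIAL = Client("ceph-rgw", confidential=True, secret="s3cret-constructed")
PUBLIC = Client("spa-frontend", confidential=False)
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B example verifier


def demo() -> dict:
    """One request, judged by both variants: PKCE correct, secret missing."""
    no_secret = TokenRequest(CONFIDENTIAL.client_id, None, VERIFIER, s256_challenge(VERIFIER))
    return {"weak": authenticate_weak(CONFIDENTIAL, no_secret),
            "hardened": authenticate_hardened(CONFIDENTIAL, no_secret)}


if __name__ == "__main__":
    print(demo())
```

The log excerpt earlier in the thread ("Not defined credential for pwd" followed by "invocation will proceed without authentication") is the observable symptom of the opposite failure mode after the fix, a confidential client arriving without a usable credential; in the hardened variant that request stops at `invalid_client` before PKCE is even considered, which matches the 401 the clients reported.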
From: Sander A. <sa....@fz...> - 2024-03-06 12:06:17
Hi Krzysztof, hi Roman,

we got the hint from one of our connected clients that unity does not check the client secret in the authentication flow. This would be a huge security issue. The client is a confidential client with optional PKCE. The operators told us unity is not checking the secret even if they disable PKCE for it. Is there any scenario where unity does not check the client secrets in the requests?

I know in the past we had some issues with missing basic auth header or passwords containing special characters, which were not properly encoded and unity did not accept their requests.

Another issue which was also re-opened was checking the token signature at the userinfo endpoint. In May 2022 Roman said unity is only checking the JTI against its internal database and using the information from that but not further checking the sent token. Here we got the question if there was an update of this behaviour.

Best regards,
Sander
--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...