From: Laura H. <l....@fz...> - 2023-07-26 11:18:01

Hi Krzysztof,

we wanted to recreate the error, but it seems to be working now. The application error does not appear anymore.

Best regards,
Laura

On 26.07.23 at 13:15, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> Are there any updates on the below topic?
>
> We have some nice performance improvements prepared, that should help
> with your perf-problems, but I'd prefer to release them only after
> investigating this issue, which sounds critical.
>
> Best,
> Krzysztof
>
> On 19.06.2023 at 11:46, Sander Apweiler wrote:
>> Dear Roman,
>> not yet since we are quite busy with preparing a summer school. Maybe
>> later next week.
>>
>> Best regards,
>> Sander
>>
>> On Mon, 2023-06-19 at 11:40 +0200, Roman Krysiński wrote:
>>> Dear Sander,
>>>
>>> Are there any news with regards to additional information?
>>>
>>> Thank you,
>>> Roman
>>>
>>> Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
>>>> Dear Krzysztof,
>>>> we will bring the information as soon as possible.
>>>>
>>>> Best regards,
>>>> Sander
>>>>
>>>> On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
>>>>> Dear Laura, Sander,
>>>>>
>>>>> On 6.06.2023 at 13:19, Laura Hofer wrote:
>>>>>> Dear Krzysztof, Dear Roman,
>>>>>>
>>>>>> we were just about to install unity 3.13.0 and then start testing. To
>>>>>> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
>>>>>> 3.13.0. After that, we received an application error message when
>>>>>> logging in (see attached screenshot). Unfortunately we could not find
>>>>>> any error message in the stack trace, so we switched back to 3.12.0.
>>>>>> There we got the same error message at login, but then we could also
>>>>>> find an error message in the stack trace. This is also attached as a
>>>>>> txt file.
>>>>> So we have found the problem in 3.12 causing your error. We can fix it,
>>>>> no problem, however I don't think it makes a lot of sense: it is a minor
>>>>> bug, which will only occur on a database which was run on 3.13, and then
>>>>> used in 3.12. This problem on 3.12 is also for sure 100% not related to
>>>>> the (serious) sign-in problem you observed on 3.13.
>>>>>
>>>>> That said, to investigate the real issue we need to get back to 3.13,
>>>>> and diagnose the problem in there. In case of error like in your
>>>>> screenshot, you should rather get a stacktrace or at least ERROR message
>>>>> in log. It is possible we have some omission in logging, but unlikely.
>>>>>
>>>>> Can you please first enable debug logging, then repeat your failing
>>>>> sign-in on 3.13 and inspect log files one more time (or share it with
>>>>> us)? We need to find some clues on what is failing. Without access to
>>>>> your database it will be the only way forward.
>>>>>
>>>>> Best,
>>>>> Krzysztof

--
Juelich Supercomputing Centre
Institute for Advanced Simulation
Forschungszentrum Juelich GmbH
52425 Juelich, Germany
E-Mail: l....@fz...
Phone: +49 2461 61-6576
Fax: +49 2461 61-6656
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens, Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------

From: Krzysztof B. <kb...@un...> - 2023-07-26 11:16:07

Hi Sander,

Are there any updates on the below topic?

We have some nice performance improvements prepared, that should help with your perf-problems, but I'd prefer to release them only after investigating this issue, which sounds critical.

Best,
Krzysztof

On 19.06.2023 at 11:46, Sander Apweiler wrote:
> Dear Roman,
> not yet since we are quite busy with preparing a summer school. Maybe
> later next week.
>
> Best regards,
> Sander
>
> On Mon, 2023-06-19 at 11:40 +0200, Roman Krysiński wrote:
>> Dear Sander,
>>
>> Are there any news with regards to additional information?
>>
>> Thank you,
>> Roman
>>
>> Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
>>> Dear Krzysztof,
>>> we will bring the information as soon as possible.
>>>
>>> Best regards,
>>> Sander
>>>
>>> On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
>>>> Dear Laura, Sander,
>>>>
>>>> On 6.06.2023 at 13:19, Laura Hofer wrote:
>>>>> Dear Krzysztof, Dear Roman,
>>>>>
>>>>> we were just about to install unity 3.13.0 and then start testing. To
>>>>> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
>>>>> 3.13.0. After that, we received an application error message when
>>>>> logging in (see attached screenshot). Unfortunately we could not find
>>>>> any error message in the stack trace, so we switched back to 3.12.0.
>>>>> There we got the same error message at login, but then we could also
>>>>> find an error message in the stack trace. This is also attached as a
>>>>> txt file.
>>>> So we have found the problem in 3.12 causing your error. We can fix it,
>>>> no problem, however I don't think it makes a lot of sense: it is a minor
>>>> bug, which will only occur on a database which was run on 3.13, and then
>>>> used in 3.12. This problem on 3.12 is also for sure 100% not related to
>>>> the (serious) sign-in problem you observed on 3.13.
>>>>
>>>> That said, to investigate the real issue we need to get back to 3.13,
>>>> and diagnose the problem in there. In case of error like in your
>>>> screenshot, you should rather get a stacktrace or at least ERROR message
>>>> in log. It is possible we have some omission in logging, but unlikely.
>>>>
>>>> Can you please first enable debug logging, then repeat your failing
>>>> sign-in on 3.13 and inspect log files one more time (or share it with
>>>> us)? We need to find some clues on what is failing. Without access to
>>>> your database it will be the only way forward.
>>>>
>>>> Best,
>>>> Krzysztof

From: Sander A. <sa....@fz...> - 2023-07-17 09:09:36

Ok, just read in the manual, that separator is skipped when using other text elements.

On Mon, 2023-07-17 at 11:06 +0200, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we are setting up a new service and while creating the endpoint layout
> we recognized that separators are not shown. Additionally the text from
> _HEADER_H1 and _SEPARATOR_OR are somehow linked. Changing one of them
> changes the other one as well. Since we are not using them on other
> instance, we do not know if this problem starts with 3.13 or earlier.
>
> Best regards,
> Sander
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-07-17 09:06:36

Hi Krzysztof,
hi Roman,

we are setting up a new service and while creating the endpoint layout we recognized that separators are not shown. Additionally the text from _HEADER_H1 and _SEPARATOR_OR are somehow linked. Changing one of them changes the other one as well. Since we are not using them on other instance, we do not know if this problem starts with 3.13 or earlier.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2023-07-12 10:39:18

Hi Sander,

On 6.07.2023 at 12:18, Sander Apweiler wrote:
> Hi Krzysztof,
> we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity
> interacts as proxy. User can sign in with all of them, but using home
> IdP can give already access to resources. We can not use the account
> linking because the user must lose access to the resources, when they
> leave the home organisation.
>
> We have some services which already want to have the ORCID ID of the
> user. Of course we can create an attribute and user needs to enter it
> manually during sign up or later in userhome endpoint. But manual steps
> offer the option for mistakes. So our question would be if there is a
> way to get the ID from ORCID directly, like the sign up using ORCID,
> but without account linking.

Hmm, I was close to write this is not doable, but I realized I don't understand the scenario.

So on one hand you want to keep the feature to sign in using ORCID as an alternative to sign-in using your home org IdP. Right? This means that you need those two sign-in methods supported and also both should be linked to the same entity in Unity. At the same time if ORCID id is only stored as a plain attribute, users won't be able to login with ORCID.

What do I miss? Isn't it just a deprovisioning concern, that after user leaves home-org, some aspects of the Unity account should be removed so authZ is lost to relevant items?

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-07-06 10:19:16

Hi Krzysztof,

we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity interacts as proxy. User can sign in with all of them, but using home IdP can give already access to resources. We can not use the account linking because the user must lose access to the resources, when they leave the home organisation.

We have some services which already want to have the ORCID ID of the user. Of course we can create an attribute and user needs to enter it manually during sign up or later in userhome endpoint. But manual steps offer the option for mistakes. So our question would be if there is a way to get the ID from ORCID directly, like the sign up using ORCID, but without account linking.

Best regards,
Sander

On Thu, 2023-07-06 at 12:00 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 6.07.2023 at 10:42, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we see a growing number of requests to the ORCID ID of researchers and
> > services who want this information from the IdM system. The primary
> > identity of the users is bound to the home organisation. Since there
> > are resources bound to these identities, we do not want to perform
> > account linking, unless we can remove all privileges, based on the
> > organisation login, of the users, if the user left the organisation.
> > ORCID login is an alternative for researchers where the home
> > organisation does not release all mandatory attributes.
> >
> > Is it possible to get the ID directly from ORCID and storing this as
> > attribute, without account/identity linking?
>
> I'm not sure if I understand the scenario. Can you describe the flow
> precisely? I wonder how and when Unity instance shall authorize to ORCID
> to get this identity info?
>
> I understand that you have a user that has some home IdP + ORCID id.
> This user can login via Unity acting as a proxy to home IdP. And now how
> ORCID fits here?
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-07-06 10:06:29

Hi Krzysztof,

I already assumed, that it is not possible. Thanks for the information.

Best regards,
Sander

On Thu, 2023-07-06 at 11:57 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 5.07.2023 at 13:15, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we have a group in our instance who asked if it is possible to enforce
> > MFA for all their members. I know unity can enforce MFA on a specific
> > endpoint/realm, but I don't know a possibility to enforce it to users
> > from a specific group. Can you confirm this or explain how it would
> > work?
>
> Unfortunately it is not supported. Of course you can enable "MFA user
> opt in" for all group users, but that can't be automated (and so will
> require additional action when a new user is added).
>
> An improved solution would be to make management of the MFA opt in also
> possible using a regular attribute. Then one would be able to setup
> attribute statement on the root group to set this MFA opt in to true for
> all members of a given group (or basing on any other condition). But
> this will require additional MFA policies too, and we need a chain of
> decisions what happens in case of conflicts (e.g. user of that group has
> no 2F credential or unset her MFA opt-in). Most likely a more
> sophisticated policies in authN flows would be needed as well.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2023-07-06 10:00:54

Hi Sander,

On 6.07.2023 at 10:42, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we see a growing number of requests to the ORCID ID of researchers and
> services who want this information from the IdM system. The primary
> identity of the users is bound to the home organisation. Since there
> are resources bound to these identities, we do not want to perform
> account linking, unless we can remove all privileges, based on the
> organisation login, of the users, if the user left the organisation.
> ORCID login is an alternative for researchers where the home
> organisation does not release all mandatory attributes.
>
> Is it possible to get the ID directly from ORCID and storing this as
> attribute, without account/identity linking?

I'm not sure if I understand the scenario. Can you describe the flow precisely? I wonder how and when Unity instance shall authorize to ORCID to get this identity info?

I understand that you have a user that has some home IdP + ORCID id. This user can login via Unity acting as a proxy to home IdP. And now how ORCID fits here?

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-07-06 09:58:13

Hi Sander,

On 5.07.2023 at 13:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we have a group in our instance who asked if it is possible to enforce
> MFA for all their members. I know unity can enforce MFA on a specific
> endpoint/realm, but I don't know a possibility to enforce it to users
> from a specific group. Can you confirm this or explain how it would
> work?

Unfortunately it is not supported. Of course you can enable "MFA user opt in" for all group users, but that can't be automated (and so will require additional action when a new user is added).

An improved solution would be to make management of the MFA opt in also possible using a regular attribute. Then one would be able to setup attribute statement on the root group to set this MFA opt in to true for all members of a given group (or basing on any other condition). But this will require additional MFA policies too, and we need a chain of decisions what happens in case of conflicts (e.g. user of that group has no 2F credential or unset her MFA opt-in). Most likely a more sophisticated policies in authN flows would be needed as well.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-07-06 08:42:13

Hi Krzysztof, hi Roman,

we see a growing number of requests to the ORCID ID of researchers and services who want this information from the IdM system. The primary identity of the users is bound to the home organisation. Since there are resources bound to these identities, we do not want to perform account linking, unless we can remove all privileges, based on the organisation login, of the users, if the user left the organisation. ORCID login is an alternative for researchers where the home organisation does not release all mandatory attributes.

Is it possible to get the ID directly from ORCID and storing this as attribute, without account/identity linking?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-07-05 11:16:14

Hi Krzysztof, hi Roman,

we have a group in our instance who asked if it is possible to enforce MFA for all their members. I know unity can enforce MFA on a specific endpoint/realm, but I don't know a possibility to enforce it to users from a specific group. Can you confirm this or explain how it would work?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-06-19 09:46:56

Dear Roman,

not yet since we are quite busy with preparing a summer school. Maybe later next week.

Best regards,
Sander

On Mon, 2023-06-19 at 11:40 +0200, Roman Krysiński wrote:
> Dear Sander,
>
> Are there any news with regards to additional information?
>
> Thank you,
> Roman
>
> Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
> > Dear Krzysztof,
> > we will bring the information as soon as possible.
> >
> > Best regards,
> > Sander
> >
> > On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
> > > Dear Laura, Sander,
> > >
> > > On 6.06.2023 at 13:19, Laura Hofer wrote:
> > > > Dear Krzysztof, Dear Roman,
> > > >
> > > > we were just about to install unity 3.13.0 and then start testing. To
> > > > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > > > 3.13.0. After that, we received an application error message when
> > > > logging in (see attached screenshot). Unfortunately we could not find
> > > > any error message in the stack trace, so we switched back to 3.12.0.
> > > > There we got the same error message at login, but then we could also
> > > > find an error message in the stack trace. This is also attached as a
> > > > txt file.
> > >
> > > So we have found the problem in 3.12 causing your error. We can fix it,
> > > no problem, however I don't think it makes a lot of sense: it is a minor
> > > bug, which will only occur on a database which was run on 3.13, and then
> > > used in 3.12. This problem on 3.12 is also for sure 100% not related to
> > > the (serious) sign-in problem you observed on 3.13.
> > >
> > > That said, to investigate the real issue we need to get back to 3.13,
> > > and diagnose the problem in there. In case of error like in your
> > > screenshot, you should rather get a stacktrace or at least ERROR message
> > > in log. It is possible we have some omission in logging, but unlikely.
> > >
> > > Can you please first enable debug logging, then repeat your failing
> > > sign-in on 3.13 and inspect log files one more time (or share it with
> > > us)? We need to find some clues on what is failing. Without access to
> > > your database it will be the only way forward.
> > >
> > > Best,
> > > Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Roman K. <ro...@un...> - 2023-06-19 09:41:07

Dear Sander,

Are there any news with regards to additional information?

Thank you,
Roman

Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
> Dear Krzysztof,
> we will bring the information as soon as possible.
>
> Best regards,
> Sander
>
> On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
> > Dear Laura, Sander,
> >
> > On 6.06.2023 at 13:19, Laura Hofer wrote:
> > > Dear Krzysztof, Dear Roman,
> > >
> > > we were just about to install unity 3.13.0 and then start testing. To
> > > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > > 3.13.0. After that, we received an application error message when
> > > logging in (see attached screenshot). Unfortunately we could not find
> > > any error message in the stack trace, so we switched back to 3.12.0.
> > > There we got the same error message at login, but then we could also
> > > find an error message in the stack trace. This is also attached as a
> > > txt file.
> >
> > So we have found the problem in 3.12 causing your error. We can fix it,
> > no problem, however I don't think it makes a lot of sense: it is a minor
> > bug, which will only occur on a database which was run on 3.13, and then
> > used in 3.12. This problem on 3.12 is also for sure 100% not related to
> > the (serious) sign-in problem you observed on 3.13.
> >
> > That said, to investigate the real issue we need to get back to 3.13,
> > and diagnose the problem in there. In case of error like in your
> > screenshot, you should rather get a stacktrace or at least ERROR message
> > in log. It is possible we have some omission in logging, but unlikely.
> >
> > Can you please first enable debug logging, then repeat your failing
> > sign-in on 3.13 and inspect log files one more time (or share it with
> > us)? We need to find some clues on what is failing. Without access to
> > your database it will be the only way forward.
> >
> > Best,
> > Krzysztof
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-06-19 08:51:16

Hi Krzysztof,

the login using ORCID is working again without any changes. Maybe it was just a problem on ORCID side.

Best regards,
Sander

On Thu, 2023-06-15 at 13:34 +0200, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we encountered a problem using ORCID for authentication.
> The login is failing and the logs (see below) give an error about
> missing access_token and it seems that ORCID is returning an unauthorized
> message. I checked my settings at ORCID and I do not see issues with the
> registered client or in my account. Do you know if they changed
> something at the API? We are still running unity 3.11.2.
>
> 2023-06-15T13:20:30,649 [qtp1372725646-3068] INFO unity.server.oauth.RedirectRequestHandler: Starting OAuth redirection to OAuth provider https://orcid.org/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Flogin.helmholtz.de%2Funitygw%2Foauth2ResponseConsumer&state=7d7a2760-5389-433a-a6f1-0bfdd356589b&client_id=APP-FW26H90Q59NZDYOY&scope=%2Fauthenticate&show_login=true
> 2023-06-15T13:20:50,368 [qtp1372725646-3019] WARN unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
>
> 2023-06-15T13:20:50,368 [qtp1372725646-3019] INFO unity.server.oauth.OAuth2Verificator: OAuth2 authorization code verification or processing failed
> pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: Problem during user information retrieval
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:334) ~[unity-server-oauth-3.11.2.jar:?]
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.verifyOAuthAuthzResponse(OAuth2Verificator.java:262) ~[unity-server-oauth-3.11.2.jar:?]
>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.processResponse(OAuth2Verificator.java:243) ~[unity-server-oauth-3.11.2.jar:?]
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.r > un(ReservedThreadExecutor.java:411) ~[jetty-util-10.0.12.jar:10.0.12] > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPoo > l.java:933) ~[jetty-util-10.0.12.jar:10.0.12] > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThrea > dPool.java:1077) ~[jetty-util-10.0.12.jar:10.0.12] > at java.lang.Thread.run(Thread.java:829) ~[?:?] > Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON > object member with key access_token > at > com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUti > ls.java:152) ~[oauth2-oidc-sdk-9.41.jar:9.41] > at > com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getString(JSONObjectUtil > s.java:428) ~[oauth2-oidc-sdk-9.41.jar:9.41] > at > com.nimbusds.oauth2.sdk.token.AccessTokenUtils.parseValue(AccessToken > Utils.java:68) ~[oauth2-oidc-sdk-9.41.jar:9.41] > at > com.nimbusds.oauth2.sdk.token.BearerAccessToken.parse(BearerAccessTok > en.java:210) ~[oauth2-oidc-sdk-9.41.jar:9.41] > at > com.nimbusds.oauth2.sdk.token.AccessToken.parse(AccessToken.java:358) > ~[oauth2-oidc-sdk-9.41.jar:9.41] > at > com.nimbusds.oauth2.sdk.token.Tokens.parse(Tokens.java:235) ~[oauth2- > oidc-sdk-9.41.jar:9.41] > at > com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse > .java:198) ~[oauth2-oidc-sdk-9.41.jar:9.41] > at > pl.edu.icm.unity.oauth.client.OAuth2Verificator.getAccessTokenAndProf > ilePlain(OAuth2Verificator.java:485) ~[unity-server-oauth- > 3.11.2.jar:?] > at > pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthentica > tedInput(OAuth2Verificator.java:331) ~[unity-server-oauth- > 3.11.2.jar:?] > ... 
48 more > 2023-06-15T13:20:50,369 [qtp1372725646-3019] INFO > unity.server.authn.InteractiveAuthneticationProcessorImpl: > Authentication failure: AuthenticationProcessorImpl.authnFailed deny > > > Best regards, > Sander > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Stefan Müller Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens, Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
From: Sander A. <sa....@fz...> - 2023-06-15 11:34:56
|
Hi Krzysztof, hi Roman,
we encountered a problem using ORCID for authentication. The login is failing and the logs (see below) give an error about missing access_token and it seems that ORCID is returning an unauthorized message. I checked my settings at ORCID and I do not see issues with the registered client or in my account. Do you know if they changed something at the API? We are still running unity 3.11.2.

2023-06-15T13:20:30,649 [qtp1372725646-3068] INFO unity.server.oauth.RedirectRequestHandler: Starting OAuth redirection to OAuth provider https://orcid.org/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Flogin.helmholtz.de%2Funitygw%2Foauth2ResponseConsumer&state=7d7a2760-5389-433a-a6f1-0bfdd356589b&client_id=APP-FW26H90Q59NZDYOY&scope=%2Fauthenticate&show_login=true
2023-06-15T13:20:50,368 [qtp1372725646-3019] WARN unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
2023-06-15T13:20:50,368 [qtp1372725646-3019] INFO unity.server.oauth.OAuth2Verificator: OAuth2 authorization code verification or processing failed
pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: Problem during user information retrieval
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:334) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.verifyOAuthAuthzResponse(OAuth2Verificator.java:262) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.processResponse(OAuth2Verificator.java:243) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.11.2.jar:?]
    at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.11.2.jar:?]
    at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.11.2.jar:?]
    at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.11.2.jar:?]
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) ~[jetty-servlet-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.11.2.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:301) ~[jetty-rewrite-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.Server.handle(Server.java:563) ~[jetty-server-10.0.12.jar:10.0.12]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:195) ~[unity-server-engine-3.11.2.jar:?]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282) ~[jetty-server-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) ~[jetty-io-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:139) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:933) ~[jetty-util-10.0.12.jar:10.0.12]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1077) ~[jetty-util-10.0.12.jar:10.0.12]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key access_token
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:152) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getString(JSONObjectUtils.java:428) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.AccessTokenUtils.parseValue(AccessTokenUtils.java:68) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.BearerAccessToken.parse(BearerAccessToken.java:210) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.AccessToken.parse(AccessToken.java:358) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.token.Tokens.parse(Tokens.java:235) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse.java:198) ~[oauth2-oidc-sdk-9.41.jar:9.41]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getAccessTokenAndProfilePlain(OAuth2Verificator.java:485) ~[unity-server-oauth-3.11.2.jar:?]
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:331) ~[unity-server-oauth-3.11.2.jar:?]
    ... 48 more
2023-06-15T13:20:50,369 [qtp1372725646-3019] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
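The failure chain in the log above can be triaged mechanically. The following is an added example, not part of the original post and not Unity's own code: it pairs the token endpoint error body logged on a worker thread with the `Caused by` line that follows on the same thread, and checks the error code against the RFC 6749 section 5.2 list. Function names and verdict labels are assumptions of this example; the embedded sample is an excerpt constructed from the log lines quoted in the message.

```python
import json
import re

# Token endpoint error codes defined by RFC 6749, section 5.2.
RFC6749_TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

# Layout of the log lines quoted in the message: timestamp [thread] LEVEL logger: text
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:,]+) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) +(?P<logger>[\w.$]+): (?P<msg>.*)$"
)
ERROR_BODY = re.compile(r"Error received\. Contents: (?P<body>\{.*\})\s*$")

# Constructed sample: excerpt of the log in the message, stack trace trimmed to one frame.
SAMPLE_LOG = """\
2023-06-15T13:20:50,368 [qtp1372725646-3019] WARN unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
2023-06-15T13:20:50,368 [qtp1372725646-3019] INFO unity.server.oauth.OAuth2Verificator: OAuth2 authorization code verification or processing failed
pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: Problem during user information retrieval
    at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:334) ~[unity-server-oauth-3.11.2.jar:?]
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key access_token
2023-06-15T13:20:50,369 [qtp1372725646-3019] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
"""


def classify_token_response(body):
    """Classify a token endpoint body as success, error or malformed."""
    try:
        obj = json.loads(body)
    except ValueError:
        return {"kind": "malformed", "reason": "not JSON"}
    if not isinstance(obj, dict):
        return {"kind": "malformed", "reason": "not a JSON object"}
    if "error" in obj:
        code = str(obj["error"])
        return {"kind": "error", "code": code,
                "description": obj.get("error_description", ""),
                "standard_code": code in RFC6749_TOKEN_ERRORS}
    if "access_token" in obj and "token_type" in obj:
        return {"kind": "success"}
    return {"kind": "malformed", "reason": "neither token nor error member"}


def parse_records(log_text):
    """Split the log into records; stack trace lines attach to the record above."""
    records = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            rec = m.groupdict()
            rec["extra"] = []
            records.append(rec)
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records


def triage(log_text):
    """Return one finding per failed exchange, keyed on the worker thread."""
    findings, pending = [], {}
    for rec in parse_records(log_text):
        m = ERROR_BODY.search(rec["msg"])
        if m:  # remember what the provider sent until the failure record arrives
            pending[rec["thread"]] = classify_token_response(m.group("body"))
            continue
        causes = [l[len("Caused by: "):] for l in rec["extra"]
                  if l.startswith("Caused by: ")]
        if not causes:
            continue
        upstream = pending.pop(rec["thread"], None)
        if upstream and upstream["kind"] == "error":
            # The provider answered with an error object; the parse failure
            # is a consequence of reading that body as a token response.
            verdict = "provider_rejected_token_request"
        elif any("access_token" in c for c in causes):
            verdict = "unparseable_token_response"
        else:
            verdict = "other"
        findings.append({"time": rec["ts"], "thread": rec["thread"],
                         "verdict": verdict, "provider_error": upstream,
                         "root_cause": causes[-1]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```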
From: Sander A. <sa....@fz...> - 2023-06-12 08:35:27
|
Dear Krzysztof,
we will bring the information as soon as possible.

Best regards,
Sander

On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
> Dear Laura, Sander,
>
> On 6.06.2023 at 13:19, Laura Hofer wrote:
> > Dear Krzysztof, Dear Roman,
> >
> > we were just about to install unity 3.13.0 and then start testing. To
> > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > 3.13.0. After that, we received an application error message when
> > logging in (see attached screenshot). Unfortunately we could not find
> > any error message in the stack trace, so we switched back to 3.12.0.
> > There we got the same error message at login, but then we could also
> > find an error message in the stack trace. This is also attached as a
> > txt file.
>
> So we have found the problem in 3.12 causing your error. We can fix it,
> no problem, however I don't think it makes a lot of sense: it is a minor
> bug, which will only occur on a database which was run on 3.13, and then
> used in 3.12. This problem on 3.12 is also for sure 100% not related to
> the (serious) sign-in problem you observed on 3.13.
>
> That said, to investigate the real issue we need to get back to 3.13,
> and diagnose the problem in there. In case of error like in your
> screenshot, you should rather get a stacktrace or at least ERROR message
> in log. It is possible we have some omission in logging, but unlikely.
>
> Can you please first enable debug logging, then repeat your failing
> sign-in on 3.13 and inspect log files one more time (or share it with
> us)? We need to find some clues on what is failing. Without access to
> your database it will be the only way forward.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2023-06-08 08:16:54
|
Dear Laura, Sander,

On 6.06.2023 at 13:19, Laura Hofer wrote:
> Dear Krzysztof, Dear Roman,
>
> we were just about to install unity 3.13.0 and then start testing. To
> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> 3.13.0. After that, we received an application error message when
> logging in (see attached screenshot). Unfortunately we could not find
> any error message in the stack trace, so we switched back to 3.12.0.
> There we got the same error message at login, but then we could also
> find an error message in the stack trace. This is also attached as a
> txt file.

So we have found the problem in 3.12 causing your error. We can fix it, no problem, however I don't think it makes a lot of sense: it is a minor bug, which will only occur on a database which was run on 3.13, and then used in 3.12. This problem on 3.12 is also for sure 100% not related to the (serious) sign-in problem you observed on 3.13.

That said, to investigate the real issue we need to get back to 3.13, and diagnose the problem in there. In case of error like in your screenshot, you should rather get a stacktrace or at least ERROR message in log. It is possible we have some omission in logging, but unlikely.

Can you please first enable debug logging, then repeat your failing sign-in on 3.13 and inspect log files one more time (or share it with us)? We need to find some clues on what is failing. Without access to your database it will be the only way forward.

Best,
Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2023-06-07 11:17:14
|
Hi Sander,

On 7.06.2023 at 11:57, Sander Apweiler wrote:
> Dear Krzysztof,
>
> On Tue, 2023-06-06 at 14:54 +0200, Krzysztof Benedyczak wrote:
>> Dear Laura,
>>
>> On 6.06.2023 at 13:19, Laura Hofer wrote:
>>> Dear Krzysztof, Dear Roman,
>>>
>>> we were just about to install unity 3.13.0 and then start testing. To
>>> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
>>> 3.13.0. After that, we received an application error message when
>>> logging in (see attached screenshot). Unfortunately we could not find
>>> any error message in the stack trace, so we switched back to 3.12.0.
>>> There we got the same error message at login, but then we could also
>>> find an error message in the stack trace. This is also attached as a
>>> txt file.
>>
>> Thank you for the report. Most likely a regression caused by one of
>> recent big refactorings.
>>
>> Some questions:
>>
>> 1. The DB on which you run 3.12 (and got the attached stacktrace) was
>> used (and possibly modified) with 3.13 or not?
> Yes the database was used also on 3.13. It looks like there was no
> modification on 3.13 start up, but I'm not sure
>> 2. If the answer to above is positive: can you restart your test
>> scenario (i.e. start from 3.11, upgrade to 3.12) and test on 3.12
>> whether the issue is also present on that version?
> Sadly we did not make a database backup before. By starting 3.11.2
> unity throws an error about the supported database version:
>

OK, we will try to find it on our side then, will take more time in such situation though. Will keep you posted.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-06-07 09:57:18
|
Dear Krzysztof,

On Tue, 2023-06-06 at 14:54 +0200, Krzysztof Benedyczak wrote:
> Dear Laura,
>
> On 6.06.2023 at 13:19, Laura Hofer wrote:
> > Dear Krzysztof, Dear Roman,
> >
> > we were just about to install unity 3.13.0 and then start testing. To
> > do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> > 3.13.0. After that, we received an application error message when
> > logging in (see attached screenshot). Unfortunately we could not find
> > any error message in the stack trace, so we switched back to 3.12.0.
> > There we got the same error message at login, but then we could also
> > find an error message in the stack trace. This is also attached as a
> > txt file.
>
> Thank you for the report. Most likely a regression caused by one of
> recent big refactorings.
>
> Some questions:
>
> 1. The DB on which you run 3.12 (and got the attached stacktrace) was
> used (and possibly modified) with 3.13 or not?

Yes the database was used also on 3.13. It looks like there was no modification on 3.13 start up, but I'm not sure.

> 2. If the answer to above is positive: can you restart your test
> scenario (i.e. start from 3.11, upgrade to 3.12) and test on 3.12
> whether the issue is also present on that version?

Sadly we did not make a database backup before. By starting 3.11.2 unity throws an error about the supported database version:

The database schema version 18 is newer then supported by this version of the server. Please upgrade the server software.

Best regards,
Sander

> Answers to those questions should help us a lot.
>
> Thank you,
>
> Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2023-06-06 12:54:35
|
Dear Laura,

On 6.06.2023 at 13:19, Laura Hofer wrote:
> Dear Krzysztof, Dear Roman,
>
> we were just about to install unity 3.13.0 and then start testing. To
> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
> 3.13.0. After that, we received an application error message when
> logging in (see attached screenshot). Unfortunately we could not find
> any error message in the stack trace, so we switched back to 3.12.0.
> There we got the same error message at login, but then we could also
> find an error message in the stack trace. This is also attached as a
> txt file.

Thank you for the report. Most likely a regression caused by one of recent big refactorings.

Some questions:

1. The DB on which you run 3.12 (and got the attached stacktrace) was used (and possibly modified) with 3.13 or not?

2. If the answer to above is positive: can you restart your test scenario (i.e. start from 3.11, upgrade to 3.12) and test on 3.12 whether the issue is also present on that version?

Answers to those questions should help us a lot.

Thank you,
Krzysztof
|
From: Laura H. <l....@fz...> - 2023-06-06 11:20:04
|
Dear Krzysztof, Dear Roman,

we were just about to install unity 3.13.0 and then start testing. To do this, we first switched from unity 3.11.2 to unity 3.12.0, then to 3.13.0. After that, we received an application error message when logging in (see attached screenshot). Unfortunately we could not find any error message in the stack trace, so we switched back to 3.12.0. There we got the same error message at login, but then we could also find an error message in the stack trace. This is also attached as a txt file.

Best regards,
Laura Hofer

--
Juelich Supercomputing Centre
Institute for Advanced Simulation
Forschungszentrum Juelich GmbH
52425 Juelich, Germany
E-Mail: l....@fz...
Phone: +49 2461 61-6576
Fax: +49 2461 61-6656
|
From: Krzysztof B. <kb...@un...> - 2023-05-31 16:33:34
|
Hi,

On 31.05.2023 at 11:30, Sander Apweiler wrote:
> Hi Krzysztof,
> we are just using two realms. The adminRealm for console endpoint and
> the defaultRealm for all other endpoints. But we could create a third
> one dedicated to the home endpoint for the oauth clients.

Hm. So what are the two flows in which you expect to have different authN?

Let's say you create one realm for the Home endpoint. This realm will require MFA. Then all users accessing this endpoint will need to authenticate with MFA. That is easy.

But I still don't understand your setup. I don't know what you mean by "normal authentication of the client in AuthZ code flow". Please be more verbose. What are the authn options? What are the endpoints in question (just /home or /home and OAuth IdP?)?

Krzysztof

> Best regards,
> Sander
>
> On Wed, 2023-05-31 at 11:09 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 30.05.2023 at 13:06, Sander Apweiler wrote:
>>> Hi Krzysztof, hi Roman
>>> we are planning to enforce 2FA on /home endpoint. Can you confirm that
>>> Oauth admins would need to enter second factor if they log in at this
>>> endpoint with the client credentials but the normal authentication of
>>> the client in Authorization code flow is not affected.
>> It depends on details of your setup. Can you provide your envisioned
>> realms setup and what is the assignment of home and oauth endpoints to
>> realms?
>>
>> Best,
>> Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-05-31 09:30:43
|
Hi Krzysztof,
we are just using two realms. The adminRealm for console endpoint and the defaultRealm for all other endpoints. But we could create a third one dedicated to the home endpoint for the oauth clients.

Best regards,
Sander

On Wed, 2023-05-31 at 11:09 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 30.05.2023 at 13:06, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman
> > we are planning to enforce 2FA on /home endpoint. Can you confirm that
> > Oauth admins would need to enter second factor if they log in at this
> > endpoint with the client credentials but the normal authentication of
> > the client in Authorization code flow is not affected.
>
> It depends on details of your setup. Can you provide your envisioned
> realms setup and what is the assignment of home and oauth endpoints to
> realms?
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2023-05-31 09:10:13
|
Hi Sander,

On 30.05.2023 at 13:06, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman
> we are planning to enforce 2FA on /home endpoint. Can you confirm that
> Oauth admins would need to enter second factor if they log in at this
> endpoint with the client credentials but the normal authentication of
> the client in Authorization code flow is not affected.

It depends on details of your setup. Can you provide your envisioned realms setup and what is the assignment of home and oauth endpoints to realms?

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-05-30 11:06:39
|
Hi Krzysztof, hi Roman,
we are planning to enforce 2FA on /home endpoint. Can you confirm that Oauth admins would need to enter second factor if they log in at this endpoint with the client credentials but the normal authentication of the client in Authorization code flow is not affected.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|