From: <ba...@aw...> - 2021-08-13 14:18:42
Hi Roman,

Many thanks for looking into it.

> Just check the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

Does that mean my configuration posted in my first email looks fine?

> please enable the logging for the rest subsystem to the trace level

Unity logs:
=========
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2 authorization endpoint
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request processing
2021-08-13T12:37:16,122 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request to protected address, with OAuth2 input, will be processed: /oauth/oauth2-authz
2021-08-13T12:37:16,123 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Parsed OAuth request: response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid
2021-08-13T12:37:16,134 [qtp620381176-33] TRACE unity.server.oauth.OAuthParseServlet: Request with OAuth input handled successfully
2021-08-13T12:37:16,170 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:16,219 [qtp620381176-36] TRACE unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth request, forwarding to consent UI
2021-08-13T12:37:16,328 [qtp620381176-36] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile Embedded]] Unprocessed data from local database: Entity 49: -
[userName] bakcsa - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm Attributes: - sys:LastAuthentication: [2021-08-13T12:10:25] - firstname: [Zoltan] - surname: [Bakcsa] - name: [Zoltan Bakcsa] - sys:AuthorizationRole: [System Manager] - sys:CredentialRequirements: [Password requirement] - email: [{"value":ba...@aw... <mailto:ba...@aw...> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] - sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] In group: / Groups: [/moderators, /] Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30 Requester 
attributes: - sys:oauth:clientType: [CONFIDENTIAL] - sys:oauth:allowedReturnURI: [https://www.my-domain.io/jupyter/hub/oauth_callback] - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, openidHybrid] - sys:oauth:clientName: [Jupyter hub login] Protocol: OAuth2:authorizationCode 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationRule:[[TrProfile Embedded], [r: 1]] Condition OK 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG unity.server.externaltranslation.CreateAttributeAction:[[TrProfile Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] Created a new attribute: userName: [bakcsa] with meta [userName, userName, false] 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result: TranslationResult: attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], sys:CredentialRequirements: [Password requirement] with meta [sys:CredentialRequirements, Defines which credential requirements are set for the owner, false], email: [{"value":ba...@aw... 
<mailto:ba...@aw...> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] with meta [E-mail address, E-mail address, false], sys:Preferences: [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] with meta [sys:Preferences, Preferences of the user, false], surname: [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] with meta [sys:LastAuthentication, Stores date and time of the last successful authentication. The format is ISO time in UTC time zone with seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] with meta [Authorization role, Defines what operations are allowed for the bearer. 
The attribute of this type defines the access in the group where it is defined and in all subgroups. In subgroup it can be redefined to grant more access. Roles: <b>System Manager</b> - System manager with all privileges. <b>Contents Manager</b> - Allows for performing all management operations related to groups, entities and attributes. Also allows for reading information about hidden attributes. <b>Privileged Inspector</b> - Allows for reading entities, groups and attributes, including the attributes visible locally only. No modifications are possible <b>Inspector</b> - Allows for reading entities, groups and attributes. No modifications are possible <b>Regular User</b> - Allows owners for reading of the basic system information, retrieval of information about themselves and also for changing self managed attributes, identities and passwords <b>Anonymous User</b> - Allows for minimal access to the system: owners can get basic system information and retrieve information about themselves , false]] identities=[[userName] bakcsa, [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] 473eea20-47b6-4180-b02f-81559c521e4d for 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm] attributesToPersist=[] identitiesToPersist=[] redirectURL=null 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal address /oauth/oauth2-authz-web-entry/UIDL/ 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth 
post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found 2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny 2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow pwd, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed 2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client 2021-08-13T12:37:25,380 [qtp620381176-29] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?] 
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) 
~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) 
[jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at java.lang.Thread.run(Thread.java:829) [?:?] Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] ... 56 more 2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG unity.server.rest.EngineExceptionMapper: Access denied for rest client pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. 
at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) 
~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] 
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at java.lang.Thread.run(Thread.java:829) [?:?]

Jupyter-hub logs:
==============
swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms
swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f (@::ffff:10.0.0.2) 1.32ms
swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback'
swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1}
swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid (@::ffff:10.0.0.2) 1.87ms
swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error fetching access token 403 POST https://idp.my-domain.io:2443/oauth-token/token: {
swarm-1 | "error": "AuthenticationException",
swarm-1 | "message": "Invalid user name, credential or external authentication failed. "
swarm-1 | }
swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught exception GET /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D (::ffff:10.0.0.2)
swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', method='GET', uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', version='HTTP/1.1', remote_ip='::ffff:10.0.0.2')
swarm-1 | Traceback (most recent call last):
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
swarm-1 | result = await result
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 231, in get
swarm-1 | user = await self.login_user()
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
swarm-1 | authenticated = await self.authenticate(data)
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
swarm-1 | authenticated = await maybe_future(self.authenticate(handler, data))
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 169, in authenticate
swarm-1 | token_resp_json = await self._get_token(headers, params)
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 390, in fetch
swarm-1 | raise e
swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 369, in fetch
swarm-1 | resp = await self.http_client.fetch(req, **kwargs)
swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden
swarm-1 |
swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template for 500
swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] {
swarm-1 | "X-Forwarded-Proto": "http",
swarm-1 | "X-Forwarded-Port": "80",
swarm-1 | "Connection": "close",
swarm-1 | "X-Forwarded-Server": "my-domain.io",
swarm-1 | "X-Forwarded-Host": "my-domain.io",
swarm-1 | "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2",
swarm-1 | "Cookie": "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; jupyterhub-session-id=[secret]; _xsrf=[secret]; oauthenticator-state=[secret]",
swarm-1 | "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7",
swarm-1 | "Accept-Encoding": "gzip, deflate, br",
swarm-1 | "Referer": https://idp.my-domain.io:2443/,
swarm-1 | "Sec-Ch-Ua-Mobile": "?0",
swarm-1 | "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"",
swarm-1 | "Sec-Fetch-Dest": "document",
swarm-1 | "Sec-Fetch-User": "?1",
swarm-1 | "Sec-Fetch-Mode": "navigate",
swarm-1 | "Sec-Fetch-Site": "same-site",
swarm-1 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
swarm-1 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73",
swarm-1 | "Upgrade-Insecure-Requests": "1",
swarm-1 | "Cache-Control": "max-age=0",
swarm-1 | "Host": "my-domain.io"
swarm-1 | }
swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET /jupyter/hub/oauth_callback?code=[secret]&state=[secret] (@::ffff:10.0.0.2) 72.98ms

From: Roman Krysiński <ro...@un...>
Sent: Friday, August 13, 2021 11:54 AM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

Just check the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from the unity.

To enable trace logging for rest, make sure to have the following in log4j2.xml file:

<Logger name="unity.server.rest" level="TRACE"/>

Also if you could enable the trace logging for Jupyter and provide output that would be helpful.

One thing which is puzzling me is why the oauth client queries the revocation endpoint after login?

Thank you,
Roman

From: Roman Krysiński <ro...@un...>
Sent: Thursday, August 12, 2021 12:02 PM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

This is to let you know that we are working on this, and we will let you know after investigation. Thanks for reaching out to the community.

Roman

On Wed, 11 Aug 2021 at 17:34 <ba...@aw...> wrote:

Dear Unity community,

I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.
Unity version: 3.2.3 Relevant configuration: Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg Jupyter-hub-client: https://snipboard.io/6olp81.jpg Relevant part of jupyterhub_config.py: c.GenericOAuthenticator.client_id="removed " c.GenericOAuthenticator.client_secret="removed" c.GenericOAuthenticator.oauth_callback_url=https://www.mydomain.io/jupyter/hub/oauth_callback c.GenericOAuthenticator.authorize_url=https://idp.mydomain.io:2443/oauth/oauth2-authz c.GenericOAuthenticator.token_url=https://idp.mydomain.io:2443/oauth-token/token c.GenericOAuthenticator.userdata_url=https://idp.mydomain.io:2443/oauth-token/userinfo c.GenericOAuthenticator.username_key="userName" #c.GenericOAuthenticator.userdata_params.state="state" c.GenericOAuthenticator.userdata_params = {'state': 'state'} c.GenericOAuthenticator.scope = ['profile','openid'] I’ve double checked the client_id and secret many times, I’m pretty sure they are correct. What happens: 1. Go to https://mydomain.io/jupyter/ 2. Click on “Sign in with OAuth 2.0” button 3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry 4. Login with my username/password 5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg 6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”. Checking unity logs I see the following warning: WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource <http://token.as.oauth.unity.icm.edu.pl/%7DRevocationResource> has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed. (Full stack trace at the end of the email.) This message does not tell much to me, all credentials are correct that I configured. Could someone help me out? Did I misconfigure something? 
Cheers,
Zoltan Bakcsa

2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
    at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?]
    ... 56 more

_______________________________________________
Unity-idm-discuss mailing list
Uni...@li...
https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
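Added example (not part of the thread, and not Unity or JupyterHub code): a Python triage of the unity.server.rest trace lines from the Unity log in the message above, grouping them per request thread and reporting whether an HTTP Basic header was logged before the denial. The sample lines are copied from that log with stack frames dropped; the function name, the verdict labels and the reading of a missing "header found" line as "no header logged" are assumptions of this example.

```python
import re

# Constructed sample: REST-subsystem lines copied from the Unity trace log in
# this thread, one event per line, stack frames and the auto-link dropped.
SAMPLE_LOG = """\
2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow pwd, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2021-08-13T12:37:25,380 [qtp620381176-29] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown exception, unwinding now
"""

# Layout seen in the thread: "<timestamp> [<thread>] <LEVEL> <logger>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] +(?P<level>[A-Z]+) +"
    r"(?P<logger>[^\s:]+): ?(?P<msg>.*)$"
)
PROCESSING_RE = re.compile(r"^Processing authenticator (\S+)")
RESULT_RE = re.compile(r"^Authenticator (\S+) returned (\S+)")
RESOURCE_RE = re.compile(r"^Interceptor for \{[^}]*\}(\w+)")
CXF_LOGGER = "org.apache.cxf.phase.PhaseInterceptorChain"


def triage(log_text):
    """Return one dict per REST authentication attempt found in log_text."""
    open_attempts = {}      # thread -> attempt still in progress
    awaiting_resource = {}  # thread -> failed attempt waiting for the CXF line
    attempts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # stack frame or wrapped continuation line
        thread, logger, msg = m["thread"], m["logger"], m["msg"]

        if not logger.startswith("unity.server.rest."):
            # Assumption: a line from another subsystem on the same thread
            # means the REST authentication phase of that request is over.
            open_attempts.pop(thread, None)
            failed = awaiting_resource.pop(thread, None)
            res = RESOURCE_RE.match(msg) if logger == CXF_LOGGER else None
            if res and failed is not None:
                failed["resource"] = res.group(1)  # CXF resource that was hit
            continue

        started = PROCESSING_RE.match(msg)
        if started:
            attempt = open_attempts.get(thread)
            if attempt is None:
                attempt = {
                    "thread": thread, "start": m["ts"], "end": None,
                    "basic_header": False, "authenticators": {},
                    "resource": None, "verdict": "no-failure-logged",
                }
                open_attempts[thread] = attempt
                attempts.append(attempt)
            attempt["authenticators"].setdefault(started.group(1), None)
            continue

        attempt = open_attempts.get(thread)
        if attempt is None:
            continue  # REST line outside any authentication attempt
        result = RESULT_RE.match(msg)
        if msg.startswith("HTTP BASIC auth header found"):
            attempt["basic_header"] = True
        elif result:
            attempt["authenticators"][result.group(1)] = result.group(2)
        elif msg.startswith("Authentication failed for client"):
            attempt["end"] = m["ts"]
            # Header logged and still denied: the credentials were presented
            # and rejected. No header line: nothing was logged as presented.
            attempt["verdict"] = (
                "credentials-rejected" if attempt["basic_header"]
                else "no-basic-header-logged"
            )
            awaiting_resource[thread] = open_attempts.pop(thread)
    return attempts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f'{a["start"]} {a["thread"]} resource={a["resource"]} '
              f'basic_header={a["basic_header"]} '
              f'authenticators={a["authenticators"]} verdict={a["verdict"]}')
```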
From: <ba...@aw...> - 2021-08-13 19:57:56
|
Hi Roman,

> Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?

I cannot confirm this. Unity operates over SSL, I cannot look into the actual data stream between Unity and Jupyter hub so I don’t know what’s going on under the hood. I suppose there is no option in Unity for logging HTTP requests (together with the content).

All I can confirm is that the “c.GenericOAuthenticator.client_id” and “c.GenericOAuthenticator.client_secret” properties are set in jupyterhub_config.py and their value is correct.

Since at this point, I could not decide whether the Jupyterhub – GenericOAuthenticator plugin or Unity does not work as it should, I set up a Keycloak instance and checked if Jupyterhub can authenticate against it with the same plugin. It worked.

Next week I’ll try to put an HTTP proxy between Unity and Jupyterhub so that I can sniff the communication between them.

In the meantime, ideas about what could be possibly misconfigured and/or working configuration examples (both Unity and Jupyter side) are welcome.

Br,
Zoltan

From: Roman Krysiński <ro...@un...>
Sent: Friday, August 13, 2021 6:03 PM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

Thank you very much, that was helpful.

> Does that mean my configuration posted in my first email looks fine?

I haven't spotted a problem in the Unity configuration at first glance. Looking at the JupyterHub however I noticed this:

> 403 POST https://idp.my-domain.io:2443/oauth-token/token: Token endpoint is protected and all requests require proper authorization.

Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?

Thank you,
Roman

On Fri, 13 Aug 2021 at 16:18 <ba...@aw...> wrote:
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at java.lang.Thread.run(Thread.java:829) [?:?] Jupyter-hub logs: ============== swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f (@::ffff:10.0.0.2) 1.32ms swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback' swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1} swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code <https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=%5bsecret%5d&scope=profile+openid> &redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid (@::ffff:10.0.0.2) 1.87ms swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error fetching access token 403 POST https://idp.my-domain.io:2443/oauth-token/token: { swarm-1 | "error": "AuthenticationException", swarm-1 | "message": "Invalid user 
name, credential or external authentication failed. " swarm-1 | } swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught exception GET /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D (::ffff:10.0.0.2) swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io <http://my-domain.io> ', method='GET', uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', version='HTTP/1.1', remote_ip='::ffff:10.0.0.2') swarm-1 | Traceback (most recent call last): swarm-1 | File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute swarm-1 | result = await result swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 231, in get swarm-1 | user = await self.login_user() swarm-1 | File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user swarm-1 | authenticated = await self.authenticate(data) swarm-1 | File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user swarm-1 | authenticated = await maybe_future(self.authenticate(handler, data)) swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 169, in authenticate swarm-1 | token_resp_json = await self._get_token(headers, params) swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 390, in fetch swarm-1 | raise e swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 369, in fetch swarm-1 | resp = await self.http_client.fetch(req, **kwargs) swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden swarm-1 | swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template for 500 swarm-1 | [E 
2021-08-13 12:46:36.640 JupyterHub log:181] { swarm-1 | "X-Forwarded-Proto": "http", swarm-1 | "X-Forwarded-Port": "80", swarm-1 | "Connection": "close", swarm-1 | "X-Forwarded-Server": "my-domain.io <http://my-domain.io> ", swarm-1 | "X-Forwarded-Host": "my-domain.io <http://my-domain.io> ", swarm-1 | "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2", swarm-1 | "Cookie": "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; jupyterhub-session-id=[secret]; _xsrf=[secret]; oauthenticator-state=[secret]", swarm-1 | "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7", swarm-1 | "Accept-Encoding": "gzip, deflate, br", swarm-1 | "Referer": https://idp.my-domain.io:2443/, swarm-1 | "Sec-Ch-Ua-Mobile": "?0", swarm-1 | "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"", swarm-1 | "Sec-Fetch-Dest": "document", swarm-1 | "Sec-Fetch-User": "?1", swarm-1 | "Sec-Fetch-Mode": "navigate", swarm-1 | "Sec-Fetch-Site": "same-site", swarm-1 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", swarm-1 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73", swarm-1 | "Upgrade-Insecure-Requests": "1", swarm-1 | "Cache-Control": "max-age=0", swarm-1 | "Host": "my-domain.io <http://my-domain.io> " swarm-1 | } swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET /jupyter/hub/oauth_callback?code=[secret]&state=[secret] (@::ffff:10.0.0.2) 72.98ms From: Roman Krysiński <ro...@un... <mailto:ro...@un...> > Sent: Friday, August 13, 2021 11:54 AM To: ba...@aw... <mailto:ba...@aw...> Cc: Unity ML <uni...@li... 
<mailto:uni...@li...> >
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

Just check the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.

In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from the unity.

To enable trace logging for rest, make sure to have the following in log4j2.xml file

    <Logger name="unity.server.rest" level="TRACE"/>

Also if you could enable the trace logging for Jupyter and provide output that would be helpful.

One thing which is puzzling me is why the oauth client queries the revocation endpoint after login?

Thank you,
Roman

From: Roman Krysiński <ro...@un...>
Sent: Thursday, August 12, 2021 12:02 PM
To: ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi Zoltan,

This is to let you know that we are working on this, and we will let you know after investigation.
Thanks for reaching out to the community.

Roman

On Wed, 11 Aug 2021 at 17:34, <ba...@aw...> wrote:

Dear Unity community,

I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.

Unity version: 3.2.3

Relevant configuration:
Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
Jupyter-hub-client: https://snipboard.io/6olp81.jpg

Relevant part of jupyterhub_config.py:

    c.GenericOAuthenticator.client_id="removed "
    c.GenericOAuthenticator.client_secret="removed"
    c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
    c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
    c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
    c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
    c.GenericOAuthenticator.username_key="userName"
    #c.GenericOAuthenticator.userdata_params.state="state"
    c.GenericOAuthenticator.userdata_params = {'state': 'state'}
    c.GenericOAuthenticator.scope = ['profile','openid']

I’ve double checked the client_id and secret many times, I’m pretty sure they are correct.

What happens:

1. Go to https://mydomain.io/jupyter/
2. Click on “Sign in with OAuth 2.0” button
3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
4. Login with my username/password
5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”.

Checking unity logs I see the following warning:

    WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
    org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.

(Full stack trace at the end of the email.)

This message does not tell much to me, all credentials are correct that I configured.

Could someone help me out? Did I misconfigure something?

Cheers, Zoltan Bakcsa 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource <http://token.as.oauth.unity.icm.edu.pl/%7DRevocationResource> has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1] at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar:3.1.0] at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] at 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) 
~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.3.jar:?] at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.3.jar:?] 
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] at java.lang.Thread.run(Thread.java:829) [?:?] Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) ~[unity-server-rest-3.2.3.jar:?] ... 56 more _______________________________________________ Unity-idm-discuss mailing list Uni...@li... https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss |
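Added example (not written by anyone in this thread and not Unity or JupyterHub code): the Unity TRACE lines in this thread record whether the token-endpoint client sent an HTTP Basic header before the authenticator denied it. This Python script correlates those lines per thread and, for an Authorization header captured at a proxy, compares it with the configured client credentials without echoing the secret. The second log attempt, the credential values and all function names are constructed for illustration; only the three message texts on thread qtp620381176-29 come from the log posted here.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed sample. The three message texts on thread qtp620381176-29 are the
# ones quoted in this thread; the attempt on thread qtp-demo-7 is made up to show
# the contrasting case in which no Basic header is logged before the deny.
SAMPLE_LOG = """\
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
2021-08-13T12:40:00,000 [qtp-demo-7] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:40:00,004 [qtp-demo-7] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>[^\]]+)\] \w+ (?P<logger>[\w.]+):\s*(?P<msg>.*)$")
RESULT_RE = re.compile(r"^Authenticator (?P<name>\S+) returned (?P<result>\w+)$")


def classify(attempt):
    """Turn one finished attempt into a short verdict string."""
    if attempt["result"] != "deny":
        return "not_denied"
    if attempt["basic_header"]:
        # The client did authenticate with Basic; the values were rejected.
        return "basic_credentials_rejected"
    # No Basic header was logged: the client may be sending its credentials
    # in the POST body, or none at all.
    return "no_basic_header_logged"


def triage_rest_auth(log_text):
    """Group unity.server.rest lines into per-thread authentication attempts."""
    attempts, pending = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["logger"].startswith("unity.server.rest."):
            continue
        thread, msg = m["thread"], m["msg"].strip()
        if msg.startswith("Processing authenticator "):
            pending[thread] = {"thread": thread, "started": m["ts"],
                               "authenticator": msg.rsplit(" ", 1)[-1],
                               "basic_header": False}
            continue
        attempt = pending.get(thread)
        if attempt is None:
            continue
        if msg == "HTTP BASIC auth header found":
            attempt["basic_header"] = True
            continue
        result = RESULT_RE.match(msg)
        if result:
            attempt["result"] = result["result"]
            attempt["verdict"] = classify(attempt)
            attempts.append(pending.pop(thread))
    return attempts


def compare_value(sent, expected):
    """Say how a sent value relates to the configured one, without printing it."""
    if sent == expected:
        return "match"
    if unquote_plus(sent) == expected:
        # RFC 6749 section 2.3.1: values are form-urlencoded before Basic encoding.
        return "match_after_urldecode"
    if sent.strip() == expected.strip():
        return "whitespace_mismatch"
    return "mismatch"


def compare_basic_header(header_value, client_id, client_secret):
    """Compare a captured Authorization header with the configured credentials."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return {"error": "not a Basic Authorization header"}
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return {"error": "payload is not valid base64/UTF-8"}
    user, sep, password = decoded.partition(":")
    if not sep:
        return {"error": "decoded payload has no ':' separator"}
    return {"client_id": compare_value(user, client_id),
            "client_secret": compare_value(password, client_secret)}


if __name__ == "__main__":
    for a in triage_rest_auth(SAMPLE_LOG):
        print(a["started"], a["thread"], a["authenticator"], a["verdict"])
    # Constructed header: a client id with a stray trailing space.
    hdr = "Basic " + base64.b64encode(b"demo-client :demo-secret").decode()
    print(compare_basic_header(hdr, "demo-client", "demo-secret"))
```
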
From: Roman K. <ro...@un...> - 2021-08-17 12:09:23
|
Hi Zoltan,

> In the meantime, ideas about what could be possibly misconfigured and/or working configuration examples (both Unity and Jupyter side) are welcomed.

Note that I was not using Jupyter for my tests, I just configured unity according to your screenshots and used https://oauth.tools/ for testing.
Please check whether clientId and secret configured in jupyterhub_config.py are the same with those generated by Unity, or regenerate client credentials in Unity and update Jupyter config file.

As an aside, I noticed that Jupyter under the hood is using Tornado as a networking library, consider enabling the Tornado lib logging to see more details in the Jupyter log: https://www.tornadoweb.org/en/stable/log.html.

Best regards,
Roman

On Fri, 13 Aug 2021 at 21:57, <ba...@aw...> wrote:

> Hi Roman,
>
> > Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?
>
> I cannot confirm this. Unity operates over SSL, I cannot look into the actual data stream between Unity and Jupyter hub so I don’t know what’s going on under the hood.
>
> I suppose there is no option in Unity for logging HTTP requests (together with the content).
>
> All I can confirm is that the “c.GenericOAuthenticator.client_id” and “c.GenericOAuthenticator.client_secret” properties are set in jupyterhub_config.py and their value is correct.
>
> Since at this point, I could not decide whether the Jupyterhub – GenericOAuthenticator plugin or Unity does not work as it should, I set up a Keycloak instance and checked if Jupyterhub can authenticate against it with the same plugin. It worked.
>
> Next week I’ll try to put an HTTP proxy between Unity and Jupyterhub so that I can sniff the communication between them.
>
> In the meantime, ideas about what could be possibly misconfigured and/or working configuration examples (both Unity and Jupyter side) are welcomed.
>
> Br,
>
> Zoltan
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Friday, August 13, 2021 6:03 PM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> Thank you very much, that was helpful.
>
> > Does that mean my configuration posted in my first email looks fine?
>
> I haven't spotted problem in the Unity configuration at first glance.
>
> Looking at the JupyterHub however I noticed this:
>
> > 403 POST https://idp.my-domain.io:2443/oauth-token/token:
>
> Token endpoint is protected and all requests require proper authorization.
>
> Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?
>
> Thank you,
>
> Roman
>
> On Fri, 13 Aug 2021 at 16:18, <ba...@aw...> wrote:
>
> Hi Roman,
>
> Many thanks for looking into it.
>
> >Just check the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.
> Does that mean my configuration posted in my first email looks fine?
> > > > > please enable the logging for the rest subsystem to the trace level > > Unity logs: > ========= > > 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE > unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2 > authorization endpoint > > 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE > unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request > processing > > 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE > unity.server.oauth.OAuthParseServlet: Request to protected address, with > OAuth2 input, will be processed: /oauth/oauth2-authz > > 2021-08-13T12:37:16,123 [qtp620381176-33] TRACE > unity.server.oauth.OAuthParseServlet: Parsed OAuth request: > response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io > %2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid > > 2021-08-13T12:37:16,134 [qtp620381176-33] TRACE > unity.server.oauth.OAuthParseServlet: Request with OAuth input handled > successfully > > 2021-08-13T12:37:16,170 [qtp620381176-36] TRACE > unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing > address, with OAuth context: /oauth/oauth2-authz-web-entry > > 2021-08-13T12:37:16,219 [qtp620381176-36] TRACE > unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth > request, forwarding to consent UI > > 2021-08-13T12:37:16,328 [qtp620381176-36] TRACE > unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing > address, with OAuth context: /oauth/oauth2-authz-web-entry > > 2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG > unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile > Embedded]] Unprocessed data from local database: > > Entity 49: > > - [userName] bakcsa > > - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm > > - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 
for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm > > - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm > > Attributes: > > - sys:LastAuthentication: [2021-08-13T12:10:25] > > - firstname: [Zoltan] > > - surname: [Bakcsa] > > - name: [Zoltan Bakcsa] > > - sys:AuthorizationRole: [System Manager] > > - sys:CredentialRequirements: [Password requirement] > > - email: [{"value":ba...@aw... > ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] > > - sys:Preferences: > [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate > credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] > > In group: / > > Groups: [/moderators, /] > > Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30 > > Requester attributes: > > - sys:oauth:clientType: [CONFIDENTIAL] > > - sys:oauth:allowedReturnURI: [ > 
https://www.my-domain.io/jupyter/hub/oauth_callback] > > - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, > openidHybrid] > > - sys:oauth:clientName: [Jupyter hub login] > > Protocol: OAuth2:authorizationCode > > 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG > unity.server.externaltranslation.OutputTranslationRule:[[TrProfile > Embedded], [r: 1]] Condition OK > > 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG > unity.server.externaltranslation.CreateAttributeAction:[[TrProfile > Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] > Created a new attribute: userName: [bakcsa] with meta [userName, userName, > false] > > 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG > unity.server.externaltranslation.OutputTranslationEngine: Output > translation result: > > TranslationResult: > > attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], > sys:CredentialRequirements: [Password requirement] with meta > [sys:CredentialRequirements, Defines which credential requirements are set > for the owner, false], email: [{"value":ba...@aw...,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] > with meta [E-mail address, E-mail address, false], sys:Preferences: > [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate > 
credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] > with meta [sys:Preferences, Preferences of the user, false], surname: > [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta > [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] > with meta [sys:LastAuthentication, Stores date and time of the last > successful authentication. The format is ISO time in UTC time zone with > seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] > with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] > with meta [Authorization role, Defines what operations are allowed for the > bearer. The attribute of this type defines the access in the group where it > is defined and in all subgroups. In subgroup it can be redefined to grant > more access. Roles: > > <b>System Manager</b> - System manager with all privileges. > > <b>Contents Manager</b> - Allows for performing all management operations > related to groups, entities and attributes. Also allows for reading > information about hidden attributes. > > <b>Privileged Inspector</b> - Allows for reading entities, groups and > attributes, including the attributes visible locally only. No modifications > are possible > > <b>Inspector</b> - Allows for reading entities, groups and attributes. 
No > modifications are possible > > <b>Regular User</b> - Allows owners for reading of the basic system > information, retrieval of information about themselves and also for > changing self managed attributes, identities and passwords > > <b>Anonymous User</b> - Allows for minimal access to the system: owners > can get basic system information and retrieve information about themselves > > , false]] > > identities=[[userName] bakcsa, [persistent] > 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] > 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] > 473eea20-47b6-4180-b02f-81559c521e4d for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm] > > attributesToPersist=[] > > identitiesToPersist=[] > > redirectURL=null > > 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE > unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal > address /oauth/oauth2-authz-web-entry/UIDL/ > > 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE > unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal > address /oauth/oauth2-authz-web-entry/UIDL/ > > 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE > unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal > address /oauth/oauth2-authz-web-entry/UIDL/ > > 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE > unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing > address, with OAuth context: /oauth/oauth2-authz-web-entry > > 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE > unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd > > 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE > unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found > > 2021-08-13T12:37:25,379 [qtp620381176-29] TRACE > unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny > > 2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG > unity.server.rest.AuthenticationInterceptor: 
Authentication set failed to > authenticate the client using flow pwd, will try another: > pl.edu.icm.unity.engine.api.authn.AuthenticationException: > AuthenticationProcessorImpl.authnFailed > > 2021-08-13T12:37:25,379 [qtp620381176-29] INFO > unity.server.rest.AuthenticationInterceptor: Authentication failed for > client > > 2021-08-13T12:37:25,380 [qtp620381176-29] WARN > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { > http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown > exception, unwinding now > > org.apache.cxf.interceptor.Fault: Invalid user name, credential or > external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > ... 
56 more > > 2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG > unity.server.rest.EngineExceptionMapper: Access denied for rest client > > pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user > name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > 
~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > > > > > Jupyter-hub logs: > ============== > > swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET > /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms > > swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET > /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f > (@::ffff:10.0.0.2) 1.32ms > > swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth > redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback' > > swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting > cookie oauthenticator-state: {'httponly': True, 'expires_days': 1} > > swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET > /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> > https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid > <https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=%5bsecret%5d&scope=profile+openid> > (@::ffff:10.0.0.2) 1.87ms > > swarm-1 
| [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error > fetching access token 403 POST > https://idp.my-domain.io:2443/oauth-token/token: { > > swarm-1 | "error": "AuthenticationException", > > swarm-1 | "message": "Invalid user name, credential or external > authentication failed. " > > swarm-1 | } > > swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught > exception GET > /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D > (::ffff:10.0.0.2) > > swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', > method='GET', > uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', > version='HTTP/1.1', remote_ip='::ffff:10.0.0.2') > > swarm-1 | Traceback (most recent call last): > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in > _execute > > swarm-1 | result = await result > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 231, in get > > swarm-1 | user = await self.login_user() > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line > 754, in login_user > > swarm-1 | authenticated = await self.authenticate(data) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in > get_authenticated_user > > swarm-1 | authenticated = await > maybe_future(self.authenticate(handler, data)) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line > 169, in authenticate > > swarm-1 | token_resp_json = await self._get_token(headers, > params) > > swarm-1 | File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 390, in fetch > > swarm-1 | raise e > > swarm-1 | 
File > "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line > 369, in fetch > > swarm-1 | resp = await self.http_client.fetch(req, **kwargs) > > swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden > > swarm-1 | > > swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template > for 500 > > swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] { > > swarm-1 | "X-Forwarded-Proto": "http", > > swarm-1 | "X-Forwarded-Port": "80", > > swarm-1 | "Connection": "close", > > swarm-1 | "X-Forwarded-Server": "my-domain.io", > > swarm-1 | "X-Forwarded-Host": "my-domain.io", > > swarm-1 | "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2", > > swarm-1 | "Cookie": > "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; > jupyterhub-session-id=[secret]; _xsrf=[secret]; > oauthenticator-state=[secret]", > > swarm-1 | "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7", > > swarm-1 | "Accept-Encoding": "gzip, deflate, br", > > swarm-1 | "Referer": https://idp.my-domain.io:2443/, > > swarm-1 | "Sec-Ch-Ua-Mobile": "?0", > > swarm-1 | "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not > A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"", > > swarm-1 | "Sec-Fetch-Dest": "document", > > swarm-1 | "Sec-Fetch-User": "?1", > > swarm-1 | "Sec-Fetch-Mode": "navigate", > > swarm-1 | "Sec-Fetch-Site": "same-site", > > swarm-1 | "Accept": > "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", > > swarm-1 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; > x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 > Safari/537.36 Edg/92.0.902.73", > > swarm-1 | "Upgrade-Insecure-Requests": "1", > > swarm-1 | "Cache-Control": "max-age=0", > > swarm-1 | "Host": "my-domain.io" > > swarm-1 | } > > swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET > /jupyter/hub/oauth_callback?code=[secret]&state=[secret] 
(@::ffff:10.0.0.2) > 72.98ms
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Friday, August 13, 2021 11:54 AM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> Just checked the scenario manually on my local environment for the version you are using, but I was not able to reproduce the problem.
>
> In order to proceed further with investigation, please enable the logging for the rest subsystem to the trace level, do a re-test of your scenario and provide the log records from Unity.
>
> To enable trace logging for rest, make sure to have the following in the log4j2.xml file:
>
> <Logger name="unity.server.rest" level="TRACE"/>
>
> Also, if you could enable the trace logging for Jupyter and provide the output, that would be helpful. One thing which is puzzling me is why the oauth client queries the revocation endpoint after login?
>
> Thank you,
> Roman
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Thursday, August 12, 2021 12:02 PM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> This is to let you know that we are working on this, and we will let you know after investigation.
>
> Thanks for reaching out to the community.
> Roman
>
> On Wed, 11 Aug 2021 at 17:34, <ba...@aw...> wrote:
>
> Dear Unity community,
>
> I’m trying to integrate Jupyter hub with Unity-idm. My goal is to authenticate users using OpenID Connect.
>
> Unity version:
> 3.2.3
>
> Relevant configuration:
> Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
> Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
> Jupyter-hub-client: https://snipboard.io/6olp81.jpg
>
> Relevant part of jupyterhub_config.py:
>
> c.GenericOAuthenticator.client_id="removed "
> c.GenericOAuthenticator.client_secret="removed"
> c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
> c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
> c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
> c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
> c.GenericOAuthenticator.username_key="userName"
> #c.GenericOAuthenticator.userdata_params.state="state"
> c.GenericOAuthenticator.userdata_params = {'state': 'state'}
> c.GenericOAuthenticator.scope = ['profile','openid']
>
> I’ve double checked the client_id and secret many times, I’m pretty sure they are correct.
>
> What happens:
>
> 1. Go to https://mydomain.io/jupyter/
> 2. Click on “Sign in with OAuth 2.0” button
> 3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
> 4. Login with my username/password
> 5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
> 6. After clicking on the Confirm button I get redirected to Jupyter hub where I get a “500: Internal Server Error”.
>
> Checking unity logs I see the following warning:
>
> WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>
> (Full stack trace at the end of the email.)
>
> This message does not tell much to me, all credentials are correct that I configured.
>
> Could someone help me out? Did I misconfigure something?
>
> Cheers,
> Zoltan Bakcsa
>
> 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { > http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown > exception, unwinding now > > org.apache.cxf.interceptor.Fault: Invalid user name, credential or > external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at
javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > ... 56 more > > _______________________________________________ > Unity-idm-discuss mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss > > |
From: Krzysztof B. <kb...@un...> - 2021-08-17 12:35:46
|
Hi,

On 17.08.2021 at 14:08, Roman Krysiński wrote:
> Hi Zoltan,
>
> > In the meantime, ideas about what could be possible misconfigured
> and/or working configuration examples (both Unity and Jupyter side)
> are welcomed.
> Note that I was not using Jupyter for my tests, I just configured
> unity according to your screenshots and used https://oauth.tools/
> <https://oauth.tools/> for testing,
> Please check whether clientId and secret configured in
> jupyterhub_config.py are the same with those generated by Unity, or
> regenerate client credentials in Unity and update Jupyter config file.
>
> As an aside, I noticed that Jupyter under the hood is using Tornado as
> a networking library, consider enabling the Tornado lib logging to see
> more details in the Jupyter log:
> https://www.tornadoweb.org/en/stable/log.html
> <https://www.tornadoweb.org/en/stable/log.html>.
>

One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).

You can also try to use a command line tool such as curl to make a request to the token endpoint in unity. Perhaps you won't be able to easily provide proper token, but at least you should be able to authenticate and get some OAuth-level error instead of an early authN error. This would confirm that correct credential is configured on Unity side.

Best,
Krzysztof
|
From: <ba...@aw...> - 2021-08-25 13:35:15
|
Dear Krzysztof,

> One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as
> in Unity you can have multiple password credentials).

Could you please describe how to do this step-by-step? I'm afraid I do not speak the Unity language yet.
Also, in my first email I linked screenshots of the whole configuration. Can you check whether the authenticator is linked to the correct credential?
Perhaps you could point me to the relevant part in the documentation?

-----Original Message-----
From: Krzysztof Benedyczak <kb...@un...>
Sent: Tuesday, August 17, 2021 2:36 PM
To: Roman Krysiński <ro...@un...>; ba...@aw...
Cc: Unity ML <uni...@li...>
Subject: *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed

Hi,

On 17.08.2021 at 14:08, Roman Krysiński wrote:
> Hi Zoltan,
>
> > In the meantime, ideas about what could be possible misconfigured
> and/or working configuration examples (both Unity and Jupyter side)
> are welcomed.
> Note that I was not using Jupyter for my tests, I just configured
> unity according to your screenshots and used https://oauth.tools/
> <https://oauth.tools/> for testing, Please check whether clientId and
> secret configured in jupyterhub_config.py are the same with those
> generated by Unity, or regenerate client credentials in Unity and
> update Jupyter config file.
>
> As an aside, I noticed that Jupyter under the hood is using Tornado as
> a networking library, consider enabling the Tornado lib logging to see
> more details in the Jupyter log:
> https://www.tornadoweb.org/en/stable/log.html
> <https://www.tornadoweb.org/en/stable/log.html>.
>

One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).

You can also try to use command line tool as curl to make a request to the token endpoint in unity. Perhaps you won't be able to easily provide proper token, but at least you should be able to authenticate and get some OAuth-level error instead of an early authN error. This would confirm that correct credential is configured on Unity side.

Best,
Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2021-08-30 08:25:40
|
Dear Zoltan,

On 25.08.2021 at 15:34, ba...@aw... wrote:
> Dear Krzysztof,
>
>> One more thing to check: please ensure that your authenticator used by OAuth token endpoint ('pwd') is linked to a *password credential* that is actually set for the client. It is a common pitfall (as in Unity you can have multiple password credentials).
> Could you please describe how to do this step-by-step? I'm afraid I do not speak the Unity language yet.
> Also, in my first email I linked screenshots of the whole configuration. Can you check whether the authenticator is linked to the correct credential?
> Perhaps you could point me to the relevant part in the documentation?

One of the screenshots you have shared shows that your OAuth clients are configured to authenticate with the *authenticator* called 'pwd'.

Now this authenticator is defining how to check the client's credential. In Authentication -> Facilities you will find the list of your authenticators. Locate entry 'pwd' there and check details. It should be an authenticator of type 'password' (i.e. checking passwords stored locally). And in its configuration there will be a password credential selected, which is used by this authenticator. Note it down.

Next check if your client (in Directory browser) has this particular password credential set. Note that you can define multiple password credentials for your system (e.g. one for admins with high security requirements, one for ordinary users with lower requirements). Also unity defines one by its own (used for the initial admin's password). So it is likely you have >1, and make sure the authenticator is using the correct one.

HTH,
Krzysztof
|
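A log triage sketch for the REST authentication trace posted in this thread, added here as an example (it is not part of any message and not Unity code): it groups the `AuthenticationInterceptor` / `HttpBasicRetrievalBase` lines per request thread and reports whether HTTP Basic credentials arrived and were denied, which is the case the authenticator-to-credential check above resolves. The four message strings come from the posted log; the diagnosis labels, the hints and the second sample request are constructed for illustration.

```python
"""Triage Unity REST authentication attempts from a server log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Request 1: lines as posted in this thread's Unity trace log.
# Request 2 (thread "qtp-constructed-1"): constructed for contrast, same
# messages but without the "HTTP BASIC auth header found" line.
SAMPLE_LOG = """\
2021-08-13T12:37:25,142 [qtp620381176-29] TRACE unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing address, with OAuth context: /oauth/oauth2-authz-web-entry
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:37:25,374 [qtp620381176-29] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
2021-08-13T12:37:25,379 [qtp620381176-29] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
2021-08-13T12:37:25,379 [qtp620381176-29] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2021-08-13T12:40:00,000 [qtp-constructed-1] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-08-13T12:40:00,001 [qtp-constructed-1] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny
2021-08-13T12:40:00,001 [qtp-constructed-1] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
"""

# timestamp [thread] LEVEL logger: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+"
    r"(?P<logger>[^\s:]+):\s?(?P<msg>.*)$"
)
START_RE = re.compile(r"^Processing authenticator (\S+)$")
RESULT_RE = re.compile(r"^Authenticator (\S+) returned (\S+)$")
HEADER_MSG = "HTTP BASIC auth header found"

# Constructed hints, phrased after the advice given in this thread.
HINTS = {
    "CREDENTIAL_REJECTED": "Basic credentials were sent and denied: confirm the "
    "credential this authenticator checks is set on the client entity and "
    "matches the secret in the client application's config",
    "NO_BASIC_HEADER": "no Basic header logged: check how the client "
    "application sends its client id and secret",
    "NOT_DENIED": "authenticator did not return deny",
    "INCOMPLETE": "no authenticator result logged for this attempt",
}


@dataclass
class Attempt:
    thread: str
    started: str
    authenticator: str
    basic_header: bool = False
    result: Optional[str] = None

    def diagnosis(self) -> str:
        if self.result is None:
            return "INCOMPLETE"
        if self.result != "deny":
            return "NOT_DENIED"
        return "CREDENTIAL_REJECTED" if self.basic_header else "NO_BASIC_HEADER"


def triage(log_text: str) -> List[Attempt]:
    """Return one Attempt per 'Processing authenticator' line, in log order."""
    attempts: List[Attempt] = []
    open_by_thread: Dict[str, Attempt] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # stack-trace frames and other continuation lines
        thread, msg = m["thread"], m["msg"].strip()
        start = START_RE.match(msg)
        if start:
            attempt = Attempt(thread, m["ts"], start.group(1))
            open_by_thread[thread] = attempt
            attempts.append(attempt)
            continue
        current = open_by_thread.get(thread)
        if current is None:
            continue  # line does not belong to an open attempt
        if msg == HEADER_MSG:
            current.basic_header = True
            continue
        result = RESULT_RE.match(msg)
        if result and result.group(1) == current.authenticator:
            current.result = result.group(2)
            del open_by_thread[thread]  # attempt finished
    return attempts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        code = a.diagnosis()
        print(f"{a.started} [{a.thread}] authenticator={a.authenticator} "
              f"{code}: {HINTS[code]}")
```

Run it against the server log file itself; log lines quoted in e-mail are re-wrapped and prefixed with `>`, so they no longer match the line pattern.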
From: Zoltan B. <ba...@aw...> - 2021-08-30 13:26:23
|
Dear Krzysztof,

First of all: now it works, many thanks for the help.

> One of the screenshots you have shared shows that your OAuth clients are
> configured to authenticate with the *authenticator* called 'pwd'.

Yes, but that 'pwd' authenticator is under Identity provider>Jupyter hub login>Users authentication (https://snipboard.io/rUS3MP.jpg). Since it is under Users authentication I assumed that authenticator is used (only) for checking user's credentials and not the client credentials.

> Next check if your client (in Directory browser) has this particular
> password credential set.

I did not have a password configured there. Once I set it (with Update credential button in the context menu) and adjusted the jupyter hub config it started to work. I must have overlooked the relevant part in the docs.

However, it is still super confusing to me.
Now I have 2 "passwords" for the client.
The one that can be set in the directory browser here: https://snipboard.io/BEAplM.jpg

And another one that can be set under Identity Provider>Jupyter hub login> Oauth client> [client ID]>Client secret : https://snipboard.io/YnEado.jpg

Of course, up to now I tried to use the client secret from this latter option, which did not work.
What is the purpose of the Client secret then?

Br,
Zoltan

On 8/30/2021 10:25 AM, Krzysztof Benedyczak wrote:
> Dear Zoltan,
>
>
> On 25.08.2021 at 15:34, ba...@aw... wrote:
>> Dear Krzysztof,
>>
>>> One more thing to check: please ensure that your authenticator used
>>> by OAuth token endpoint ('pwd') is linked to a *password credential*
>>> that is actually set for the client. It is a common pitfall (as in
>>> Unity you can have multiple password credentials).
>> Could you please describe how to do this step-by-step? I'm afraid I do
>> not speak the Unity language yet.
>> Also, in my first email I linked screenshots of the whole
>> configuration. Can you check whether the authenticator is linked to
>> the correct credential?
>> Perhaps you could point me to the relevant part in the documentation?
>
> One of the screenshots you have shared shows that your OAuth clients are
> configured to authenticate with the *authenticator* called 'pwd'.
>
> Now this authenticator is defining how to check the client's credential.
> In Authentication -> Facilities you will find the list of your
> authenticators. Locate entry 'pwd' there and check details. It should be
> an authenticator of type 'password' (i.e. checking passwords stored
> locally). And in its configuration there will be a password credential
> selected, which is used by this authenticator. Note it down.
>
> Next check if your client (in Directory browser) has this particular
> password credential set. Note that you can define multiple password
> credentials for your system (e.g. one for admins with high security
> requirements, one for ordinary users with lower requirements). Also
> unity defines one by its own (used to for the initial admin's password).
> So it is likely you have >1, and make sure the authenticator is using
> the correct one.
>
> HTH,
> Krzysztof
>
|
From: Krzysztof B. <kb...@un...> - 2021-08-31 09:22:04
|
Dear Zoltan,

On 30.08.2021 at 15:26, Zoltan Bakcsa wrote:
> Dear Krzysztof,
>
> First of all: now it works, many thanks for the help.
>
> > One of the screenshots you have shared shows that your OAuth clients
> are
> > configured to authenticate with the *authenticator* called 'pwd'.
>
> Yes, but that 'pwd' authenticator is under
> Identity provider>Jupyter hub login>Users authentication
> (https://snipboard.io/rUS3MP.jpg). Since it is under Users
> authentication I assumed that authenticator is used (only) for
> checking user's credentials and not the client credentials.

Yes, it is used there, however it was also present on this screenshot: https://snipboard.io/pTxEek.jpg

So you have reused the same authenticator for authenticating users as well as OAuth client. This, on its own, can be a valid setup.

> > Next check if your client (in Directory browser) has this particular
> > password credential set.
>
> I did not have a password configured there. Once I set it (with Update
> credential button in the context menu) and adjusted the jupyter hub
> config it started to work. I must have overlooked the relevant part in
> the docs.
>
> However, it is still super confusing to me.
> Now I have 2 "passwords" for the client.
> The one that can be set in the directory browser here:
> https://snipboard.io/BEAplM.jpg
>
> And another one that can be set under Identity Provider>Jupyter hub
> login> Oauth client> [client ID]>Client secret :
> https://snipboard.io/YnEado.jpg
>
> Of course, up to now I tried to use the client secret from this latter
> option, which did not work.
> What is the purpose of the Client secret then?
>

Hmm, that should set up exactly the same credential - you can access that from two places. From directory you can set all credentials and from IdP -> client you should be only setting the one used for OAuth. I'll recheck that, maybe we have some regression there, but most likely there was some save click missing. Anyway we should improve the UI there to show whether the client secret is set or not.

Best,
Krzysztof

> Br,
> Zoltan
>
> On 8/30/2021 10:25 AM, Krzysztof Benedyczak wrote:
>> Dear Zoltan,
>>
>>
>> On 25.08.2021 at 15:34, ba...@aw... wrote:
>>> Dear Krzysztof,
>>>
>>>> One more thing to check: please ensure that your authenticator used
>>>> by OAuth token endpoint ('pwd') is linked to a *password
>>>> credential* that is actually set for the client. It is a common
>>>> pitfall (as in Unity you can have multiple password credentials).
>>> Could you please describe how to do this step-by-step? I'm afraid I
>>> do not speak the Unity language yet.
>>> Also, in my first email I linked screenshots of the whole
>>> configuration. Can you check whether the authenticator is linked to
>>> the correct credential?
>>> Perhaps you could point me to the relevant part in the documentation?
>>
>> One of the screenshots you have shared shows that your OAuth clients
>> are configured to authenticate with the *authenticator* called 'pwd'.
>>
>> Now this authenticator is defining how to check the client's
>> credential. In Authentication -> Facilities you will find the list of
>> your authenticators. Locate entry 'pwd' there and check details. It
>> should be an authenticator of type 'password' (i.e. checking
>> passwords stored locally). And in its configuration there will be a
>> password credential selected, which is used by this authenticator.
>> Note it down.
>>
>> Next check if your client (in Directory browser) has this particular
>> password credential set. Note that you can define multiple password
>> credentials for your system (e.g. one for admins with high security
>> requirements, one for ordinary users with lower requirements). Also
>> unity defines one by its own (used to for the initial admin's
>> password). So it is likely you have >1, and make sure the
>> authenticator is using the correct one.
>>
>> HTH,
>> Krzysztof
>>
|
From: Roman K. <ro...@un...> - 2021-08-13 16:03:26
|
Hi Zoltan,

Thank you very much, that was helpful.

> Does that mean my configuration posted in my first email looks fine?

I haven't spotted a problem in the Unity configuration at first glance. Looking at the JupyterHub however I noticed this:

> 403 POST https://idp.my-domain.io:2443/oauth-token/token: Token endpoint is protected and all requests require proper authorization.

Can you confirm if this is true, meaning JupyterHub queries the token endpoint with base authentication with client id and client secret credentials?

Thank you,
Roman

Fri, 13 Aug 2021 at 16:18 <ba...@aw...> wrote:

> Hi Roman,
>
> Many thanks for looking into it.
>
> >Just check the scenario manually on my local environment for the version
> you are using, but I was not able to reproduce the problem.
> Does that mean my configuration posted in my first email looks fine?
>
> > please enable the logging for the rest subsystem to the trace level
>
> Unity logs:
> =========
>
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE
> unity.server.oauth.OAuthParseServlet: Received GET request to the OAuth2
> authorization endpoint
>
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE
> unity.server.oauth.OAuthParseServlet: Starting OAuth2 authorization request
> processing
>
> 2021-08-13T12:37:16,122 [qtp620381176-33] TRACE
> unity.server.oauth.OAuthParseServlet: Request to protected address, with
> OAuth2 input, will be processed: /oauth/oauth2-authz
>
> 2021-08-13T12:37:16,123 [qtp620381176-33] TRACE
> unity.server.oauth.OAuthParseServlet: Parsed OAuth request:
> response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io
> %2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=eyJzdGF0ZV9pZCI6ICJjNTAxMmRlYTYxMTQ0ZGUzOTgwZDkzMmI0MzkwYTFmZSIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D&scope=profile+openid
>
> 2021-08-13T12:37:16,134 [qtp620381176-33] TRACE
> unity.server.oauth.OAuthParseServlet: Request with OAuth input handled
> successfully
>
2021-08-13T12:37:16,170 [qtp620381176-36] TRACE > unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing > address, with OAuth context: /oauth/oauth2-authz-web-entry > > 2021-08-13T12:37:16,219 [qtp620381176-36] TRACE > unity.server.oauth.ASConsentDeciderServlet: Consent is required for OAuth > request, forwarding to consent UI > > 2021-08-13T12:37:16,328 [qtp620381176-36] TRACE > unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing > address, with OAuth context: /oauth/oauth2-authz-web-entry > > 2021-08-13T12:37:16,425 [qtp620381176-36] DEBUG > unity.server.externaltranslation.OutputTranslationProfile:[[TrProfile > Embedded]] Unprocessed data from local database: > > Entity 49: > > - [userName] bakcsa > > - [persistent] 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm > > - [targetedPersistent] 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm > > - [transient] 473eea20-47b6-4180-b02f-81559c521e4d for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm > > Attributes: > > - sys:LastAuthentication: [2021-08-13T12:10:25] > > - firstname: [Zoltan] > > - surname: [Bakcsa] > > - name: [Zoltan Bakcsa] > > - sys:AuthorizationRole: [System Manager] > > - sys:CredentialRequirements: [Password requirement] > > - email: [{"value":ba...@aw... 
> ,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] > > - sys:Preferences: > [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate > credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] > > In group: / > > Groups: [/moderators, /] > > Requester: 08e778e4-39a5-4a89-a5a2-ed100edf6d30 > > Requester attributes: > > - sys:oauth:clientType: [CONFIDENTIAL] > > - sys:oauth:allowedReturnURI: [ > https://www.my-domain.io/jupyter/hub/oauth_callback] > > - sys:oauth:allowedGrantFlows: [authorizationCode, implicit, client, > openidHybrid] > > - sys:oauth:clientName: [Jupyter hub login] > > Protocol: OAuth2:authorizationCode > > 2021-08-13T12:37:16,437 [qtp620381176-36] DEBUG > unity.server.externaltranslation.OutputTranslationRule:[[TrProfile > Embedded], [r: 1]] Condition OK > > 2021-08-13T12:37:16,438 [qtp620381176-36] DEBUG > 
unity.server.externaltranslation.CreateAttributeAction:[[TrProfile > Embedded], [r: 1], [08e778e4-39a5-4a89-a5a2-ed100edf6d30 - eId: 49]] > Created a new attribute: userName: [bakcsa] with meta [userName, userName, > false] > > 2021-08-13T12:37:16,443 [qtp620381176-36] DEBUG > unity.server.externaltranslation.OutputTranslationEngine: Output > translation result: > > TranslationResult: > > attributes=[name: [Zoltan Bakcsa] with meta [Name, Name, false], > sys:CredentialRequirements: [Password requirement] with meta > [sys:CredentialRequirements, Defines which credential requirements are set > for the owner, false], email: [{"value":ba...@aw...,"confirmationData":{"confirmed":true,"confirmationDate":1,"sentRequestAmount":0},"tags":[]}] > with meta [E-mail address, E-mail address, false], sys:Preferences: > [{"pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences":"{\"spSettings\":{}}","io.imunity.webadmin.identities.IdentitiesTablePreferences":"{\"colSettings\":{\"scheduledOperation\":{\"width\":-1.0,\"order\":11,\"collapsed\":true},\"credStatus::user_password\":{\"width\":-1.0,\"order\":12,\"collapsed\":true},\"profile\":{\"width\":-1.0,\"order\":10,\"collapsed\":true},\"type\":{\"width\":-1.0,\"order\":1,\"collapsed\":false},\"local\":{\"width\":-1.0,\"order\":4,\"collapsed\":true},\"target\":{\"width\":-1.0,\"order\":7,\"collapsed\":true},\"identity\":{\"width\":-1.0,\"order\":2,\"collapsed\":false},\"credStatus::Certificate > 
credential\":{\"width\":-1.0,\"order\":14,\"collapsed\":true},\"dynamic\":{\"width\":-1.0,\"order\":5,\"collapsed\":true},\"realm\":{\"width\":-1.0,\"order\":8,\"collapsed\":true},\"remoteIdP\":{\"width\":-1.0,\"order\":9,\"collapsed\":true},\"entity\":{\"width\":-1.0,\"order\":0,\"collapsed\":false},\"status\":{\"width\":-1.0,\"order\":3,\"collapsed\":false},\"credReq\":{\"width\":-1.0,\"order\":6,\"collapsed\":true},\"credStatus::sys:password\":{\"width\":-1.0,\"order\":13,\"collapsed\":true}},\"checkBoxSettings\":{\"groupByEntities\":true,\"showTargeted\":true}}"}] > with meta [sys:Preferences, Preferences of the user, false], surname: > [Bakcsa] with meta [Surname, null, false], userName: [bakcsa] with meta > [userName, userName, false], sys:LastAuthentication: [2021-08-13T12:10:25] > with meta [sys:LastAuthentication, Stores date and time of the last > successful authentication. The format is ISO time in UTC time zone with > seconds precision, e.g.: 2011-12-03T10:15:30, false], firstname: [Zoltan] > with meta [Firstname, null, false], sys:AuthorizationRole: [System Manager] > with meta [Authorization role, Defines what operations are allowed for the > bearer. The attribute of this type defines the access in the group where it > is defined and in all subgroups. In subgroup it can be redefined to grant > more access. Roles: > > <b>System Manager</b> - System manager with all privileges. > > <b>Contents Manager</b> - Allows for performing all management operations > related to groups, entities and attributes. Also allows for reading > information about hidden attributes. > > <b>Privileged Inspector</b> - Allows for reading entities, groups and > attributes, including the attributes visible locally only. No modifications > are possible > > <b>Inspector</b> - Allows for reading entities, groups and attributes. 
No > modifications are possible > > <b>Regular User</b> - Allows owners for reading of the basic system > information, retrieval of information about themselves and also for > changing self managed attributes, identities and passwords > > <b>Anonymous User</b> - Allows for minimal access to the system: owners > can get basic system information and retrieve information about themselves > > , false]] > > identities=[[userName] bakcsa, [persistent] > 62eb128f-a74a-49d6-856c-30b70bacd6e7@defaultRealm, [targetedPersistent] > 8dc6fece-24a4-45b6-ad94-80f8b44c3a16 for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm, [transient] > 473eea20-47b6-4180-b02f-81559c521e4d for > 08e778e4-39a5-4a89-a5a2-ed100edf6d30@defaultRealm] > > attributesToPersist=[] > > identitiesToPersist=[] > > redirectURL=null > > 2021-08-13T12:37:16,572 [qtp620381176-33] TRACE > unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal > address /oauth/oauth2-authz-web-entry/UIDL/ > > 2021-08-13T12:37:17,632 [qtp620381176-29] TRACE > unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal > address /oauth/oauth2-authz-web-entry/UIDL/ > > 2021-08-13T12:37:24,831 [qtp620381176-33] TRACE > unity.server.oauth.OAuthGuardFilter: Ignoring request to Vaadin internal > address /oauth/oauth2-authz-web-entry/UIDL/ > > 2021-08-13T12:37:25,142 [qtp620381176-29] TRACE > unity.server.oauth.OAuthGuardFilter: Request to OAuth post-processing > address, with OAuth context: /oauth/oauth2-authz-web-entry > > 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE > unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd > > 2021-08-13T12:37:25,374 [qtp620381176-29] TRACE > unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found > > 2021-08-13T12:37:25,379 [qtp620381176-29] TRACE > unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned deny > > 2021-08-13T12:37:25,379 [qtp620381176-29] DEBUG > unity.server.rest.AuthenticationInterceptor: 
Authentication set failed to > authenticate the client using flow pwd, will try another: > pl.edu.icm.unity.engine.api.authn.AuthenticationException: > AuthenticationProcessorImpl.authnFailed > > 2021-08-13T12:37:25,379 [qtp620381176-29] INFO > unity.server.rest.AuthenticationInterceptor: Authentication failed for > client > > 2021-08-13T12:37:25,380 [qtp620381176-29] WARN > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { > http://token.as.oauth.unity.icm.edu.pl/}DiscoveryResource has thrown > exception, unwinding now > > org.apache.cxf.interceptor.Fault: Invalid user name, credential or > external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > 
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > ... 
56 more > > 2021-08-13T12:37:25,381 [qtp620381176-29] DEBUG > unity.server.rest.EngineExceptionMapper: Access denied for rest client > > pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user > name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > ~[cxf-core-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > 
~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
> at java.lang.Thread.run(Thread.java:829) [?:?]
>
> Jupyter-hub logs:
> ==============
>
> swarm-1 | [I 2021-08-13 12:46:27.940 JupyterHub log:189] 200 GET /jupyter/hub/login?next=%2Fjupyter%2Fhub%2F (@::ffff:10.0.0.2) 3.06ms
> swarm-1 | [D 2021-08-13 12:46:28.028 JupyterHub log:189] 200 GET /jupyter/hub/static/favicon.ico?v=fde5757cd3892b979919d3b1faa88a410f28829feb5ba22b6cf069f2c6c98675fceef90f932e49b510e74d65c681d5846b943e7f7cc1b41867422f0481085c1f (@::ffff:10.0.0.2) 1.32ms
> swarm-1 | [I 2021-08-13 12:46:34.633 JupyterHub oauth2:111] OAuth redirect: 'https://www.my-domain.io/jupyter/hub/oauth_callback'
> swarm-1 | [D 2021-08-13 12:46:34.633 JupyterHub base:526] Setting cookie oauthenticator-state: {'httponly': True, 'expires_days': 1}
> swarm-1 | [I 2021-08-13 12:46:34.634 JupyterHub log:189] 302 GET /jupyter/hub/oauth_login?next=%2Fjupyter%2Fhub%2F -> https://idp.my-domain.io:2443/oauth/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fwww.my-domain.io%2Fjupyter%2Fhub%2Foauth_callback&client_id=08e778e4-39a5-4a89-a5a2-ed100edf6d30&state=[secret]&scope=profile+openid (@::ffff:10.0.0.2) 1.87ms
> swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub oauth2:389] Error fetching access token 403 POST https://idp.my-domain.io:2443/oauth-token/token: {
> swarm-1 | "error": "AuthenticationException",
> swarm-1 | "message": "Invalid user name, credential or external authentication failed. "
> swarm-1 | }
> swarm-1 | [E 2021-08-13 12:46:36.636 JupyterHub web:1789] Uncaught exception GET /jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D (::ffff:10.0.0.2)
> swarm-1 | HTTPServerRequest(protocol='http', host='my-domain.io', method='GET', uri='/jupyter/hub/oauth_callback?code=pRxT-T8ySyI8UJxnRTtSShspr_GWNZvYazCWR_Nlb40&state=eyJzdGF0ZV9pZCI6ICJjMTk4OGYyMmY5ZTA0ZTQ1YWUzMTBmY2Q4MDEwMTIwMyIsICJuZXh0X3VybCI6ICIvanVweXRlci9odWIvIn0%3D', version='HTTP/1.1', remote_ip='::ffff:10.0.0.2')
> swarm-1 | Traceback (most recent call last):
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/tornado/web.py", line 1704, in _execute
> swarm-1 | result = await result
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 231, in get
> swarm-1 | user = await self.login_user()
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/jupyterhub/handlers/base.py", line 754, in login_user
> swarm-1 | authenticated = await self.authenticate(data)
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/jupyterhub/auth.py", line 469, in get_authenticated_user
> swarm-1 | authenticated = await maybe_future(self.authenticate(handler, data))
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/generic.py", line 169, in authenticate
> swarm-1 | token_resp_json = await self._get_token(headers, params)
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 390, in fetch
> swarm-1 | raise e
> swarm-1 | File "/usr/local/lib/python3.8/dist-packages/oauthenticator/oauth2.py", line 369, in fetch
> swarm-1 | resp = await self.http_client.fetch(req, **kwargs)
> swarm-1 | tornado.httpclient.HTTPClientError: HTTP 403: Forbidden
> swarm-1 |
> swarm-1 | [D 2021-08-13 12:46:36.638 JupyterHub base:1285] No template for 500
> swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:181] {
> swarm-1 | "X-Forwarded-Proto": "http",
> swarm-1 | "X-Forwarded-Port": "80",
> swarm-1 | "Connection": "close",
> swarm-1 | "X-Forwarded-Server": "my-domain.io",
> swarm-1 | "X-Forwarded-Host": "my-domain.io",
> swarm-1 | "X-Forwarded-For": "82.218.144.186,::ffff:10.0.0.2",
> swarm-1 | "Cookie": "_shibsession_64656661756c7468747470733a2f2f706f6c61727465702e696f2f73686962626f6c657468=[secret]; jupyterhub-session-id=[secret]; _xsrf=[secret]; oauthenticator-state=[secret]",
> swarm-1 | "Accept-Language": "en-US,en;q=0.9,hu;q=0.8,de;q=0.7",
> swarm-1 | "Accept-Encoding": "gzip, deflate, br",
> swarm-1 | "Referer": https://idp.my-domain.io:2443/,
> swarm-1 | "Sec-Ch-Ua-Mobile": "?0",
> swarm-1 | "Sec-Ch-Ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"92\"",
> swarm-1 | "Sec-Fetch-Dest": "document",
> swarm-1 | "Sec-Fetch-User": "?1",
> swarm-1 | "Sec-Fetch-Mode": "navigate",
> swarm-1 | "Sec-Fetch-Site": "same-site",
> swarm-1 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
> swarm-1 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73",
> swarm-1 | "Upgrade-Insecure-Requests": "1",
> swarm-1 | "Cache-Control": "max-age=0",
> swarm-1 | "Host": "my-domain.io"
> swarm-1 | }
> swarm-1 | [E 2021-08-13 12:46:36.640 JupyterHub log:189] 500 GET /jupyter/hub/oauth_callback?code=[secret]&state=[secret] (@::ffff:10.0.0.2) 72.98ms
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Friday, August 13, 2021 11:54 AM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* *****SPAM***** Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> Just checked the scenario manually on my local environment for the version
> you are using, but I was not able to reproduce the problem.
>
> In order to proceed further with investigation, please enable the logging
> for the rest subsystem to the trace level, do a re-test of your scenario
> and provide the log records from the unity.
>
> To enable trace logging for rest, make sure to have the following in
> log4j2.xml file
>
> <Logger name="unity.server.rest" level="TRACE"/>
>
> Also if you could enable the trace logging for Jupyter and provide output
> that would be helpful. One thing which is puzzling me is why the oauth
> client queries the revocation endpoint after login?
>
> Thank you,
>
> Roman
>
> *From:* Roman Krysiński <ro...@un...>
> *Sent:* Thursday, August 12, 2021 12:02 PM
> *To:* ba...@aw...
> *Cc:* Unity ML <uni...@li...>
> *Subject:* Re: [Unity-idm-discuss] OpenID connect - Jupyter hub Invalid user name, credential or external authentication failed
>
> Hi Zoltan,
>
> This is to let you know that we are working on this, and we will let you
> know after investigation.
>
> Thanks for reaching out to the community.
>
> Roman
>
> Wed, 11 Aug 2021 at 17:34 <ba...@aw...> wrote:
>
> Dear Unity community,
>
> I’m trying to integrate Jupyter hub with Unity-idm. My goal is to
> authenticate users using OpenID Connect.
>
> Unity version:
>
> 3.2.3
>
> Relevant configuration:
>
> Identity Provider - General tab: https://snipboard.io/WXrU3V.jpg
>
> Identity Provider - Clients tab: https://snipboard.io/pTxEek.jpg
>
> Jupyter-hub-client: https://snipboard.io/6olp81.jpg
>
> Relevant part of jupyterhub_config.py:
>
> c.GenericOAuthenticator.client_id="removed "
> c.GenericOAuthenticator.client_secret="removed"
> c.GenericOAuthenticator.oauth_callback_url="https://www.mydomain.io/jupyter/hub/oauth_callback"
> c.GenericOAuthenticator.authorize_url="https://idp.mydomain.io:2443/oauth/oauth2-authz"
> c.GenericOAuthenticator.token_url="https://idp.mydomain.io:2443/oauth-token/token"
> c.GenericOAuthenticator.userdata_url="https://idp.mydomain.io:2443/oauth-token/userinfo"
> c.GenericOAuthenticator.username_key="userName"
> #c.GenericOAuthenticator.userdata_params.state="state"
> c.GenericOAuthenticator.userdata_params = {'state': 'state'}
> c.GenericOAuthenticator.scope = ['profile','openid']
>
> I’ve double checked the client_id and secret many times, I’m pretty sure
> they are correct.
>
> What happens:
>
> 1. Go to https://mydomain.io/jupyter/
> 2. Click on “Sign in with OAuth 2.0” button
> 3. Redirect to unity at https://idp.mydomain.io:2443/oauth/oauth2-authz-web-entry
> 4. Login with my username/password
> 5. Confirmation dialog: https://snipboard.io/XG5Ui8.jpg
> 6. After clicking on the Confirm button I get redirected to Jupyter
> hub where I get a “500: Internal Server Error”.
>
> Checking unity logs I see the following warning:
>
> WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
>
> (Full stack trace at the end of the email.)
>
> This message does not tell much to me, all credentials are correct that I
> configured.
>
> Could someone help me out? Did I misconfigure something?
>
> Cheers,
>
> Zoltan Bakcsa
>
> 2021-08-11T14:30:40,648 [qtp1132146097-94] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for { http://token.as.oauth.unity.icm.edu.pl/}RevocationResource has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
> at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:118) ~[unity-server-rest-3.2.3.jar:?]
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220) ~[cxf-rt-transports-http-3.3.1.jar:3.3.1]
> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:707) > ~[javax.servlet-api-3.1.0.jar:3.1.0] > > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) > ~[cxf-rt-transports-http-3.3.1.jar:3.3.1] > > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:310) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:264) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:472) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:325) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:295) > ~[jetty-servlets-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) > ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) > ~[unity-server-engine-3.2.3.jar:?] > > at > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) > ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at org.eclipse.jetty.server.Server.handle(Server.java:500) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) > ~[unity-server-engine-3.2.3.jar:?] 
> > at > org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) > ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) > [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) > [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) > [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022] > > at java.lang.Thread.run(Thread.java:829) [?:?] > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:109) > ~[unity-server-rest-3.2.3.jar:?] > > ... 56 more > > _______________________________________________ > Unity-idm-discuss mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
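The failing step in the logs above is the authorization-code exchange at the token endpoint (403, `AuthenticationException`), so it can be rebuilt by hand and replayed outside JupyterHub to separate a credential problem from a client-side one. The following is an added example, not code from the thread, JupyterHub or Unity: it builds the request with both client-authentication styles of RFC 6749 section 2.3.1 and checks the credentials for characters that silently change what the server sees. The client id, secret and code are constructed placeholders, and the thread does not establish which style either side expects.

```python
"""Rebuild the authorization-code token request by hand (added example)."""
import base64
import shlex
from urllib.parse import urlencode

# Endpoint and callback as posted in the thread's jupyterhub_config.py.
TOKEN_URL = "https://idp.mydomain.io:2443/oauth-token/token"
REDIRECT_URI = "https://www.mydomain.io/jupyter/hub/oauth_callback"

# Characters that pass through Basic auth and form encoding unchanged
# (RFC 3986 unreserved set).
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def credential_problems(name, value):
    """Return findings about a client_id or client_secret value that would
    make the server receive something other than what was registered."""
    findings = []
    if value != value.strip():
        findings.append(f"{name}: leading or trailing whitespace")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        findings.append(f"{name}: control character (e.g. pasted newline)")
    if not value.isascii():
        findings.append(f"{name}: non-ASCII character, Basic auth charset is ambiguous")
    elif any(ch not in UNRESERVED for ch in value.strip()):
        findings.append(
            f"{name}: reserved character, client and server must agree on form-encoding"
        )
    return findings


def token_request(code, client_id, client_secret, method="client_secret_basic"):
    """Build (headers, body) for the code exchange of RFC 6749 section 4.1.3.

    method is "client_secret_basic" (credentials in the Authorization header)
    or "client_secret_post" (credentials in the form body).
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        # Must be identical to the redirect_uri sent in the authorization request.
        "redirect_uri": REDIRECT_URI,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if method == "client_secret_basic":
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(form)


def as_curl(headers, body, url=TOKEN_URL):
    """Render the request as a curl command for replay against the token endpoint."""
    parts = ["curl", "-sS", "-i", "-X", "POST", url]
    for key, value in headers.items():
        parts += ["-H", f"{key}: {value}"]
    parts += ["--data", body]
    return " ".join(shlex.quote(part) for part in parts)


if __name__ == "__main__":
    # Constructed placeholders: substitute the registered client id/secret and
    # a fresh code copied from the /oauth_callback?code=... redirect.
    client_id = "example-client-id"
    client_secret = "example-client-secret"
    code = "example-authorization-code"

    for finding in (credential_problems("client_id", client_id)
                    + credential_problems("client_secret", client_secret)):
        print("WARNING:", finding)

    for method in ("client_secret_basic", "client_secret_post"):
        headers, body = token_request(code, client_id, client_secret, method)
        print(f"# {method}")
        print(as_curl(headers, body))
```

An authorization code is single use, so each replay needs a fresh `code` value from the callback URL. If both styles are rejected with the same 403, the client credential or its registration on the identity provider is the place to look rather than JupyterHub.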