
Comments (11)

Vladysl commented on May 29, 2024

Hi @mavenzer
Implemented in #1611.
We added a new boolean variable pkce, so you need to specify AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE.
We will try to release this feature during the current week.

We tested it locally using keycloak with this config:

      keycloak:
        provider: 'keycloak'
        client-id: 'odd-platform'
        client-secret:
        scope:
          - openid
        client-name: 'odd-platform'
        redirect-uri: 'http://localhost:8080/login/oauth2/code/keycloak'
        issuer-uri: 'http://localhost:8081/realms/odd-login'
        user-name-attribute: preferred_username
        admin-attribute: preferred_username
        admin-principals: admin
        pkce : true

from odd-platform.

Vladysl commented on May 29, 2024

Hi @mavenzer,
auth.oauth2.client.{client-id}.redirect-uri: Redirect URL. Must be defined as {domain}/login/oauth2/code/{client-id},
but you defined it as
AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI= "https://omegastar.kalix.testserver.alexnet.com/login"

More info here: https://docs.opendatadiscovery.org/configuration-and-deployment/enable-security/authentication/oauth2-oidc#other-oidc-providers


Vladysl commented on May 29, 2024

Hi @mavenzer, thank you for your feedback.
Currently, we are not supporting authentication using PKCE.
Could you please let us know:

  1. Do you have any workarounds for this?
  2. Do you have any time limits on how long you can use client_secret instead of PKCE? We will try to prioritise the implementation of this.

Also, could you please provide some logs from odd-platform?


mavenzer commented on May 29, 2024

Hi @Vladysl,

There is nothing specific in the logs (I'm attaching the logs below).
So by policy our SSO doesn't support client secret, and currently only PKCE is supported.

We are also looking into the implementation of LDAP.

Platform logs:

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v3.1.0)

2024-02-05T16:18:52.592Z  INFO 1 --- [           main] o.o.oddplatform.ODDPlatformApplication   : Starting ODDPlatformApplication using Java 17.0.2 with PID 1 (/app/classes started by 1005330000 in /app)
2024-02-05T16:18:52.596Z  INFO 1 --- [           main] o.o.oddplatform.ODDPlatformApplication   : No active profile set, falling back to 1 default profile: "default"
2024-02-05T16:18:56.495Z  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Multiple Spring Data modules found, entering strict repository configuration mode
2024-02-05T16:18:56.498Z  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2024-02-05T16:18:56.721Z  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 213 ms. Found 0 Redis repository interfaces.
2024-02-05T16:18:59.720Z  INFO 1 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2024-02-05T16:19:00.195Z  INFO 1 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Added connection org.postgresql.jdbc.PgConnection@7455204c
2024-02-05T16:19:00.197Z  INFO 1 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2024-02-05T16:19:00.400Z  INFO 1 --- [           main] o.f.core.internal.command.DbValidate     : Successfully validated 86 migrations (execution time 00:00.170s)
2024-02-05T16:19:00.411Z  INFO 1 --- [           main] o.f.core.internal.command.DbMigrate      : Current version of schema "public": 0.0.86
2024-02-05T16:19:00.412Z  WARN 1 --- [           main] o.f.core.internal.command.DbMigrate      : Schema "public" has a version (0.0.86) that is newer than the latest available migration (0.0.85) !
2024-02-05T16:19:00.413Z  INFO 1 --- [           main] o.f.core.internal.command.DbMigrate      : Schema "public" is up to date. No migration necessary.
2024-02-05T16:19:04.282Z  INFO 1 --- [           main] org.reflections.Reflections              : Reflections took 94 ms to scan 1 urls, producing 2 keys and 58 values
2024-02-05T16:19:06.021Z  INFO 1 --- [           main] ctiveUserDetailsServiceAutoConfiguration : 

Using generated security password: 4c22e6bc-7f86-43aa-91d8-6a5fd1ff910d

2024-02-05T16:19:08.197Z  INFO 1 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 4 endpoint(s) beneath base path '/actuator'
2024-02-05T16:19:09.314Z  INFO 1 --- [           main] o.s.b.web.embedded.netty.NettyWebServer  : Netty started on port 8080
2024-02-05T16:19:09.403Z  INFO 1 --- [           main] o.o.oddplatform.ODDPlatformApplication   : Started ODDPlatformApplication in 17.703 seconds (process running for 18.38)
2024-02-05T16:27:31.850Z  INFO 1 --- [tor-tcp-epoll-1] org.jooq.Constants                       : 
2024-02-05T16:27:31.851Z  INFO 1 --- [tor-tcp-epoll-1] org.jooq.Constants                       : 

jOOQ tip of the day: In order to improve cardinality estimates, it can be valuable to auto-inline bind variables on certain columns, e.g. on enum types: https://www.jooq.org/doc/latest/manual/sql-building/dsl-context/custom-settings/settings-auto-inline-bind-values/

2024-02-05T16:34:09.467Z  INFO 1 --- [   scheduling-1] o.j.i.D.logVersionSupport                : Version                  : Database version is supported by dialect POSTGRES: 15.3


mavenzer commented on May 29, 2024

Thanks @Vladysl for implementing it. One question which I wanted to ask whenever we are pulling the updated images:
To confirm, we need to add two env variables in the deployment manifest:

            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE
              value: "RANDOM_STRING_GENERATED_HASHES"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CHALLENGE_METHOD
              value: "S256"

Or do we need to add any other values as well?


Vladysl commented on May 29, 2024

Hi @mavenzer, we are using Spring Boot and, according to the documentation,
image
when you pass client-secret as an empty string and specify AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE=true,
we will apply PKCE. We are not controlling any CHALLENGE_METHOD or CODE_CHALLENGE.

In our case with keycloak it was enough to perform authorization.
Also for keycloak we specified Challenge Method = S256:
image

If you have any specific cases, could you please describe them?

Example:
Auth page:
image
Invalid creds:
image
Valid creds:
image
image

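The two points raised in this thread, the redirect-uri convention ({domain}/login/oauth2/code/{client-id}, where {client-id} is the registration key from the env var name, "keycloak" or "mobilesso" here) and the PKCE work that Spring does for the client once pkce is enabled, as one added Python example; this is not ODD Platform or Spring code, and the domain and registration key used in the sample are assumed values.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample values (not from the thread). The registration key is the
# middle part of the env var names, e.g. AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE -> "mobilesso".
SAMPLE_DOMAIN = "https://odd.example.invalid"
SAMPLE_REGISTRATION = "mobilesso"

_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier; the OAuth2 client generates a fresh one per authorization request."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def is_valid_verifier(verifier: str) -> bool:
    """43..128 unreserved characters, as RFC 7636 section 4.1 requires."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def s256_challenge(verifier: str) -> str:
    """code_challenge for method S256: BASE64URL(SHA-256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """The check the authorization server performs at the token endpoint; unknown methods fail closed."""
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


def expected_redirect_uri(domain: str, registration: str) -> str:
    """The callback path from the linked docs: {domain}/login/oauth2/code/{client-id}."""
    return f"{domain.rstrip('/')}/login/oauth2/code/{registration}"


def redirect_uri_matches(configured: str, domain: str, registration: str) -> bool:
    """True when AUTH_OAUTH2_CLIENT_<REG>_REDIRECT_URI points at the callback the platform serves."""
    return configured.rstrip("/") == expected_redirect_uri(domain, registration)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    print(verifier, challenge, verify_challenge(verifier, challenge))
    print(redirect_uri_matches(f"{SAMPLE_DOMAIN}/login", SAMPLE_DOMAIN, SAMPLE_REGISTRATION))
```

A redirect-uri ending in /login, as in the deployment above, makes the last line print False, which is the misconfiguration the earlier comment points out.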

mavenzer commented on May 29, 2024

Thanks a lot for the explanation. @Vladysl, is it possible for you to release an intermediate release (image release) to test the connection to our auth servers with PKCE?


AndreyNenashev commented on May 29, 2024

@mavenzer @Vladysl the latest minor release with pkce:

https://github.com/opendatadiscovery/odd-platform/pkgs/container/odd-platform/176555201?tag=0.23.1


mavenzer commented on May 29, 2024

Thanks a lot for the minor release. Really appreciate the efforts, @AndreyNenashev @Vladysl.


mavenzer commented on May 29, 2024

Hi @Vladysl,

I have applied the same configs as mentioned by you:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: odd-helm-odd-platform
  labels:
    helm.sh/chart: odd-platform-0.1.6
    app.kubernetes.io/name: odd-platform-test
    app.kubernetes.io/instance: odd-helm-v1
    app.kubernetes.io/version: "latest"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: odd-platform-test
      app.kubernetes.io/instance: odd-helm-v1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: odd-platform-test
        app.kubernetes.io/instance: odd-helm-v1
    spec:
      serviceAccountName: odd-helm-v1-odd-platform-test
      securityContext: {}
      containers:
        - name: odd-platform
          securityContext: {}
          image: "odd-platform:0.23.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: SPRING_DATASOURCE_URL
              value: "jdbc:postgresql://odd-postgresql.alex-testing-geting-cluster.svc.cluster.local/postgres"
            - name: SPRING_DATASOURCE_USERNAME
              value: postgres
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: odd-postgresql
                  key:  postgres-password
            - name : AUTH_TYPE
              value: "OAUTH2"
            - name : AUTH_OAUTH2_CLIENT_MOBILESSO_PROVIDER
              value:  "mobilesso"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_ID
              value: "CLIENT_ID_TESTING_ODD"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE
              value: "true"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE_METHOD
              value: "S256"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_SCOPE
              value: "openid,email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI
              value: "https://omegastar.kalix.testserver.alexnet.com/login"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_NAME
              value:  "MobileSSO"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ISSUER_URI
              value:  "https://generic-v1-test-kalix.com/FedBroker"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_USER_NAME_ATTRIBUTE
              value:  "email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_ATTRIBUTE
              value: "email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_PRINCIPALS
              value: "[email protected]"

          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 30
          resources: {}
          volumeMounts: []
      volumes: []

Whenever I'm going to the URL (https://omegastar.kalix.testserver.alexnet.com/login) and entering the password and username, it's returning and failing back to the same state (https://omegastar.kalix.testserver.alexnet.com/login?code=YSasasasASAXTSF7nf6YASASKLANSw50K4sWsC7LiDQmwfWd8kjESwAAAEs&state=cb5ace6d96e64530838fd2a6808b37b9), but I'm not able to see the ODD interface.

Any possible thing which I'm missing in the configs?

Best Regards


mavenzer commented on May 29, 2024

Thanks a lot!
