NUKIB/misp

OIDC integration with Okta


Hi all,

Not sure if this counts as a totally new issue or rather a follow-on to OIDC Integration #20. I'm trying to integrate with Okta and not having success. I have tried many variations of config changes based on the discussions in #20 and also some other suggestions found online. I am brand new to this and I don't know enough to know if the lack of success is due to something on the Okta side or the OIDC integration itself.

As the situation stands now, I am redirected to Okta to authenticate and the Okta app appears to be configured correctly to provide the required role claim. From /var/log/httpd/error.log:

oidc_util_set_app_info: setting environment variable "OIDC_CLAIM_roles: misp-access", referer:...

And there are log entries that appear to show successful authorization based on the role. Again from error.log:

mod_authz_core.c(820): [client 192.168.X.X:15786] AH01626: authorization result of Require claim roles:misp-access: granted

However, there are later log entries further on that appear to show authorization failed.

mod_authz_core.c(820): [client 192.168.X.X:2782] AH01626: authorization result of Require claim roles:misp-access: denied (no authenticated user yet)

After authenticating with Okta, the web UI redirects to an error page that says:

```
An Internal Error Has Occurred.

Error: An Internal Error Has Occurred. Please try your action again. If the problem persists, please contact administrator.
```

In /var/www/MISP/app/tmp/logs/error.log, there are the following log entries:

```
2022-10-31 22:02:39 Error: [JakubOnderka\ErrorResponse] Error 'invalid_client' received from IdP: The audience claim for client_assertion must be the endpoint invoked for the request.
Request URL: /users/login
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(890): JakubOnderka\OpenIDConnectClient->endpointRequest()
#1 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(555): JakubOnderka\OpenIDConnectClient->requestAuthorization()
#2 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(22): JakubOnderka\OpenIDConnectClient->authenticate()
#3 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(32): Oidc->authenticate()
#4 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#5 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#6 /var/www/MISP/app/Controller/UsersController.php(1214): AuthComponent->login()
#7 [internal function]: UsersController->login()
#8 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#9 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#10 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#11 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#12 {main}
```

Again, I have tried many different configuration variations both within the Okta app as well as with the MISP instance. Would anyone have thoughts on what the issue might be?
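The `invalid_client` message quoted above is the IdP rejecting the `client_assertion` JWT that the OIDC client sends when it authenticates with a signed assertion (the private_key_jwt or client_secret_jwt methods of OIDC Core section 9 / RFC 7523). The message states the rule directly: the JWT's `aud` claim must equal the URL of the endpoint the assertion is posted to, so an assertion minted for one URL (for example the issuer URL, or a different endpoint of the same authorization server) is not accepted at another. The Python below is an added example, not MISP or openid-connect-php code, that mints such an assertion and then re-runs the checks an IdP applies to it, so that the audience failure can be reproduced and inspected offline. It signs with HS256 and a client secret so it runs on the standard library alone; private_key_jwt differs only in using an asymmetric key, the claim set and the `aud` rule are the same. The client id, secret and URLs are constructed placeholders.

```python
"""Mint and verify an OIDC client_assertion JWT, including the audience rule
behind Okta's "audience claim for client_assertion must be the endpoint
invoked" error. Added example; HS256 (client_secret_jwt) is used so it runs
on the standard library only. Identifiers and URLs are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(client_id: str, audience: str, secret: bytes,
                          now=None, lifetime: int = 300) -> str:
    """Build the JWT a client posts as client_assertion.
    iss and sub are both the client_id; aud must be the URL being invoked."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_client_assertion(assertion: str, client_id: str, endpoint_url: str,
                            secret: bytes, now=None, seen_jti=None):
    """Apply the checks an IdP endpoint applies; return (ok, reason).
    endpoint_url is the URL this request actually hit, which is what aud
    is compared against (not the issuer, not some other endpoint)."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = assertion.split(".")
    except ValueError:
        return False, "malformed JWT"
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never accept 'none' or a surprise alg
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss and sub must both equal the client_id"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # RFC 7519: string or array
    if endpoint_url not in audiences:
        return False, f"aud {aud!r} is not the endpoint invoked ({endpoint_url})"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if seen_jti is not None:                  # optional replay protection on jti
        if claims.get("jti") in seen_jti:
            return False, "jti replayed"
        seen_jti.add(claims.get("jti"))
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not a real tenant.
    CLIENT_ID = "0oa_example_client"
    SECRET = b"constructed-client-secret"
    ISSUER = "https://idp.example.com/oauth2/default"
    TOKEN_EP = ISSUER + "/v1/token"
    PAR_EP = ISSUER + "/v1/par"

    good = make_client_assertion(CLIENT_ID, TOKEN_EP, SECRET)
    print("aud=token endpoint, posted to token endpoint:",
          verify_client_assertion(good, CLIENT_ID, TOKEN_EP, SECRET))
    # Same assertion presented at a different endpoint of the same server fails.
    print("aud=token endpoint, posted to PAR endpoint:  ",
          verify_client_assertion(good, CLIENT_ID, PAR_EP, SECRET))
    # aud set to the issuer URL instead of the endpoint URL also fails.
    bad = make_client_assertion(CLIENT_ID, ISSUER, SECRET)
    print("aud=issuer, posted to token endpoint:        ",
          verify_client_assertion(bad, CLIENT_ID, TOKEN_EP, SECRET))
```

To inspect what the MISP client actually sent, decode the middle segment of the `client_assertion` parameter from the request (the `b64url_decode` helper above does it) and compare its `aud` against the URL the library posted to; the two strings have to be identical, including scheme, host, authorization-server path and `/v1/...` suffix.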

@ondj I'm getting a similar issue now:

oidc_authz successful

[Mon Aug 21 21:39:27.105460 2023] [auth_openidc:debug] [pid 420:tid 281472785362896] src/authz.c(199): [client 172.31.0.1:56828] oidc_authz_match_claim: evaluating key "roles"
[Mon Aug 21 21:39:27.105463 2023] [auth_openidc:debug] [pid 420:tid 281472785362896] src/authz.c(63): [client 172.31.0.1:56828] oidc_authz_match_value: matching: spec_c=misp-access, key=roles
[Mon Aug 21 21:39:27.105466 2023] [auth_openidc:debug] [pid 420:tid 281472785362896] src/authz.c(451): [client 172.31.0.1:56828] oidc_authz_worker24: require claim/expr 'roles:misp-access' matched
[Mon Aug 21 21:39:27.105471 2023] [authz_core:debug] [pid 420:tid 281472785362896] mod_authz_core.c(820): [client 172.31.0.1:56828] AH01626: authorization result of Require claim roles:misp-access: granted
[Mon Aug 21 21:39:27.105474 2023] [authz_core:debug] [pid 420:tid 281472785362896] mod_authz_core.c(820): [client 172.31.0.1:56828] AH01626: authorization result of <RequireAny>: granted
[Mon Aug 21 21:39:27.105494 2023] [proxy:debug] [pid 420:tid 281472785362896] mod_proxy.c(1265): [client 172.31.0.1:56828] AH01143: Running scheme unix handler (attempt 0)
[Mon Aug 21 21:39:27.105498 2023] [proxy_fcgi:debug] [pid 420:tid 281472785362896] mod_proxy_fcgi.c(1021): [client 172.31.0.1:56828] AH01076: url: fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/index.php proxyname: (null) proxyport: 0
[Mon Aug 21 21:39:27.105501 2023] [proxy_fcgi:debug] [pid 420:tid 281472785362896] mod_proxy_fcgi.c(1028): [client 172.31.0.1:56828] AH01078: serving URL fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/index.php
[Mon Aug 21 21:39:27.105505 2023] [proxy:debug] [pid 420:tid 281472785362896] proxy_util.c(2353): AH00942: FCGI: has acquired connection for (127.0.0.1)

Error once authenticated

2023-08-21 21:39:26 Error: [JakubOnderka\ErrorResponse] Error 'invalid_client' received from IdP: The audience claim for client_assertion must be the endpoint invoked for the request.
Request URL: /users/login
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(890): JakubOnderka\OpenIDConnectClient->endpointRequest()
#1 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(555): JakubOnderka\OpenIDConnectClient->requestAuthorization()
#2 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(24): JakubOnderka\OpenIDConnectClient->authenticate()
#3 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(33): Oidc->authenticate()
#4 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#5 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#6 /var/www/MISP/app/Controller/UsersController.php(1233): AuthComponent->login()
#7 [internal function]: UsersController->login()
#8 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#9 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#10 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#11 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#12 {main}