Using a claim other than 'roles' for OIDC
jamesacris opened this issue · 7 comments
Hi,
I'm attempting to use OIDC for authentication on MISP. I understand MISP by default requires the roles claim for role mapping, but unfortunately the IdP I'm using cannot populate the JWT with a roles claim. It instead provides a groups claim to achieve the same goal. So far I have set up misp and misp/admin groups which I intend to map to the misp-access and misp-admin roles.
Is it possible to use this groups claim instead of the roles claim? In what way would I need to customise the image to achieve this? Any support would be greatly appreciated.
I noticed this in misp.conf:
Line 80 in 9c9c9cc
Which means that the profile scope in OIDC is not being requested - this is the scope that contains both roles and groups.
When I un-comment this line and add profile, I get different behaviour. Where before I was met with a "permission denied" page, I now hit a different OIDC error page on login, related to the crypto challenge method (a separate issue which I need to work out with my IdP), but I'd still like to know if there's a way to use groups instead of roles.
Hi !
We had the same issue and we solved it in the image with the following.
As mentioned, let's suppose we have a misp group for users with the User role and a misp/admin group for users with the Admin role.
Replace this line by (for regexp syntax please refer to this page):
Require claim "groups~misp*"
Edit this section (the roles_property field is added according to this code):
'roles_property' => 'groups',
'role_mapper' => [
    '/misp' => 3, // User
    '/misp/admin' => 1, // Admin
],
Hope this helps !
Hi @vba-anssi - thanks for your input, good to hear someone has managed to get it working. Your suggestions are in line with a few things I've tried. I will give your exact solution a try to see if I had something wrong. Did you also have to un-comment and change this line in misp.conf to require the correct scope in the JWT?
#OIDCScope "openid email"
Update:
I attempted your changes. My environment is configured as follows:
In docker-compose.yml:
OIDC_LOGIN: true
OIDC_PROVIDER: https://iris-iam.stfc.ac.uk/.well-known/openid-configuration
OIDC_CLIENT_ID: <secret>
OIDC_CLIENT_SECRET: <secret>
OIDC_AUTHENTICATION_METHOD: client_secret_jwt
OIDC_CLIENT_CRYPTO_PASS: <secret>
In misp.conf (lines 80 and 91 changed in place):
OIDCScope "openid email profile"
...
Require claim "groups~misp*"
The 'groups' claim is part of the 'profile' scope in my OIDC provider, so needs to be included as above.
In config.php under $oidcAuth - these align with the groups I have set up in the OIDC provider:
'roles_property' => 'groups',
'role_mapper' => [
    'misp/admins' => 1, // Admin
    'misp' => 3, // User
],
With this setup I am able to log in via my IdP using OIDC, but after logging in I hit an OAuth error page:
error="invalid_client", error_description="Client's registered request object signing algorithm (null) does not match request object's actual algorithm (HS256)"
I get the impression this is a problem with my specific OIDC provider rather than MISP config, but I'm just posting it here in case it's something you/anyone has come across before.
Hello everyone,
I am trying to configure MISP with OIDC. I have a redirection to my IdP, an OK authentication and a referral to my MISP instance. On the other hand I always get "Sorry, you do not have access to this page....".
Do you know which field the IdP response must contain to authorize the connection?
Sorry @elenezet - I can't quite understand what your problem is. Have you changed the config as described in the comment above?
Replace this line by (for regexp syntax please refer to this page):
Require claim "groups~misp*"
Edit this section (the roles_property field is added according to this code):
'roles_property' => 'groups',
'role_mapper' => [
    '/misp' => 3, // User
    '/misp/admin' => 1, // Admin
],
Additionally, there might be logs in /var/log/httpd/error_log
that may tell you more about what went wrong.
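To make the two-stage check in @vba-anssi's answer (and the quote of it just above) concrete, here is an added Python example; it is not MISP's code, not mod_auth_openidc's, and not something posted in this thread. The first stage is the Apache `Require claim "groups~misp*"` gate, the second is MISP's `roles_property` / `role_mapper` lookup. The sample claims are constructed to resemble the `groups` claim discussed here. Two things are this example's own assumptions and should be verified against your versions: that mod_auth_openidc's `name~regex` form is an unanchored regex search over each value of the claim, and the mapper policy that the first matching key in mapper order wins. The example also shows why `misp*` is a loose pattern: as a regex it means `mis` followed by zero or more `p`, so a group named `mismatch` passes the Apache gate and is only stopped at the role mapping.

```python
import re

# Constructed sample ID-token claims, shaped like the `groups` claim the
# thread's IdP emits. Not real tokens from the thread.
SAMPLE_CLAIMS = {
    "admin_user": {"sub": "alice", "email": "alice@example.org",
                   "groups": ["misp", "misp/admin"]},
    "plain_user": {"sub": "bob", "email": "bob@example.org",
                   "groups": ["misp"]},
    "no_group":   {"sub": "carol", "email": "carol@example.org",
                   "groups": ["other-team"]},
    "lookalike":  {"sub": "dave", "email": "dave@example.org",
                   "groups": ["mismatch"]},
}

# The Apache line from the answer, and a tighter alternative (anchored, and
# only allowing `misp` or `misp/<something>`).
LOOSE_REQUIREMENT = 'groups~misp*'
STRICT_REQUIREMENT = r'groups~^misp(/[^/]+)*$'

# Mirrors the config.php fragment. Keys are compared literally against claim
# values, so they must be exactly what the IdP emits (the two configs in the
# thread differ on a leading slash). Admin is listed first on purpose.
OIDC_AUTH = {
    "roles_property": "groups",
    "role_mapper": {
        "misp/admin": 1,  # Admin
        "misp": 3,        # User
    },
}


def claim_values(claims, name):
    """Return a claim as a list; IdPs emit group claims as a string or an array."""
    value = claims.get(name)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def apache_require_claim(claims, requirement):
    """Evaluate a `Require claim "name~regex"` line as an unanchored regex
    search: any value of the named claim that matches anywhere passes.
    (Assumption about mod_auth_openidc semantics; check your version.)"""
    name, _, pattern = requirement.partition("~")
    return any(re.search(pattern, v) for v in claim_values(claims, name))


def map_role(claims, oidc_auth):
    """Apply role_mapper to the claim named by roles_property.
    Policy (this example's assumption, not a claim about MISP's plugin):
    the first mapper entry, in dict order, whose key is in the claim wins."""
    groups = claim_values(claims, oidc_auth["roles_property"])
    for group, role_id in oidc_auth["role_mapper"].items():
        if group in groups:
            return role_id
    return None


def decide_login(claims, requirement, oidc_auth):
    """Apache gate first, then MISP role mapping. Returns (allowed, role_id).
    Passing the gate but mapping to no role is the thread's
    'you do not have access to this page' case."""
    if not apache_require_claim(claims, requirement):
        return (False, None)
    role = map_role(claims, oidc_auth)
    return (role is not None, role)


if __name__ == "__main__":
    for label, claims in SAMPLE_CLAIMS.items():
        print(label, "loose:", decide_login(claims, LOOSE_REQUIREMENT, OIDC_AUTH),
              "strict:", decide_login(claims, STRICT_REQUIREMENT, OIDC_AUTH))
```

Under a first-match policy the order of `role_mapper` matters: a user who is in both `misp` and `misp/admin` lands on the User role if `misp` is listed first, so list the Admin mapping before the User mapping. The `mismatch` case shows that the Apache regex should be anchored if anything behind it trusts the gate alone.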
@vba-anssi's answer seems to be working for me - closing the issue as that solved my initial problem.
@jamesacris I have this error all the time via CAS6 OIDC. I found nothing in the logs. I'll try with AD authentication.
Unable to validate ID token claims
Error: An Internal Error Has Occurred. Please try your action again. If the problem persists, please contact administrator.
Stack Trace
APP/Plugin/OidcAuth/Lib/Oidc.php line 22 → JakubOnderka\OpenIDConnectClient->authenticate()
APP/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php line 33 → Oidc->authenticate()
APP/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php line 772 → OidcAuthenticate->authenticate()
APP/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php line 612 → AuthComponent->identify()
APP/Controller/UsersController.php line 1211 → AuthComponent->login()
[internal function] → UsersController->login()
APP/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php line 499 → ReflectionMethod->invokeArgs()
APP/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php line 193 → Controller->invokeAction()
APP/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php line 167 → Dispatcher->_invoke()
APP/webroot/index.php line 99 → Dispatcher->dispatch()