NUKIB/misp

OIDC Error:

Closed this issue · 3 comments

I'm attempting to set up OIDC with MISP, but I'm running into this error after authenticating with my IdP in the browser:

OAuth Error
error="invalid_client", error_description="Client's registered request object signing algorithm (null) does not match request object's actual algorithm (HS256)"

My OIDC configuration in my docker-compose.yml is as follows:

      OIDC_LOGIN: true
      OIDC_PROVIDER: https://iris-iam.stfc.ac.uk
      OIDC_CLIENT_ID: <redacted_client_id>
      OIDC_CLIENT_SECRET: <redacted_client_secret>
      OIDC_AUTHENTICATION_METHOD: client_secret_basic
      OIDC_CODE_CHALLENGE_METHOD: plain
      OIDC_CLIENT_CRYPTO_PASS: ChangeMeForProduction101

I've spoken with the admin of my IdP and have been assured that there is no use of the HS256 algorithm in the IdP, so the requirement for this must be coming from MISP - but I haven't used any settings that would require encryption, as far as I can tell. Is there an implicit requirement for encrypted cookies in MISP and if so, how can I turn that off?

It may be unrelated, but in my attempt to remove settings related to encryption of cookies, I omitted the OIDC_CLIENT_CRYPTO_PASS setting, which is said to be optional in the docs on OIDC. However, when I do that I get this error from the MISP container logs:

ERROR: OIDC login is enabled, but 'OIDC_CLIENT_CRYPTO_PASS' environment variable is not set

I'd be grateful for any support on this!

MISP uses the configuration which the OIDC provider provides. MISP gets this configuration by requesting it from the OIDC provider using the specified URL, which seems a bit weird in your configuration, because it doesn't contain usual parameters like realm. Maybe you have some URL parameters omitted in it.
Please have a look at OIDC.md and check the JSON output of your OIDC provider.
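As an added illustration (not MISP's own code, nor anything from this thread), the script below compares the client settings from the compose file above against a provider discovery document of the kind the reply says to inspect; the discovery document is constructed, the provider URL is a placeholder, and the request_object_signing_alg key is an assumed extra setting.

```python
import json

# Constructed sample discovery document (not the real IdP's output); field names
# follow OpenID Connect Discovery 1.0.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "token_endpoint": "https://idp.example.org/token",
    "jwks_uri": "https://idp.example.org/jwk",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "request_object_signing_alg_values_supported": ["RS256"],
})

# Client-side settings mirroring the compose file above (provider URL is a placeholder);
# "request_object_signing_alg" is a hypothetical extra key, None meaning no signed request object.
CLIENT_SETTINGS = {
    "OIDC_PROVIDER": "https://idp.example.org",
    "OIDC_AUTHENTICATION_METHOD": "client_secret_basic",
    "OIDC_CODE_CHALLENGE_METHOD": "plain",
    "request_object_signing_alg": None,
}


def check_discovery(doc_json, settings):
    """Return a list of mismatches between client settings and the provider's discovery document."""
    doc = json.loads(doc_json)
    findings = []
    provider = settings["OIDC_PROVIDER"].rstrip("/")
    issuer = doc.get("issuer", "").rstrip("/")
    # The document is served at <issuer>/.well-known/openid-configuration, so the
    # issuer must equal the provider URL the client was configured with.
    if issuer != provider:
        findings.append(f"issuer mismatch: document says {issuer!r}, configured {provider!r}")
    # Discovery's default when the key is absent is client_secret_basic only.
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if settings["OIDC_AUTHENTICATION_METHOD"] not in auth_methods:
        findings.append(f"auth method {settings['OIDC_AUTHENTICATION_METHOD']} not offered")
    pkce = doc.get("code_challenge_methods_supported", [])
    method = settings["OIDC_CODE_CHALLENGE_METHOD"]
    if method not in pkce:
        findings.append(f"PKCE method {method} not offered")
    elif method == "plain" and "S256" in pkce:
        findings.append("PKCE method plain chosen although provider supports S256")
    # A signed request object must use an algorithm the provider advertises (and that
    # matches the client's registration); the error quoted above is a mismatch of that kind.
    alg = settings.get("request_object_signing_alg")
    if alg and alg not in doc.get("request_object_signing_alg_values_supported", []):
        findings.append(f"request object signing alg {alg} not advertised by provider")
    return findings
```

Replacing SAMPLE_DISCOVERY with the JSON fetched from the real well-known URL turns this into a pre-deployment sanity check for the compose settings.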

I changed OIDC_PROVIDER to the well-known configuration url, i.e.

OIDC_PROVIDER: https://iris-iam.stfc.ac.uk/.well-known/openid-configuration

Which I assume will allow MISP to pick up the correct configuration from the OIDC provider. However I still get this page upon login:
[image attachment]
Is this what you meant by some omitted parameters in the URL? I don't think realm applies here as it isn't using Keycloak.

This was an issue on my OIDC provider's end which is now resolved.