openanalytics/shinyproxy-operator

Azure AD Open ID setup issue - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException

Closed this issue · 3 comments

I am trying to set up Azure AD authentication with Shinyproxy deployed through Shiny Operator.

I used the config below:

```yaml
openid:
  auth-url: https://login.microsoftonline.com/tenant-id/oauth2/authorize
  token-url: https://login.microsoftonline.com/tenant-id/oauth2/token
  jwks-url: https://login.microsoftonline.com/common/discovery/keys
  client-id: ***
  client-secret: ***
```

Below is the error I get in the logs:

```
e.o.containerproxy.service.UserService : Authentication failure [user: ] [error: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken]
2021-06-03 08:38:56.426 ERROR 1 --- [ XNIO-1 task-2] e.o.c.a.i.OpenIDAuthenticationBackend : org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://login.microsoftonline.com/tenant-id/oauth2/token": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://login.microsoftonline.com/tenant-id/oauth2/token": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:142) ~[spring-security-oauth2-client-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185) ~[spring-security-oauth2-client-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) ~[spring-security-oauth2-client-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
```

Any advice on what I am missing?

The issue was with my proxy, but after resolving that I am getting the error below. Does ShinyProxy support Azure AD (B2B) OpenID authentication? The documentation talks about Azure AD B2C only.

```
Authentication failure [user: ] [error: No AuthenticationProvider found for org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken]
2021-06-03 09:51:33.765 ERROR 1 --- [ XNIO-1 task-2] e.o.c.a.i.OpenIDAuthenticationBackend : org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_id_token] An error occurred while attempting to decode the Jwt: Jwt used before 2021-06-03T16:19:42Z

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_id_token] An error occurred while attempting to decode the Jwt: Jwt used before 2021-06-03T16:19:42Z
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.createOidcToken(OidcAuthorizationCodeAuthenticationProvider.java:226) ~[spring-security-oauth2-client-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:155) ~[spring-security-oauth2-client-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185) ~[spring-security-oauth2-client-5.3.4.RELEASE.jar!/:5.3.4.RELEASE]
```

The error was occurring because my local K8s cluster had a large clock skew, due to which the JWT token decode was failing. Got the details from this page: https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory-b2c-oidc#build-and-test-your-app

Deployed to my cloud K8s cluster and authentication works like a charm.
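The "Jwt used before …" failure in the comment above is the ID token's `nbf` claim being checked against the relying party's own clock: Spring Security's `JwtTimestampValidator` rejects a token whose `nbf` is still more than its leeway (60 seconds by default) in the future, so a ShinyProxy pod whose node clock lags Azure AD by more than that will never accept a freshly issued token. The following Python is an added illustration, not code from this issue or from ShinyProxy, of how that check behaves and how to read the offset off the token. It uses a constructed HS256 token (Azure AD signs ID tokens with RS256 keys fetched from the `jwks-url`; HS256 is used only so the sample runs offline); the secret, the `iss`/`aud` strings and the `nbf` value matching the timestamp quoted in the error are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for the token in the issue: nbf matches the
# timestamp quoted in the error ("Jwt used before 2021-06-03T16:19:42Z").
ISSUER_NBF = 1622737182          # 2021-06-03T16:19:42Z as a Unix timestamp
TOKEN_LIFETIME = 3600            # seconds; constructed, not Azure AD's real lifetime
TEST_SECRET = b"constructed-test-secret-not-a-real-key"
DEFAULT_MAX_CLOCK_SKEW = 60      # Spring Security's JwtTimestampValidator default


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_test_jwt(claims: dict, secret: bytes = TEST_SECRET) -> str:
    """Build a constructed HS256 token for offline use (the real ID token is RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_verified(token: str, secret: bytes = TEST_SECRET) -> dict:
    """Verify the signature before trusting any claim; raise ValueError on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def check_time_claims(claims: dict, now: int, max_clock_skew: int = DEFAULT_MAX_CLOCK_SKEW) -> list:
    """Return the timestamp failures a relying party whose clock reads `now` would
    report: nbf more than `max_clock_skew` seconds in the future, or exp more than
    `max_clock_skew` seconds in the past. An empty list means the token is accepted."""
    problems = []
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    if nbf is not None and now + max_clock_skew < nbf:
        problems.append(f"Jwt used before nbf (local clock is {nbf - now}s behind it)")
    if exp is not None and now - max_clock_skew > exp:
        problems.append(f"Jwt expired {now - exp}s ago")
    return problems


def clock_offset_seconds(claims: dict, now: int) -> int:
    """Estimate how far the local clock lags the issuer's clock: the issuer sets
    iat to its own 'now', so iat - now > 0 means the local clock is behind."""
    return claims["iat"] - now


def make_sample_claims() -> dict:
    """Constructed claim set; issuer and audience strings are placeholders."""
    return {
        "iss": "https://login.microsoftonline.com/tenant-id/",
        "aud": "client-id",
        "iat": ISSUER_NBF,
        "nbf": ISSUER_NBF,
        "exp": ISSUER_NBF + TOKEN_LIFETIME,
    }


def diagnose(token: str, now: int) -> dict:
    """Signature check first, then the timestamp rules, plus the estimated offset."""
    claims = decode_verified(token)
    return {
        "problems": check_time_claims(claims, now),
        "offset_seconds": clock_offset_seconds(claims, now),
    }


if __name__ == "__main__":
    token = build_test_jwt(make_sample_claims())
    # A relying party whose clock is six hours behind the issuer: rejected.
    print(diagnose(token, ISSUER_NBF - 6 * 3600))
    # The same token checked on a clock 30 s behind, within the default leeway: accepted.
    print(diagnose(token, ISSUER_NBF - 30))
    # Against today's wall clock the constructed token is simply expired.
    print(diagnose(token, int(time.time())))
```

The `offset_seconds` value is the number to act on: a large positive offset means the node clock is behind the identity provider, and the fix is to correct the clock (NTP on the nodes) rather than to widen the leeway, since a wider leeway also lengthens the window in which an expired or replayed token is still accepted.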

@anoop7181 Could you let me know how you resolved this issue?