# troubleshoot
h
Hi everyone, trying to set up OIDC using the below configuration
```yaml
extraEnvs:
  - name: AUTH_OIDC_ENABLED
    value: "true"
  - name: AUTH_OIDC_CLIENT_ID
    value: MMSOauthClient
  - name: AUTH_OIDC_CLIENT_SECRET
    value: "<value>"
  - name: AUTH_OIDC_DISCOVERY_URI
    value: https://<saml-host>/.well-known/openid-configuration
  - name: AUTH_OIDC_BASE_URL
    value: https://<host>/
```
It is redirecting to this: https://<hostname>/#error_description=The+global+default+access+token+manager+is+not+available+for+the+selected+client+and+authentication+context&error=invalid_request
s
Hi, are you sure about the AUTH_OIDC_CLIENT_ID? The value you entered seems more like a module name than an ID (MMSOauthClient).
h
@stale-jewelry-2440 Yes, the client_id value is correct. Getting this:
```text
Internal server error. The OIDC service responded with an error: 'unauthorized_client'.
Error description: 'authorization_code grant not allowed for this client'
```
```yaml
extraEnvs:
  - name: AUTH_OIDC_ENABLED
    value: "true"
  - name: AUTH_OIDC_CLIENT_ID
    value: "<client_id>"
  - name: AUTH_OIDC_CLIENT_SECRET
    value: "<client_secret>"
  - name: AUTH_OIDC_DISCOVERY_URI
    value: "https://<saml-hostname>/.well-known/openid-configuration"
  - name: AUTH_OIDC_BASE_URL
    value: "https://<datahub_host>"
```
Note: all the values are quoted. Hopefully no issues with that?
s
I have a similar configuration, with all those fields set, and it works. The quotes are OK, since the call to the saml-hostname works.
h
@stale-jewelry-2440 play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: Missing state parameter] at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247) at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176) at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363) at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361) at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
b
It seems that your client id has not been configured in your Identity Provider to be able to use the authorization code flow, which is what we use. You may need to configure your IdP to return an Id token and an access token! Which identity provider are you using?
h
@big-carpet-38439 - The client ID has been configured in the identity provider. We are using Ping Federate as the IdP. The OAuth client ID has been configured and it generates an access token; see below.
Small update to the above messages, all the values are in quotes.
b
And you're still seeing this on the DataHub side?
```text
Internal server error. The OIDC service responded with an error: 'unauthorized_client'.
Error description: 'authorization_code grant not allowed for this client'
```
h
@big-carpet-38439 From the DataHub frontend pod (DataHub is deployed on an EKS cluster), I am only getting: play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: Missing state parameter] at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247) at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176) at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363) at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361) at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346) at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
@big-carpet-38439 - Any directions on how to debug the above? Working with the OIDC team as well on this.
b
@handsome-football-66174 I cannot debug easily with this log alone. Do you mind packaging up your GMS and DataHub frontend logs and sending them over? I can take a deeper look if you can!
h
@big-carpet-38439 - Sure John, let me share those (though they display the same information as we get from the pod logs).
@big-carpet-38439 - Please find the logs
b
Thanks!
h
@big-carpet-38439 - Any idea if OIDC has been integrated with Ping by anyone else in the group? Will post a separate thread on this.
b
I have unfortunately not heard of anyone using Ping :(
h
@big-carpet-38439 - Anything you could make out of the logs? Also let me know if we could connect over a call. Will coordinate with the Ping folks.
@big-carpet-38439 - Got it working.
b
No kidding! What changed? 🙂
h
The mail attribute was missing.
Also we now see this
@big-carpet-38439 - What attributes does Ping need to send?
b
Let me check the specific set. It seems we cannot get the user's name
Are you running on the latest version btw?
We check for
```text
first_name, family_name, display_name, email
```
You may need to alter the config property `AUTH_OIDC_USER_NAME_CLAIM` to point to the attribute you want to use as the DataHub username,
typically email or parsed email.
@handsome-football-66174 Let me know if you need more guidance here ^
h
@big-carpet-38439
```yaml
- name: AUTH_OIDC_USER_NAME_CLAIM
  value: "email"
- name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
  value: "([^@]+)"
```
Tried this and getting the below error: Caused by: java.net.URISyntaxException: Illegal character in path at index 8: Saradhi, Keerthi at java.net.URI$Parser.fail(URI.java:2847) at java.net.URI$Parser.checkChars(URI.java:3020) at java.net.URI$Parser.parseHierarchical(URI.java:3104) at java.net.URI$Parser.parse(URI.java:3062) at java.net.URI.<init>(URI.java:588)
b
It looks like... you are creating the username from a field that contains a string:
```text
Saradhi, Keerthi
```
Are you sure that field contains an email?
h
@big-carpet-38439 When I configure this, does it not pull the username from the email?
```yaml
- name: AUTH_OIDC_USER_NAME_CLAIM
  value: "email"
- name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
  value: "([^@]+)"
```
@big-carpet-38439 Can you share a sample response/list of fields that need to be sent by PingOne?
b
I don't have that on hand. We need these claims to be returned when we ask for the user info:
first_name, family_name, display_name, email
It is trying to pull the username from the email, but the email seems to not be an email;
it seems to be a comma-separated name.
h
Hmm, let me try to add these fields. We currently have preferred_username as a field, but somehow it is not pulling the field correctly. Removed the configurations:
```yaml
- name: AUTH_OIDC_USER_NAME_CLAIM
  value: "email"
- name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
  value: "([^@]+)"
```
b
oh perfect
this should help
h
@big-carpet-38439 - Still getting this. Currently sending the following fields from Ping: preferred_username, email, display_name, full_name, first_name, and family_name.
Current configuration:
```yaml
extraEnvs:
  - name: AUTH_JAAS_ENABLED
    value: "false"
  - name: AUTH_OIDC_ENABLED
    value: "true"
  - name: AUTH_OIDC_CLIENT_ID
    value: "MMSOauthClient"
  - name: AUTH_OIDC_CLIENT_SECRET
    value: "<value>"
  - name: AUTH_OIDC_DISCOVERY_URI
    value: "https://<samlhost>/.well-known/openid-configuration"
  - name: AUTH_OIDC_BASE_URL
    value: "https://<datahub_hostname>"
```
@big-carpet-38439 - Could you share what is used to populate the fields shown in the screenshot below?
The preferred_username is being displayed on the Welcome page correctly.
Found this https://docs.identityserver.io/en/latest/endpoints/userinfo.html and updated. Now getting this (roles are missing, I think).
b
Yeah, your title is missing.
There's not a standard claim for this. What you're seeing is actually a UI bug that will be fixed in the upcoming release.
We populate first name and last name if possible using the following claims:
```text
first_name, family_name, name
```
h
Thank you for information!
l
@gifted-queen-61023