I'm building a web MVC app with Azure as the Identity Provider and I'm getting the following error:
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: I/O error on GET request for "https://graph.microsoft.com/oidc/userinfo": graph.microsoft.com
[nio-8080-exec-3] o.s.web.client.RestTemplate : HTTP GET https://graph.microsoft.com/oidc/userinfo
[nio-8080-exec-3] o.s.web.client.RestTemplate : Accept=[application/json, application/*+json]
[nio-8080-exec-3] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
[nio-8080-exec-3] o.s.s.web.DefaultRedirectStrategy : Redirecting to /login?error
Am I missing something?
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/XXXX/v2.0
spring.security.oauth2.client.registration.myapp.client-name=XXXX
spring.security.oauth2.client.registration.myapp.client-id=XXXX
spring.security.oauth2.client.registration.myapp.client-secret=XXXX
spring.security.oauth2.client.registration.myapp.provider=azure
spring.security.oauth2.client.registration.myapp.redirect-uri=http://localhost:8080/login/oauth2/code/
spring.security.oauth2.client.registration.myapp.scope=openid, profile, User.Read
spring.security.oauth2.client.registration.myapp.authorization-grant-type=authorization_code
I tried to reproduce the same in my environment via Postman and got the results below:
I created one Azure AD application and granted permissions like below:
To get the code, I used the authorization request below:
https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize?
client_id=client_id
&response_type=code
&redirect_uri=redirect_uri
&response_mode=query
&scope=openid profile user.read
&state=12345
When I ran the above request in the browser, I got a consent screen like below:
After accepting the above consent, I got the code in the address bar like below:
To generate an access token, I used the parameters below and got a token like this:
POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:client_id
client_secret:client_secret
scope:openid profile user.read
code:code
redirect_uri: redirect_uri
When I used the above token to get the user info data, I got the response successfully, like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
In your scenario, make sure to include the parameters below in your configuration:
spring.security.oauth2.client.registration.azure.client-id: xxx
spring.security.oauth2.client.registration.azure.client-secret: xxx
spring.security.oauth2.client.registration.azure.client-name: App Name
spring.security.oauth2.client.registration.azure.client-authentication-method: basic
spring.security.oauth2.client.registration.azure.provider: azure
spring.security.oauth2.client.registration.azure.scope: openid profile user.read
spring.security.oauth2.client.registration.azure.redirect-uri: http://localhost:8080/login/oauth2/code/azure
spring.security.oauth2.client.registration.azure.authorization-grant-type: authorization_code
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/<tenant id>/v2.0
spring.security.oauth2.client.provider.azure.authorization-uri: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize
spring.security.oauth2.client.provider.azure.user-info-uri: https://graph.microsoft.com/oidc/userinfo
spring.security.oauth2.client.provider.azure.token-uri: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
spring.security.oauth2.client.provider.azure.jwk-set-uri: https://login.microsoftonline.com/<tenant id>/v2.0/keys
spring.security.oauth2.client.provider.azure.user-name-attribute: name
To know more in detail, please refer to the link below:
Spring security using OAuth2 with Microsoft - AzureAD
For some reason the proxy server configured on my machine was not able to resolve the DNS name graph.microsoft.com, and I was getting the message "invalid_user_info_response". In order to fix it, you need to make sure that your machine is able to reach graph.microsoft.com.
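Before blaming the network, it is worth checking the client registration itself, because a Spring OAuth2 client misconfiguration and a broken proxy produce the same generic redirect to /login?error. The following linter is an added example, not code from the question or the answer above; it parses a Spring Boot .properties fragment and flags the things a reviewer would look at first. The two embedded property sets are constructed to mirror the question's "myapp" registration and the answer's "azure" registration (secrets redacted as on the page). The default redirect-uri template it checks against, {baseUrl}/login/oauth2/code/{registrationId}, is Spring Security's; everything else in the rule set is this example's own opinion.

```python
"""
Lint Spring Security OAuth2 client registrations in a .properties fragment.
Added example, not from the original post. Sample property sets are constructed
from the two configurations shown on this page.
"""
import re
from urllib.parse import urlsplit

PREFIX = "spring.security.oauth2.client."

# Constructed: the questioner's registration (key=value form, secrets redacted).
QUESTION_PROPERTIES = """
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/XXXX/v2.0
spring.security.oauth2.client.registration.myapp.client-id=XXXX
spring.security.oauth2.client.registration.myapp.client-secret=XXXX
spring.security.oauth2.client.registration.myapp.provider=azure
spring.security.oauth2.client.registration.myapp.redirect-uri=http://localhost:8080/login/oauth2/code/
spring.security.oauth2.client.registration.myapp.scope=openid, profile, User.Read
spring.security.oauth2.client.registration.myapp.authorization-grant-type=authorization_code
"""

# Constructed: the answer's registration (key: value form).
ANSWER_PROPERTIES = """
spring.security.oauth2.client.registration.azure.client-id: xxx
spring.security.oauth2.client.registration.azure.client-secret: xxx
spring.security.oauth2.client.registration.azure.provider: azure
spring.security.oauth2.client.registration.azure.scope: openid profile user.read
spring.security.oauth2.client.registration.azure.redirect-uri: http://localhost:8080/login/oauth2/code/azure
spring.security.oauth2.client.registration.azure.authorization-grant-type: authorization_code
spring.security.oauth2.client.provider.azure.issuer-uri: https://login.microsoftonline.com/<tenant id>/v2.0
spring.security.oauth2.client.provider.azure.user-info-uri: https://graph.microsoft.com/oidc/userinfo
"""


def parse_properties(text):
    """Parse 'key=value' / 'key: value' lines into a dict; blank and comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def registrations(props):
    """Group registration.<id>.<field> and provider.<id>.<field> entries by id."""
    regs, provs = {}, {}
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        parts = key[len(PREFIX):].split(".", 2)
        if len(parts) != 3:
            continue
        kind, ident, field = parts
        bucket = {"registration": regs, "provider": provs}.get(kind)
        if bucket is not None:
            bucket.setdefault(ident, {})[field] = value
    return regs, provs


def lint(props):
    """Return findings as (registration_id, message) tuples; empty list means clean."""
    findings = []
    regs, provs = registrations(props)
    for rid, reg in regs.items():
        # Spring's default template is {baseUrl}/login/oauth2/code/{registrationId}.
        # A different fixed value is legal, but it must be registered byte-for-byte at the IdP.
        default_path = "/login/oauth2/code/" + rid
        redirect = reg.get("redirect-uri", "")
        if redirect and not redirect.endswith(default_path):
            findings.append((rid, "redirect-uri %s differs from the default {baseUrl}%s; "
                                  "the value registered at the IdP must match it exactly"
                             % (redirect, default_path)))
        if redirect and urlsplit(redirect).scheme == "http" \
                and urlsplit(redirect).hostname not in ("localhost", "127.0.0.1"):
            findings.append((rid, "redirect-uri uses plain http on a non-loopback host"))
        # Lenient split: Spring's binder splits on commas; spaces are tolerated here.
        scopes = [s for s in re.split(r"[,\s]+", reg.get("scope", "")) if s]
        if "openid" not in scopes:
            findings.append((rid, "scope lacks 'openid'; OIDC login (id_token + userinfo) needs it"))
        if reg.get("authorization-grant-type") != "authorization_code":
            findings.append((rid, "authorization-grant-type should be authorization_code for browser login"))
        if not reg.get("client-secret"):
            findings.append((rid, "client-secret missing; a server-side web app is a confidential client"))
        provider = reg.get("provider", rid)
        prov = provs.get(provider)
        if prov is None:
            findings.append((rid, "provider %r has no provider.%s.* entries" % (provider, provider)))
        else:
            issuer = prov.get("issuer-uri", "")
            if issuer and urlsplit(issuer).scheme != "https":
                findings.append((rid, "issuer-uri is not https; discovery metadata would be fetched insecurely"))
            if not issuer and not all(k in prov for k in ("authorization-uri", "token-uri")):
                findings.append((rid, "provider has neither issuer-uri nor explicit authorization-uri/token-uri"))
    return findings


if __name__ == "__main__":
    for label, text in (("question", QUESTION_PROPERTIES), ("answer", ANSWER_PROPERTIES)):
        print(label, "->", lint(parse_properties(text)) or "clean")
```

On the page's own data the linter reports exactly one thing: the question's redirect-uri ends in /login/oauth2/code/ with no registration id, while the answer's ends in /azure. That alone does not produce an I/O error on the userinfo call, which is a connectivity problem as the second answer says, but it is the kind of silent mismatch that surfaces later as a redirect_uri error at the IdP.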
I have two web applications configured as SAML Service Providers, using version 1.0.10 of the Spring Security SAML extension. The identity provider is Azure AD.
Single sign-on across both applications works fine. The problem is with single logout (SLO). If I'm logged into both apps in two different browser tabs, and then initiate a logout from one app, that app is logged out as expected, but the logout of the other app fails.
With debug logging enabled, this is the output I get for the second app:
DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /saml/SingleLogout?SAMLRequest=lZJfb5swFMW%2fCuLdYGPzxxZBypYtQ20aqVlbaS%2bRgUuKBjbFJs3HLwT1IdJUaW%2f2lY9%2b51yf1Miu7cW9PunRPsLbCMY6%2bWblHmscFoREGHHGJGJJTBHnCUYhl1SWUU1rWrrOMwym0WrlBh52ndyYEXJlrFR2GuEgQAQjQn8TKjATAfcinvxxnc1EaZS0V%2bWrtb0Rvt%2fKcYDW6wcwMJybUnql9sa%2f%2ftN03UklT9CBsv5s2D806tTC4tp1HrTdq%2f2wri0Mt1h2g710rTLimnjljoMSWprGCCU7MMKW4rDe3YspiOgHbXWpWzdLr5GGRfq1SJrJ6BzJzT4jGWu890ZV%2bt14CqwfSYkZqUrEo4IiFsoKceAFimKQAS4JgwT81F%2bYWfowMfKN81MPnbRfw%2bdJU6H6%2blT0868YO63L%2fU%2fnYfwcbrvzcWe%2f3R2L%2fO7Hmv%2b6BPtX%2fXLenrakfvveRo8o3B4anfqLvyxdOnQAM1chVxVcsiMNaREDo6jmkiBWQ4SSuJYowFUZTgcSYJz6%2f1B%2bDm8qmX0A&Signature=H2iMTbizxEM8ooIUfV%2fyZ8zZfkK8J9CXbVako2sPk9EUw1xjRUXfaCUbO3gpsjKvUD61UHEbpOexnMhCtqCJnItC81hIVp9dI2%2bSGqJ3%2fIYFtxDMqVAsP%2fxsEZpL%2f15OkZ0rj0n1nAiU7dT3xC0K5TDtjUWciKqbt0MkJgvKyvkZyjZGjhclfTGo4AJQrEkBVxkw8%2b2Evwgmxpk0taOfhq9sHaiRLzvVAxhCse9GZhbQehxyxtWWNDYt8Ks7JJJR5UDfdszX4E5J2576seSxvop3EeJLlULjjNm3FJZcXoKKAXzA%2bfHqYBYFD9rIyuEXaJsFEC0p8SSAHwKgDOq3PA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - Set SecurityContextHolder to empty SecurityContext
DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /saml/SingleLogout?SAMLRequest=lZJfb5swFMW%2fCuLdYGPzxxZBypYtQ20aqVlbaS%2bRgUuKBjbFJs3HLwT1IdJUaW%2f2lY9%2b51yf1Miu7cW9PunRPsLbCMY6%2bWblHmscFoREGHHGJGJJTBHnCUYhl1SWUU1rWrrOMwym0WrlBh52ndyYEXJlrFR2GuEgQAQjQn8TKjATAfcinvxxnc1EaZS0V%2bWrtb0Rvt%2fKcYDW6wcwMJybUnql9sa%2f%2ftN03UklT9CBsv5s2D806tTC4tp1HrTdq%2f2wri0Mt1h2g710rTLimnjljoMSWprGCCU7MMKW4rDe3YspiOgHbXWpWzdLr5GGRfq1SJrJ6BzJzT4jGWu890ZV%2bt14CqwfSYkZqUrEo4IiFsoKceAFimKQAS4JgwT81F%2bYWfowMfKN81MPnbRfw%2bdJU6H6%2blT0868YO63L%2fU%2fnYfwcbrvzcWe%2f3R2L%2fO7Hmv%2b6BPtX%2fXLenrakfvveRo8o3B4anfqLvyxdOnQAM1chVxVcsiMNaREDo6jmkiBWQ4SSuJYowFUZTgcSYJz6%2f1B%2bDm8qmX0A&Signature=H2iMTbizxEM8ooIUfV%2fyZ8zZfkK8J9CXbVako2sPk9EUw1xjRUXfaCUbO3gpsjKvUD61UHEbpOexnMhCtqCJnItC81hIVp9dI2%2bSGqJ3%2fIYFtxDMqVAsP%2fxsEZpL%2f15OkZ0rj0n1nAiU7dT3xC0K5TDtjUWciKqbt0MkJgvKyvkZyjZGjhclfTGo4AJQrEkBVxkw8%2b2Evwgmxpk0taOfhq9sHaiRLzvVAxhCse9GZhbQehxyxtWWNDYt8Ks7JJJR5UDfdszX4E5J2576seSxvop3EeJLlULjjNm3FJZcXoKKAXzA%2bfHqYBYFD9rIyuEXaJsFEC0p8SSAHwKgDOq3PA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
DEBUG [org.springframework.security.saml.SAMLLogoutProcessingFilter] - Delegating logout processing to super class...
DEBUG [org.springframework.security.saml.SAMLLogoutProcessingFilter] - Processing SAML logout message
DEBUG [org.springframework.security.saml.processor.SAMLProcessorImpl] - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
INFO [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule] - Validation of request simple signature succeeded
INFO [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule] - Authentication via request simple signature succeeded for context issuer entity ID https://sts.windows.net/00000000-0000-0000-0000-00000000/
INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule] - SAML protocol message was not signed, skipping XML signature processing
DEBUG [org.springframework.security.saml.util.SAMLUtil] - Found endpoint org.opensaml.saml2.metadata.impl.SingleLogoutServiceImpl#76b927ad for request URL https://server.com:443/app2/saml/SingleLogout?SAMLRequest=lZJfb5swFMW%2fCuLdYGPzxxZBypYtQ20aqVlbaS%2bRgUuKBjbFJs3HLwT1IdJUaW%2f2lY9%2b51yf1Miu7cW9PunRPsLbCMY6%2bWblHmscFoREGHHGJGJJTBHnCUYhl1SWUU1rWrrOMwym0WrlBh52ndyYEXJlrFR2GuEgQAQjQn8TKjATAfcinvxxnc1EaZS0V%2bWrtb0Rvt%2fKcYDW6wcwMJybUnql9sa%2f%2ftN03UklT9CBsv5s2D806tTC4tp1HrTdq%2f2wri0Mt1h2g710rTLimnjljoMSWprGCCU7MMKW4rDe3YspiOgHbXWpWzdLr5GGRfq1SJrJ6BzJzT4jGWu890ZV%2bt14CqwfSYkZqUrEo4IiFsoKceAFimKQAS4JgwT81F%2bYWfowMfKN81MPnbRfw%2bdJU6H6%2blT0868YO63L%2fU%2fnYfwcbrvzcWe%2f3R2L%2fO7Hmv%2b6BPtX%2fXLenrakfvveRo8o3B4anfqLvyxdOnQAM1chVxVcsiMNaREDo6jmkiBWQ4SSuJYowFUZTgcSYJz6%2f1B%2bDm8qmX0A&Signature=H2iMTbizxEM8ooIUfV%2fyZ8zZfkK8J9CXbVako2sPk9EUw1xjRUXfaCUbO3gpsjKvUD61UHEbpOexnMhCtqCJnItC81hIVp9dI2%2bSGqJ3%2fIYFtxDMqVAsP%2fxsEZpL%2f15OkZ0rj0n1nAiU7dT3xC0K5TDtjUWciKqbt0MkJgvKyvkZyjZGjhclfTGo4AJQrEkBVxkw8%2b2Evwgmxpk0taOfhq9sHaiRLzvVAxhCse9GZhbQehxyxtWWNDYt8Ks7JJJR5UDfdszX4E5J2576seSxvop3EeJLlULjjNm3FJZcXoKKAXzA%2bfHqYBYFD9rIyuEXaJsFEC0p8SSAHwKgDOq3PA%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256 based on location attribute in metadata
DEBUG [org.springframework.security.saml.SAMLLogoutProcessingFilter] - Received logout request is invalid, responding with error
org.springframework.security.saml.SAMLStatusException: No user is logged in
at org.springframework.security.saml.websso.SingleLogoutProfileImpl.processLogoutRequest(SingleLogoutProfileImpl.java:175) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:181) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at com.tessella.sdb.core.security.authentication.saml.SamlCustomLogoutProcessingFilter.processLogout(SamlCustomLogoutProcessingFilter.java:52) [WebAppSecurity-6.6.0-bugfix_SUPPORT-1608-SNAPSHOT.jar:?]
at org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:107) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
...
In Azure AD, the Front-channel logout URL for app2 is set as https://server.com/app2/saml/SingleLogout, so it looks like the endpoint is called & the HTTP-Redirect binding is used.
However, in SAMLLogoutProcessingFilter, for the line:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
auth is returned as null, i.e. there's no existing user session and so the logout fails. I've seen reports of this happening elsewhere with WSO2 as the SAML IdP, when the HTTP POST binding is used, but with Azure AD, my understanding is that this should be a front-channel request using the HTTP-Redirect binding.
Has anyone got Single Logout to work successfully using Azure AD as the IdP with the Spring SAML extension? Are there any configuration changes required either in the SP or IdP?
Any advice on what I need to do would be gratefully received. Thank you.
OK, so I found the answer. We're using the Apache web server as a reverse proxy in front of the apps, and this was setting SameSite on the session cookie to Lax. Since the logout request was coming from the SAML IdP, the session cookie was being removed. If SameSite is set to None instead, the session cookie is attached, and the call to:
SecurityContextHolder.getContext().getAuthentication()
returns the valid authentication credentials.
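The mechanism behind that answer is the browser's SameSite rule set, and it is worth seeing exactly which request shapes a Lax cookie survives, because the fix (SameSite=None) also widens the cookie's exposure. The simulator below is an added example, not the poster's code or the Spring SAML extension's. It assumes the IdP-originated SingleLogout request is loaded from the IdP's page as a cross-site sub-resource (an iframe), which is how front-channel logout is normally delivered; the site names are constructed.

```python
"""
Simulate whether a browser attaches a cookie to a request under SameSite rules.
Added example, not from the original post. Request contexts are constructed;
the Azure AD front-channel logout is assumed to arrive as a cross-site iframe load.
"""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str        # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    initiator_site: str   # registrable domain of the page that triggered the request
    target_site: str      # registrable domain of the URL being fetched
    method: str
    top_level: bool       # True for a navigation in the top frame; False for iframe/XHR/img
    https: bool


def would_attach(cookie, req):
    """Apply the cookie's SameSite attribute to one request; returns (sent, reason)."""
    if cookie.secure and not req.https:
        return False, "Secure cookie on a non-https request"
    mode = cookie.same_site.capitalize()
    if mode == "None":
        if not cookie.secure:
            return False, "SameSite=None without Secure is rejected by current browsers"
        return True, "SameSite=None; Secure: sent on any request"
    if req.initiator_site == req.target_site:
        return True, "same-site request"
    if mode == "Strict":
        return False, "Strict: never sent cross-site"
    if mode == "Lax":
        if req.top_level and req.method.upper() in SAFE_METHODS:
            return True, "Lax: cross-site top-level navigation with a safe method"
        return False, "Lax: cross-site sub-resource request or unsafe method"
    raise ValueError("unknown SameSite value %r" % cookie.same_site)


# Constructed scenario: SP session cookie for server.com behind the Apache proxy, and the
# IdP-originated SingleLogout (HTTP-Redirect binding, so a GET) rendered in an iframe.
SP_SITE = "server.com"
IDP_SITE = "login.microsoftonline.com"   # assumed initiator: the Azure AD sign-out page
SLO_IFRAME = Request(IDP_SITE, SP_SITE, "GET", top_level=False, https=True)
SLO_TOP_LEVEL = Request(IDP_SITE, SP_SITE, "GET", top_level=True, https=True)
SAME_SITE_NAV = Request(SP_SITE, SP_SITE, "GET", top_level=True, https=True)


def slo_cookie_outcomes(req=SLO_IFRAME):
    """Map each SameSite setting to whether JSESSIONID reaches the SP on the SLO request."""
    return {mode: would_attach(Cookie("JSESSIONID", mode, secure=True), req)[0]
            for mode in ("Strict", "Lax", "None")}


if __name__ == "__main__":
    for mode, sent in slo_cookie_outcomes().items():
        print("iframe SLO, SameSite=%-6s -> %s" % (mode, "cookie sent" if sent else "cookie dropped"))
    print("top-level SLO, SameSite=Lax ->", would_attach(Cookie("JSESSIONID", "Lax", True), SLO_TOP_LEVEL))
```

Two practitioner caveats follow from the table this prints. First, SameSite=None is only honoured together with Secure, so the proxy must both serve HTTPS and add both attributes (a common Apache form is a Header edit on Set-Cookie appending "; SameSite=None; Secure", shown here as an assumption about the deployment, not the poster's exact directive). Second, SameSite=Lax was part of what protected the session cookie from cross-site request forgery; once it is None, the SP's own CSRF defences (the Spring CSRF token, and the SAML extension's signature check on the logout request, which the log above shows succeeding) are all that is left, so do not disable them to make logout "work".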
I followed this guide to set up security with Azure AD - https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
After logging in to my Microsoft account, the system redirects me to a URL like this https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=25802571-a250-4e99-ba72-87c6eee9f1db&scope=openid%20https://graph.microsoft.com/user.read&state=0HA8WfPariUK8QXcwMlOseVIPNVm0f4XSa_T7JZZvyE%3D&redirect_uri=http://localhost:8079/login/oauth2/code/azure&nonce=eREVP5yO5L3WvOXH6HJfb_LAT8Gk7iu6jrdu259RePM but this URL doesn't redirect me to my server
UPDATE 1: I turned on debug logs and on redirect I can see the logs below in the console
2020-10-08 22:39:59.700 DEBUG 756 --- [onPool-worker-9] c.m.a.m.ConfidentialClientApplication : [Correlation ID: 7e63aac3-6ace-46e6-ab45-9c86aadfeed6] Access Token was returned
2020-10-08 22:40:01.542 DEBUG 756 --- [onPool-worker-9] c.m.a.m.ConfidentialClientApplication : [Correlation ID: 712291cd-969f-4158-b26e-4b00aadfeed6] Access Token was returned
2020-10-08 22:40:02.762 DEBUG 756 --- [onPool-worker-9] c.m.a.m.ConfidentialClientApplication : [Correlation ID: fafb0b37-254c-4e8d-bf15-ec5faadfeed6] Access Token was returned
I tried the Spring Boot sample, and it works well. It redirects to http://localhost:8080/ after login with the test user.
You need to set the redirect URL as http://localhost:8080/login/oauth2/code/azure in the portal. Make sure the permissions are also configured and granted admin consent.
If you want to change the redirect URL, you need to add spring.security.oauth2.client.registration.azure.redirect-uri-template in the application.properties and set the redirect URL in the portal.
I'm using Spring Security to setup oauth2 authentication within my Spring Boot web app that runs behind a reverse proxy.
Flow:
1) Navigate to my Spring app's login page
2) Redirection to oauth provider. Logging in.
3) Redirection back to my redirect-uri endpoint
4) Flow breaks and default Spring login page prints:
Your login attempt was not successful, try again.
Reason: [invalid_redirect_uri_parameter]
I turned on debugging, the console shows:
2019-01-30 09:46:40.094 DEBUG 1 --- [nio-8080-exec-2] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider
2019-01-30 09:46:40.094 DEBUG 1 --- [nio-8080-exec-2] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider
2019-01-30 09:46:40.095 DEBUG 1 --- [nio-8080-exec-2] .s.o.c.w.OAuth2LoginAuthenticationFilter : Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_redirect_uri_parameter]
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_redirect_uri_parameter]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:136) ~[spring-security-oauth2-client-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Digging into OidcAuthorizationCodeAuthenticationProvider.java's code shows that the following statement triggers the error: (authorizationResponse.getRedirectUri().equals(authorizationRequest.getRedirectUri()))
I checked the browser requests. The redirect URI parameter of my initial request is equal to the site I'm redirected to after being authenticated at the provider's site. (Otherwise the provider would have thrown a redirect URI mismatch error.)
According to another user's experience (http://blog.davidvassallo.me/2018/08/10/lessons-learnt-of-spring-boot-oauth2-redirect-uris/) Spring Boot sees 'localhost' when running behind a reverse proxy and therefore the redirect URIs aren't equal anymore (when localhost is not the correct hostname).
How can I get the value of authorizationResponse.getRedirectUri() and authorizationRequest.getRedirectUri()? I want to see which redirect uri Spring Security sees. The debug console doesn't print these values.
I created an endpoint that prints out request.getRequestURL().toString() and indeed it prints the original url and not the reverse proxy url. That might be the problem.
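The observation in the last line is the whole problem: Spring expands its redirect-uri template from the request it receives, so behind a proxy that does not pass (or whose headers are not trusted) the public scheme and host, {baseUrl} resolves to http://localhost:8080. The snippet below is an added example, not Spring's code, that reproduces that expansion for the same callback with and without honouring X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port. The template {baseUrl}/login/oauth2/code/{registrationId} is Spring Security's default; the hostname, port and header values are constructed, and the comparison is simplified to "computed URI equals the public URI the browser actually used" rather than Spring's comparison of the saved authorization request against the authorization response.

```python
"""
Expand Spring's redirect-uri template from a request as delivered by a reverse proxy,
with and without trusting X-Forwarded-* headers. Added example, not Spring's code;
hostnames, ports and header values are constructed.
"""

DEFAULT_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"  # Spring Security default


def base_url(request, trust_forwarded):
    """scheme://host[:port] as the app sees it, optionally taken from X-Forwarded-* headers."""
    scheme, host, port = request["scheme"], request["host"], request["port"]
    if trust_forwarded:
        headers = {k.lower(): v for k, v in request["headers"].items()}
        # Proxies may chain values with commas; the first entry is the client-facing one.
        scheme = headers.get("x-forwarded-proto", scheme).split(",")[0].strip()
        host = headers.get("x-forwarded-host", host).split(",")[0].strip()
        if ":" in host:                                  # X-Forwarded-Host may carry its own port
            host, port = host.rsplit(":", 1)
            port = int(port)
        else:
            port = int(headers.get("x-forwarded-port") or (443 if scheme == "https" else 80))
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else "%s:%d" % (host, port)
    return "%s://%s" % (scheme, netloc)


def expand_template(template, request, registration_id, trust_forwarded):
    """Fill {baseUrl} and {registrationId} the way the default template is expanded."""
    return (template.replace("{baseUrl}", base_url(request, trust_forwarded))
                    .replace("{registrationId}", registration_id))


# Constructed: the OAuth2 callback exactly as the proxy hands it to the Spring app.
CALLBACK = {
    "scheme": "http", "host": "localhost", "port": 8080,
    "path": "/login/oauth2/code/myprovider",
    "headers": {"X-Forwarded-Proto": "https",
                "X-Forwarded-Host": "app.example.com",
                "X-Forwarded-Port": "443"},
}
# Constructed: the redirect_uri the browser carried to the provider (the public address).
PUBLIC_REDIRECT = "https://app.example.com/login/oauth2/code/myprovider"


def redirect_uri_matches(trust_forwarded):
    """(match?, computed URI) for the callback above under one forwarded-header policy."""
    computed = expand_template(DEFAULT_TEMPLATE, CALLBACK, "myprovider", trust_forwarded)
    return computed == PUBLIC_REDIRECT, computed


if __name__ == "__main__":
    for trust in (False, True):
        ok, uri = redirect_uri_matches(trust)
        print("trust X-Forwarded-* = %-5s -> %s (%s)" % (trust, uri, "match" if ok else "MISMATCH"))
```

The Spring Boot switch for the "trust" case is server.use-forward-headers=true on Boot 2.1 and earlier (the era of the spring-security-oauth2-client 5.0.8 jar in the stack trace), replaced by server.forward-headers-strategy=native or framework on Boot 2.2 and later. The security caveat is that these headers are only safe to honour from your own proxy: with Tomcat's native handling, keep the internal-proxies list restricted to the proxy's addresses, because a client who can reach the app directly and set X-Forwarded-Host would otherwise choose the host the application builds its redirect and absolute URLs from.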
I am trying to integrate a Shibboleth IdP v3.4.1 with my SP, which is a server called ClearPass. I am using the Linux platform of the Shibboleth IdP. I configured relying-party.xml, attribute-filter.xml, attribute-resolver.xml and ldap.properties, and also uploaded the metadata to /metadata/sp-metadata.xml, also updating the metadata-providers.
I am trying to use the password authentication flow with LDAP; however, the issue is that I never get the login page when I initiate the SAML transaction from my SP. I get an error saying "Web Login Service - Stale Request". I have attached a screenshot of the error.
I attempted a resolver test using the URL
http://shib.nslab.com:8080/idp/profile/admin/resolvertest?requester=https://chandracppm.nslab.com/networkservices/saml2/sp&principal=chandu
which returned:
{
  "requester": "https://chandracppm.nslab.com/networkservices/saml2/sp",
  "principal": "chandu",
  "attributes": [
    {
      "name": "sAMAccountName",
      "values": ["chandu"]
    }
  ]
}
I get the attributes from AD in return, which shows the connection to AD is working.
However the authentication page does not appear from the IDP when I try to access the resource in my SP, I only get the Stale request Error.
The error that I see in the logs/idp-process.log is as follows
2018-12-10 19:26:08,222 - 10.23.20.81 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: Shibboleth Authentication Request message did not contain the providerId query parameter.
at net.shibboleth.idp.saml.profile.impl.BaseIdPInitiatedSSORequestMessageDecoder.getEntityId(BaseIdPInitiatedSSORequestMessageDecoder.java:128)
2018-12-10 19:26:08,223 - 10.23.20.81 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2018-12-10 19:26:08,224 - 10.23.20.81 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:143] - No SAMLBindingContext or binding URI available, error must be handled locally
I am new to setting up Shibboleth IDP, not sure what I am missing.
Any inputs would be appreciated
Shibboleth fails to decode the message. This behavior is seen if the AuthnRequest is being sent to the POST endpoint instead of the Redirect one, or vice versa, or if either of the two endpoints is not configured properly. In the UI, the error you will notice for this is "Stale Request". I got a similar error in the idp-process.log file: "org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP GET method". The issue pertains to incorrect or misconfigured endpoints.
I was able to get this working by installing an IDP docker image from here
https://docs.google.com/document/d/1qb5XTde1nulCdA_8QUei48CxDj0lQs7ShD622Ze_4II/edit
The authentication flow is working now
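The log in the question points at the specific endpoint mix-up: the decoder that failed is BaseIdPInitiatedSSORequestMessageDecoder, which serves the IdP's unsolicited (IdP-initiated) SSO endpoint and therefore expects a providerId query parameter, not a SAMLRequest. A SAML 2.0 AuthnRequest sent with the HTTP-Redirect binding belongs on the SAML2/Redirect/SSO endpoint. The checker below is an added example, not the poster's code nor Shibboleth's: it performs the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encode) and its inverse, then compares the endpoint the SP actually targeted with the binding and parameter that endpoint expects and with the Destination inside the request. The AuthnRequest, the AssertionConsumerServiceURL and the endpoint table are constructed (the paths follow Shibboleth IdP v3 defaults, assumed here); the SP entity ID and IdP host are the ones that appear on this page. It does not verify the Signature parameter, so on live traffic treat its output as a routing diagnosis only.

```python
"""
Decode a SAML HTTP-Redirect request and check it was sent to an IdP endpoint whose
binding and expected parameters match. Added example, not from the original post.
AuthnRequest content and endpoint table are constructed (Shibboleth IdP v3 defaults assumed).
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed Shibboleth IdP v3 profile endpoints: path -> (required parameter, binding, method).
IDP_ENDPOINTS = {
    "/idp/profile/SAML2/Redirect/SSO": ("SAMLRequest", REDIRECT, "GET"),
    "/idp/profile/SAML2/POST/SSO": ("SAMLRequest", POST, "POST"),
    "/idp/profile/Shibboleth/SSO": ("providerId", "Shibboleth unsolicited SSO", "GET"),
}


def encode_redirect(xml_bytes):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param):
    """Inverse of encode_redirect; takes the already URL-decoded SAMLRequest value."""
    return zlib.decompress(base64.b64decode(param), -15)


def inspect_request(url):
    """Describe an SP->IdP request URL and list binding/endpoint problems (empty list = OK)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    result = {"path": parts.path, "problems": []}
    expected = IDP_ENDPOINTS.get(parts.path)
    if expected is None:
        result["problems"].append("unknown IdP endpoint %s" % parts.path)
        return result
    param, binding, _method = expected
    result["binding"] = binding
    if param not in query:
        # This is the situation behind "did not contain the providerId query parameter".
        result["problems"].append("endpoint expects a %r query parameter, which is absent" % param)
    if "SAMLRequest" in query:
        root = ET.fromstring(decode_redirect(query["SAMLRequest"][0]))
        result["destination"] = root.get("Destination")
        result["issuer"] = root.findtext("{%s}Issuer" % SAML)
        if root.tag != "{%s}AuthnRequest" % SAMLP:
            result["problems"].append("not an AuthnRequest: %s" % root.tag)
        if root.get("Destination") and urlsplit(root.get("Destination")).path != parts.path:
            result["problems"].append("Destination %s does not match the endpoint hit" % root.get("Destination"))
        if binding != REDIRECT:
            result["problems"].append("SAMLRequest arrived in the query string but the endpoint binding is %s" % binding)
    return result


# Constructed AuthnRequest: Issuer is the SP entity ID from the page; the ACS URL is a placeholder.
IDP_BASE = "http://shib.nslab.com:8080"
SP_ENTITY_ID = "https://chandracppm.nslab.com/networkservices/saml2/sp"
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_example1" Version="2.0" '
    'IssueInstant="2018-12-10T19:26:08Z" Destination="%s/idp/profile/SAML2/Redirect/SSO" '
    'AssertionConsumerServiceURL="https://sp.example/acs" ProtocolBinding="%s">'
    '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
    % (SAMLP, SAML, IDP_BASE, POST, SP_ENTITY_ID)
).encode()


def sp_request_url(endpoint_path):
    """The URL the SP would redirect the browser to if it targeted endpoint_path."""
    return "%s%s?SAMLRequest=%s&RelayState=x" % (IDP_BASE, endpoint_path, encode_redirect(AUTHN_REQUEST))


if __name__ == "__main__":
    for path in ("/idp/profile/SAML2/Redirect/SSO", "/idp/profile/Shibboleth/SSO"):
        print(path, "->", inspect_request(sp_request_url(path))["problems"] or "OK")
```

Run against the SP's real redirect (copy the location it sends the browser to from the browser's network tab), the first question to answer is simply which of the three paths it hits; the second is whether the request's Destination agrees, because the IdP rejects a mismatch there too. The same idea applies in reverse to the HTTP-POST endpoint, where a GET produces the "This message decoder only supports the HTTP GET method" class of error mentioned in the first answer.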
I have an access token with the necessary scope. I can also successfully access the resource server. The error occurs when the resource server tries to fetch the user Principal from the Authorization server. I really hope I can get some hints or help about how I can solve this.
The access Token:
{"access_token":"65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9","token_type":"bearer","refresh_token":"f1e2a49d-5b24-4e9c-b9da-567eb47d6ab7","expires_in":149,"scope":"read write trust"}
The resource server call:
curl -H "Authorization:Bearer 65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9" http://localhost:9001/resource/hello
Resource server output after the call:
2016-10-10 10:10:06.144 INFO 411 --- [nio-9001-exec-5] o.s.b.a.s.o.r.UserInfoTokenServices : Getting user info from: http://localhost:9000/auth/user
The endpoint (localhost:9000/auth/user) gets executed, but I always get the following response to my curl request:
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"read"}
I resolved this by removing the user info URI from the resource server properties. Since I use a JDBC token store, the resource server can verify the authenticity of the token from the database without relying on the auth server anymore.