Integrating FusionAuth with TheHive 3.4.2 / OAuth / SSO #620

Closed
shortstack opened this issue May 11, 2020 · 5 comments

shortstack commented May 11, 2020

Integrating FA with TheHive 3.4.2 / OAuth / SSO

Description

Configured TheHive to use FusionAuth for authentication; unsure if the issue is on the TheHive side or the FusionAuth side, or if they're just not compatible in their current state.

Our application load balancer in AWS sits in front of TheHive and authenticates with FusionAuth, which brings me to this, like it should:

[Screenshot 2020-05-11 10 48 25]

Upon clicking Sign in with SSO, it sends a POST to:
https://REDACTED/api/ssoLogin

Which sends me to:
https://REDACTED/oauth2/authorize?scope=openid&response_type=code&redirect_uri=https%3A%2F%2FREDACTED%2Findex.html&client_id=REDACTED

Then I am sent here and am staring at the login screen again:

https://REDACTED/index.html?code=SWrlJoiMDSnx7DQyqXofFZ2GMWR6iPSVJ_xo8rWi8Gw&locale=en_US&userState=Authenticated#!/login

And it just keeps coming back to the same screen.

It seems to be successful on the FA side because it should be using the same session/client ID/etc from the load balancer and I get the code above and userState=Authenticated in the URL.

I get the following in TheHive logs, nothing in FA logs:

2020-05-11 14:45:39,133 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-2 - Authentication failure:
	session: AuthenticationError User session not found
	pki: AuthenticationError Certificate authentication is not configured
	key: AuthenticationError Authentication header not found
	init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-05-11 14:45:39,133 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-2 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
	at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
2020-05-11 14:45:39,194 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Authentication failure:
	session: AuthenticationError User session not found
	pki: AuthenticationError Certificate authentication is not configured
	key: AuthenticationError Authentication header not found
	init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-05-11 14:45:39,195 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-17 - GET /api/list/ui_settings returned 401
org.elastic4play.AuthenticationError: Authentication failure
	at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

Hive configuration:

auth {
  provider = [local,oauth2]

  oauth2 {
    clientId = "REDACTED"
    clientSecret = "REDACTED"
    redirectUri = "https://REDACTED/index.html"
    responseType = "code"
    grantType = "authorization_code"
    authorizationUrl = "https://REDACTED/oauth2/authorize"
    tokenUrl = "https://REDACTED/oauth2/token"
    userUrl = "https://REDACTED/oauth2/userinfo"
    scope = "openid"
  }

  sso {
    mapper = groups
    autocreate = true
    autoupdate = true
    defaultRoles = ["read","write"]
    autologin = false
    attributes {
      login = "sub"
      name = "username"
      groups = "roles"
      #roles = "roles"
    }
    defaultRoles = ["read","write"]
    groups.mappings {
      analyst = ["read", "write"]
      admin = ["read", "write", "admin"]
    }
  }
}

If this looks to be an issue on TheHive side, I will continue troubleshooting on that end. But I'd like to narrow it down if possible.

Other articles suggested there might be an incompatibility with having a # in the redirect from TheHive (it's the default behavior on their platform).

Thank you in advance.


mooreds commented May 11, 2020

Hmmm. I did some googling and found out you were already on this issue: TheHive-Project/TheHive#946, which appears very relevant.

It certainly does look like TheHive is not handling the delivery of the authorization code and calling into /oauth2/token to get a valid token. I have not used TheHive before, but that's my high-level assessment.

One thing you could do is try turning off client authorization for the FusionAuth application (it's application.oauthConfiguration.requireClientAuthentication in the API and 'Require authentication' in the UI) and see if that helps.

shortstack (Author) commented:

Yep, that's turned off as well :( I should've noted that.

I have a feeling it's something on the Hive side, but wanted to see if there might be something else I'm missing.


robotdan commented May 11, 2020

The only thing that stands out to me is the configuration provider = [local,oauth2]. If this is using an OAuth2 strategy and expecting a User object to come back on the /oauth2/userinfo endpoint, the JSON response may not be what it expects.

If this is a passport.js OAuth2 strategy, you may be able to extend it to use OpenID Connect. Here is our NodeBB plugin that does something similar using Passport.js.
https://github.com/FusionAuth/nodebb-plugin-fusionauth-oidc/blob/master/src/passport-fusionauth-oidc.ts

Another option (not knowing anything about what Hive does with the userUrl configuration): if it passes along the access token, the User API does allow for a retrieve via JWT.
https://fusionauth.io/docs/v1/tech/apis/users#retrieve-a-user (see "Retrieve a User using a JWT").
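Added example (not code from TheHive, FusionAuth or either commenter) of the two steps mooreds and robotdan point at: parsing the callback query after the browser lands on redirectUri (the `#!/login` fragment never reaches the server), redeeming the code at tokenUrl, and then mapping a userinfo document through the sso.attributes and groups.mappings blocks from the posted config. The `post` callable, `demo`, and the userinfo claim values are constructed stand-ins, not a real FusionAuth response.

```python
from urllib.parse import urlsplit, parse_qs

# Values copied from the sso block of the posted TheHive configuration.
ATTRIBUTES = {"login": "sub", "name": "username", "groups": "roles"}
DEFAULT_ROLES = ["read", "write"]
GROUP_MAPPINGS = {"analyst": ["read", "write"], "admin": ["read", "write", "admin"]}


def parse_callback(url):
    """Pull the one-time code out of the URL the browser lands on after
    /oauth2/authorize. Only the query string is usable: the '#!/login'
    fragment is never sent to the server."""
    qs = parse_qs(urlsplit(url).query)
    if "error" in qs:
        raise ValueError("authorization server error: " + qs["error"][0])
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def exchange_code(code, token_url, client_id, redirect_uri, post):
    """Redeem the code at tokenUrl (the step the thread says never happens).
    `post(url, form)` is an injected HTTP function so this runs offline."""
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "redirect_uri": redirect_uri}
    resp = post(token_url, form)
    if "access_token" not in resp:
        raise ValueError("tokenUrl returned no access_token: %r" % resp)
    return resp["access_token"]


def map_userinfo(claims):
    """Apply sso.attributes and groups.mappings to a userinfo response;
    unknown groups add nothing beyond defaultRoles."""
    login = claims[ATTRIBUTES["login"]]
    name = claims.get(ATTRIBUTES["name"], login)
    groups = claims.get(ATTRIBUTES["groups"], [])
    roles = set(DEFAULT_ROLES)
    for g in ([groups] if isinstance(groups, str) else groups):
        roles.update(GROUP_MAPPINGS.get(g, []))
    return {"login": login, "name": name, "roles": sorted(roles)}


def demo(callback_url):
    """End-to-end run against a constructed token endpoint and a constructed
    userinfo document (hypothetical values, not a real FusionAuth reply)."""
    fake_token = lambda url, form: {"access_token": "at-" + form["code"][:6]}
    fake_userinfo = {"sub": "3f1c", "username": "alice", "roles": ["admin", "guest"]}
    code = parse_callback(callback_url)
    token = exchange_code(code, "https://REDACTED/oauth2/token", "REDACTED",
                          "https://REDACTED/index.html", fake_token)
    return token, map_userinfo(fake_userinfo)
```

The authorize redirect quoted in the issue carries no `state` parameter; a client that completes this flow should also generate one per login attempt and verify it on the callback before redeeming the code.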

shortstack (Author) commented:

Tracking here for v4:

#708

shortstack (Author) commented:

Closing because it's not an issue with FA; tracking here: TheHive-Project/TheHive#1342 and #708 for v3 and v4.
