Integrating FusionAuth with TheHive 4.0.0-0.3RC3 / OAuth / SSO #708

Closed
shortstack opened this issue Jun 29, 2020 · 24 comments

Comments

@shortstack

Description

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to TheHive login screen
  2. Click on 'Sign in with SSO'
  3. Redirects back to login screen
  4. Login doesn't happen

Expected behavior

Click button, auth with FA, log in

Screenshots

Screenshot 2020-06-28 22 35 16

Platform

  • Device: Anywhere
  • OS: 2 separate Ubuntu servers running TheHive and FusionAuth
  • Browser + version: Any

Additional context

If I click the login with SSO button on TheHive to auth with FusionAuth via SSO/OAuth, instead of getting a 302 to redirect me to https://thehive/api/ssoLogin, I get a 200 and I remain on the login page. Behavior explained here:
Screenshot 2020-06-28 22 31 49

If I explicitly go to https://fusionauth/oauth2/authorize?state=319830de-b9f3-4d3b-ae6c-50798a805da0&scope=openid&redirect_uri=https://thehive/api/ssoLogin/etceteraetcetera in a new tab, I get a 302 and I am successfully taken to https://thehive/api/ssoLogin and logged in.

Once again, I'm not sure if this is an issue with FA or an issue in the process within TheHive. Their devs say they have it working in a sandbox environment, but they also have them both (FA and TheHive) running locally on the same system.

@shortstack
Author

Scenario 1: Clicking the button

2020-06-29 02:56:02,934 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-12 - Found SSO request
2020-06-29 02:56:02,934 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-12 - Code or state is not provided, redirect to authorizationUrl
2020-06-29 02:56:02,935 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-12 - Redirecting to https://thehive/api/ssoLogin with Map(state -> List(2bbdef8d-62ad-4cca-af81-5cc5b3378d12), scope -> List(openid), redirect_uri -> List(https://thehive/api/ssoLogin), client_id -> List(35fe760d-6a7a-4267-b1d0-5c28575b98b2), response_type -> List(code)) and state 2bbdef8d-62ad-4cca-af81-5cc5b3378d12
2020-06-29 02:56:02,935 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-12 - 10.30.0.218 POST /api/ssoLogin took 3ms and returned 302 0 bytes
2020-06-29 02:56:03,128 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-14 - 10.30.0.218 GET /index.html took 1ms and returned 200 1191 bytes

Screenshot 2020-06-28 22 58 15

Scenario 2: Opening /oauth2/authorize in new tab

2020-06-29 02:58:25,478 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-11 - Found SSO request
2020-06-29 02:58:25,479 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-11 - Attempting to retrieve OAuth2 token from https://fusionauth/oauth2/token with code List(rmK7N50JvAx90wDl2GHQuCbMmDTOOos46ZYpgT2AqPk)
2020-06-29 02:58:25,591 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-11 - Got user info: {"applicationId":"35fe760d-6a7a-4267-b1d0-5c28575b98b2","email":"[email protected]","email_verified":true,"family_name":"Champion","given_name":"Whitney","preferred_username":"[email protected]","roles":["Admin","Cognito"],"sub":"8893cdd0-68f1-40de-b870-f1c8c40d1cb3"}

Screenshot 2020-06-28 22 58 54

@shortstack
Author

TheHive config:

auth {
  providers: [
    {name: session},
    {name: basic, realm: thehive},
    {name: local},
    {name: key},
    {name: oauth2,
        clientId: "REDACTED",
        clientSecret: "REDACTED",
        redirectUri: "https://thehive/api/ssoLogin",
        responseType: "code",
        grantType: "authorization_code",
        authorizationUrl: "https://fusionauth/oauth2/authorize",
        tokenUrl: "https://fusionauth/oauth2/token",
        userUrl: "https://fusionauth/oauth2/userinfo",
        scope: ["openid"],
        userIdField: "email",
        authorizationHeader: "Bearer"
    }
  ]
# The format of logins must be valid email address format. If the provided login doesn't contain `@` the following
# domain is automatically appended
  defaultUserDomain: ""
}

Additionally, we have FusionAuth integrated as SSO for other platforms with the same FA application/client ID/secret (ex: RocketChat) and it works fine.

@mooreds
Collaborator

mooreds commented Jun 29, 2020

@shortstack , can you please share your FusionAuth application config (redacted as needed)? Also, which version of FusionAuth are you running?

@shortstack
Author

@mooreds which part of the app configuration would be most helpful?

upgraded to 1.17.4 this morning, but same everything

@mooreds
Collaborator

mooreds commented Jun 29, 2020

I'm unsure exactly which part would be helpful, to be honest. Do you mind providing the entire config as json?

@shortstack
Author

{
    "application": {
        "active": true,
        "authenticationTokenConfiguration": {
            "enabled": true
        },
        "id": "35fe760d-6a7a-4267-b1d0-5c28575b98b2",
        "jwtConfiguration": {
            "accessTokenKeyId": "REDACTED",
            "enabled": false,
            "idTokenKeyId": "REDACTED",
            "refreshTokenTimeToLiveInMinutes": 43200,
            "timeToLiveInSeconds": 3600
        },
        "lambdaConfiguration": {
            "samlv2PopulateId": "REDACTED"
        },
        "loginConfiguration": {
            "allowTokenRefresh": false,
            "generateRefreshTokens": false,
            "requireAuthentication": true
        },
        "name": "Cognito",
        "oauthConfiguration": {
            "authorizedRedirectURLs": [
                "https://thehive",
                "https://thehive/api/ssoLogin"
            ],
            "clientId": "REDACTED",
            "clientSecret": "REDACTED",
            "enabledGrants": [
                "authorization_code",
                "refresh_token",
                "password",
                "implicit"
            ],
            "generateRefreshTokens": true,
            "logoutBehavior": "AllApplications",
            "requireClientAuthentication": false
        },
        "passwordlessConfiguration": {
            "enabled": true
        },
        "registrationConfiguration": {
            "birthDate": {
                "enabled": false,
                "required": false
            },
            "confirmPassword": true,
            "enabled": false,
            "firstName": {
                "enabled": false,
                "required": false
            },
            "fullName": {
                "enabled": false,
                "required": false
            },
            "lastName": {
                "enabled": false,
                "required": false
            },
            "loginIdType": "email",
            "middleName": {
                "enabled": false,
                "required": false
            },
            "mobilePhone": {
                "enabled": false,
                "required": false
            }
        },
        "registrationDeletePolicy": {
            "unverified": {
                "enabled": false,
                "numberOfDaysToRetain": 30
            }
        },
        "roles": [
            {
                "id": "883cdc4b-647a-4c58-82bb-d4509572d3fa",
                "isDefault": false,
                "isSuperRole": true,
                "name": "Admin"
            },
            {
                "id": "def07a8e-515b-435e-a582-43f0fc711e21",
                "isDefault": true,
                "isSuperRole": false,
                "name": "Cognito"
            }
        ],
        "samlv2Configuration": {
            "audience": "REDACTED",
            "callbackURL": "https://REDACTED/saml2/idpresponse",
            "debug": true,
            "enabled": true,
            "issuer": "REDACTED",
            "keyId": "a0b50d91-b985-435a-9dc8-1df0db34322c",
            "xmlSignatureC14nMethod": "exclusive_with_comments"
        },
        "tenantId": "REDACTED",
        "verifyRegistration": false
    }
}

@mooreds
Collaborator

mooreds commented Jun 29, 2020

I confess, I'm at a loss. Short of downloading and installing The Hive and playing around with the SSO integration, I'm not sure what the next steps would be. I'll watch TheHive-Project/TheHive#1342 as I see there's some activity over there as well.

@shortstack
Author

the fusionauth docs say that when it returns a 200, it's returning the auth form: "the response will contain an html form to collect login credentials"

but i don't understand why it's pulling back the 200 from the SSO button vs a 302

@robotdan
Member

To confirm, this is what you're seeing:

  1. Click "Sign in with SSO" on the Hive login page (302 to FusionAuth)
  2. You are redirected to FusionAuth where you see a login page (200, HTML renders)
  3. You enter credentials, submit the form to login to FusionAuth

After this (if correct) what happens?

From your debug output:

2020-06-29 02:56:02,934 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-12 - Code or state is not provided, redirect to authorizationUrl
2020-06-29 02:56:02,935 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-12 - Redirecting to https://thehive/api/ssoLogin with Map(state -> List(2bbdef8d-62ad-4cca-af81-5cc5b3378d12), scope -> List(openid), redirect_uri -> List(https://thehive/api/ssoLogin), client_id -> List(35fe760d-6a7a-4267-b1d0-5c28575b98b2), response_type -> List(code)) and state 2bbdef8d-62ad-4cca-af81-5cc5b3378d12

It seems to indicate that it is redirecting to itself instead of FusionAuth when you click the button. Redirecting to https://thehive/api/ssoLogin
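
The debug line quoted above can be checked mechanically against the provider block shortstack posted. The following is an added example for this thread, not TheHive, scalligraph or FusionAuth code: it parses the `Redirecting to ... with Map(...)` message, compares each OAuth2 parameter with the configured value, and reports where the logged redirect target points. The log lines are copied from the thread; the expected `client_id` is the FusionAuth application id from the posted export, because the posted HOCON redacts `clientId`. Whether the logged target is what the browser was actually sent to is a question for a network capture, not the log.

```python
"""Check TheHive's OAuth2Srv debug output against the posted oauth2 provider block.

Added example for this thread; not TheHive, scalligraph or FusionAuth code. It parses
the "Redirecting to ... with Map(...)" line scalligraph logs and compares every
parameter with the provider configuration posted earlier in the thread.
"""
import re
from urllib.parse import urlsplit

# Debug lines from scenario 1 (clicking the button), as posted in the thread.
LOG_LINES = [
    "2020-06-29 02:56:02,934 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in "
    "application-akka.actor.default-dispatcher-12 - Found SSO request",
    "2020-06-29 02:56:02,934 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in "
    "application-akka.actor.default-dispatcher-12 - Code or state is not provided, "
    "redirect to authorizationUrl",
    "2020-06-29 02:56:02,935 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in "
    "application-akka.actor.default-dispatcher-12 - Redirecting to "
    "https://thehive/api/ssoLogin with Map(state -> "
    "List(2bbdef8d-62ad-4cca-af81-5cc5b3378d12), scope -> List(openid), "
    "redirect_uri -> List(https://thehive/api/ssoLogin), client_id -> "
    "List(35fe760d-6a7a-4267-b1d0-5c28575b98b2), response_type -> List(code)) "
    "and state 2bbdef8d-62ad-4cca-af81-5cc5b3378d12",
]

# Values from the posted oauth2 provider block. clientId is redacted there, so the
# application id from the posted FusionAuth export is used as the expected value.
EXPECTED = {
    "authorizationUrl": "https://fusionauth/oauth2/authorize",
    "redirect_uri": "https://thehive/api/ssoLogin",
    "client_id": "35fe760d-6a7a-4267-b1d0-5c28575b98b2",
    "response_type": "code",
    "scope": "openid",
}

REDIRECT_RE = re.compile(r"Redirecting to (\S+) with Map\((.*)\) and state (\S+)$")
PARAM_RE = re.compile(r"(\w+) -> List\(([^)]*)\)")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_redirect(line):
    """Return {target, params, state} for a 'Redirecting to' line, else None."""
    m = REDIRECT_RE.search(line)
    if not m:
        return None
    target, params_blob, state = m.groups()
    return {"target": target, "params": dict(PARAM_RE.findall(params_blob)), "state": state}


def check_redirect(parsed, expected=EXPECTED):
    """Compare one parsed redirect with the config; an empty list means everything matches."""
    findings = []
    p = parsed["params"]
    for key in ("redirect_uri", "client_id", "response_type", "scope"):
        if p.get(key) != expected[key]:
            findings.append(f"{key}: logged {p.get(key)!r}, configured {expected[key]!r}")
    if p.get("state") != parsed["state"]:
        findings.append("state in the query differs from the state bound to the session")
    if not UUID_RE.match(parsed["state"]):
        findings.append("state is not a UUID")
    # In an authorization-code flow the browser must be sent to the IdP's authorize
    # endpoint; note when the logged target is on some other host.
    idp_host = urlsplit(expected["authorizationUrl"]).netloc
    if urlsplit(parsed["target"]).netloc != idp_host:
        findings.append(f"logged redirect target {parsed['target']} is not on the IdP host {idp_host}")
    return findings


def analyse(lines=LOG_LINES):
    """Return (parsed, findings) for every redirect line in the input."""
    return [(p, check_redirect(p)) for p in map(parse_redirect, lines) if p]


if __name__ == "__main__":
    for parsed, findings in analyse():
        print("redirect target:", parsed["target"])
        for f in findings or ["all parameters match the posted config"]:
            print("  -", f)
```

Run as-is, the parameters all match the posted configuration and the only finding is that the logged target is `https://thehive/api/ssoLogin` rather than a URL on the `fusionauth` host, which is exactly the point raised above.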

@shortstack
Author

shortstack commented Jun 29, 2020

scenario 1: button

  1. Click "Sign in with SSO" on the Hive login page
  2. I go nowhere (200 response from FA seen in network requests instead of expected 302 to point back to TheHive ssoLogin endpoint)

scenario 2: open the /oauth2/authorize endpoint (the same link that thehive is supposed to direct to via that button) in a new tab

  1. Paste https://fusionauth/oauth2/authorize?state=319830de-b9f3-4d3b-ae6c-50798a805da0&scope=openid&redirect_uri=https://thehive/api/ssoLogin/etceteraetcetera in a new tab
  2. Hit enter
  3. I am taken to FusionAuth and successfully authed and sent back to TheHive (302 response from FA seen in network requests to redirect back to TheHive)

@shortstack
Author

@robotdan i have a screen recording if i can share this somehow--best method for private link for you?

@robotdan
Member

Sent you an email that you can respond to with a link. Thanks.

@voidmain
Member

A HAR file might be really helpful for this as well since it seems to be all happening in the browser.

@robotdan
Member

I've recreated most I believe (some of my notes are over here: TheHive-Project/TheHive#1342).

I get an OPTIONS request from TheHive for the Authorize request, it passes, and I see the OPTIONS request in the browser debugger. The next request is the GET request but it shows as not having a response body.

I never see a request to the Token endpoint, I think I'd have to dig through code over in the TheHive GitHub project to see what they are trying to do in the callback to get much further.
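
The OPTIONS-then-GET sequence described above is the kind of thing a HAR file (as voidmain suggested) pins down. The following is an added example for this thread, not FusionAuth or TheHive code: it reads a HAR capture and classifies each exchange with the `/oauth2/authorize` endpoint. `SAMPLE_HAR` is constructed to mirror the two scenarios in the thread (a preflight 204 and a GET 200 for the button, a GET 302 for the pasted URL); it is not a real capture, and the authorization code in it is a placeholder.

```python
"""Summarise what the browser saw on /oauth2/authorize from a HAR capture.

Added example for this thread; not FusionAuth or TheHive code. SAMPLE_HAR is
constructed sample data covering the minimal subset of HAR 1.2 this script reads.
"""
import json
from urllib.parse import urlsplit

AUTHORIZE_URL = (
    "https://fusionauth/oauth2/authorize?response_type=code"
    "&client_id=35fe760d-6a7a-4267-b1d0-5c28575b98b2"
    "&redirect_uri=https%3A%2F%2Fthehive%2Fapi%2FssoLogin&scope=openid"
    "&state=2bbdef8d-62ad-4cca-af81-5cc5b3378d12"
)


def _entry(when, method, req_headers, status, resp_headers, mime):
    """Build one constructed HAR entry for the authorize URL."""
    return {
        "startedDateTime": when,
        "request": {"method": method, "url": AUTHORIZE_URL,
                    "headers": [{"name": k, "value": v} for k, v in req_headers]},
        "response": {"status": status,
                     "headers": [{"name": k, "value": v} for k, v in resp_headers],
                     "content": {"mimeType": mime}},
    }


SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    # Scenario 1: the SSO button issues a cross-origin script request: preflight, then HTML.
    _entry("2020-06-30T11:20:00.000Z", "OPTIONS",
           [("Origin", "https://thehive"), ("Access-Control-Request-Method", "GET")],
           204, [], "x-unknown"),
    _entry("2020-06-30T11:20:00.050Z", "GET", [("Origin", "https://thehive")],
           200, [("Content-Type", "text/html;charset=UTF-8")], "text/html"),
    # Scenario 2: the same URL pasted into a tab is a top-level navigation; the IdP redirects.
    _entry("2020-06-30T11:25:00.000Z", "GET", [],
           302, [("Location", "https://thehive/api/ssoLogin?code=PLACEHOLDER_CODE"
                              "&state=2bbdef8d-62ad-4cca-af81-5cc5b3378d12")], "x-unknown"),
]}})


def header(part, name):
    """Case-insensitive header lookup on a HAR request or response object."""
    for h in part.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def authorize_entries(har_text, path="/oauth2/authorize"):
    """Return a summary row for each exchange whose URL path is the authorize endpoint."""
    har = json.loads(har_text)
    rows = []
    for e in har["log"]["entries"]:
        req, resp = e["request"], e["response"]
        if urlsplit(req["url"]).path != path:
            continue
        rows.append({
            "time": e["startedDateTime"],
            "method": req["method"],
            "status": resp["status"],
            "origin": header(req, "Origin"),
            "preflight": header(req, "Access-Control-Request-Method") is not None,
            "location": header(resp, "Location"),
            "mime": resp.get("content", {}).get("mimeType"),
        })
    return rows


def diagnose(rows):
    """Attach a verdict to each row; returns (method, status, verdict) tuples."""
    out = []
    for r in rows:
        if r["preflight"]:
            verdict = "CORS preflight: authorize was requested from script, not by navigation"
        elif r["status"] in (302, 303, 307) and r["location"]:
            verdict = f"redirected to {urlsplit(r['location']).path}: expected authorization-code flow"
        elif r["status"] == 200 and r["origin"]:
            verdict = "cross-origin script request received the HTML login form instead of a redirect"
        elif r["status"] == 200:
            verdict = "login form rendered by top-level navigation; user not yet authenticated"
        else:
            verdict = "unexpected response"
        out.append((r["method"], r["status"], verdict))
    return out


if __name__ == "__main__":
    for method, status, verdict in diagnose(authorize_entries(SAMPLE_HAR)):
        print(f"{method:7} {status}  {verdict}")
```

Pointed at a real export from the browser's network tab, `authorize_entries(open("capture.har").read())` gives the same rows; the presence of an `Access-Control-Request-Method` header on the authorize URL is the tell that the client reached the endpoint from script rather than by navigating the page there.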

@shortstack
Author

yep, i get a 204 followed by the 200, instead of a 302 back to thehive/api/ssoLogin

@shortstack
Author

i will get a HAR file soon

@shortstack
Author

HAR file emailed to @robotdan

@shortstack
Author

this is disheartening :(

so now what

Screenshot 2020-06-30 07 20 56

@shortstack
Author

i added the CORS everywhere plugin in firefox and that did nothing. additionally, i don't see any CORS errors/messages in the developer tools console.

@shortstack
Author

Screenshot 2020-06-30 07 41 59

@robotdan
Member

Re: #708 (comment)

Is that a response from TheHive team, or from yours? It seems to indicate there is possibly a CORS issue in TheHive?

@shortstack
Author

this morning has been a rollercoaster of emotions.

working with one of their devs this morning. they said it was a known CORS issue (screenshot above) and that they fixed it in RC2 (i wish this had been mentioned days ago).

i rolled back to RC2, and ran into another issue where it was not redirecting as expected (team says that /api/ssoLogin is supposed to redirect to the frontend and it was not).

i was working off a hive config they provided, which turned out to be incorrect. i made a change to the config to use the correct frontend/index.html redirectUri... and it is now working.

@robotdan
Member

That is great! Can you share your configuration and version of Hive? (assuming RC2?)

@shortstack
Author

one caveat, while auto user creation worked in RC3, it doesn't work in RC2 :( which means we'll have to programmatically create the users in thehive and assign them to the correct org when we create them in fusionauth. but better than it was yesterday. thanks so much for your help and extra sets of eyeballs.

auth {
  providers: [
    {name: session},
    {name: basic, realm: thehive},
    {name: local},
    {name: key},
    {name: oauth2,
        clientId: "REDACTED",
        clientSecret: "REDACTED",
        redirectUri: "https://thehive/index.html",
        responseType: "code",
        grantType: "authorization_code",
        authorizationUrl: "https://fusionauth/oauth2/authorize",
        tokenUrl: "https://fusionauth/oauth2/token",
        userUrl: "https://fusionauth/oauth2/userinfo",
        scope: ["openid"],
        userIdField: "email",
        #defaultOrganisation: "REDACTED",
        authorizationHeader: "Bearer"
    }
  ]
# The format of logins must be valid email address format. If the provided login doesn't contain `@` the following
# domain is automatically appended
  defaultUserDomain: "REDACTED"
}
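
The two provider blocks posted in this thread differ only in `redirectUri`, and FusionAuth will only accept a `redirect_uri` that is registered under the application's `authorizedRedirectURLs`. The following is an added example, not TheHive or FusionAuth code: it composes the authorize request TheHive's `oauth2` provider sends the browser to and checks the `redirect_uri` against the authorized list as posted earlier in the thread, using exact string comparison. The `clientId` used is the application id from the posted export, since the HOCON redacts it. Against the list as posted, the final `https://thehive/index.html` value is reported as unregistered; the working deployment must have had that URL added on the FusionAuth side, a step the thread does not show.

```python
"""Build TheHive's authorize request from its oauth2 provider block and check the
redirect_uri against FusionAuth's authorizedRedirectURLs.

Added example for this thread; not TheHive or FusionAuth code. Provider values and the
authorized list are the ones posted in the thread; clientId comes from the posted
FusionAuth export because the HOCON block redacts it.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# authorizedRedirectURLs from the FusionAuth application export posted in the thread.
AUTHORIZED_REDIRECT_URLS = ["https://thehive", "https://thehive/api/ssoLogin"]

# The first oauth2 provider block posted; the final one changes only redirectUri.
ORIGINAL_PROVIDER = {
    "clientId": "35fe760d-6a7a-4267-b1d0-5c28575b98b2",
    "redirectUri": "https://thehive/api/ssoLogin",
    "responseType": "code",
    "authorizationUrl": "https://fusionauth/oauth2/authorize",
    "scope": ["openid"],
}
FINAL_PROVIDER = dict(ORIGINAL_PROVIDER, redirectUri="https://thehive/index.html")


def build_authorize_url(provider, state=None):
    """Compose the authorize request; state defaults to a fresh unguessable value."""
    state = state or secrets.token_urlsafe(24)
    query = urlencode({
        "client_id": provider["clientId"],
        "redirect_uri": provider["redirectUri"],
        "response_type": provider["responseType"],
        "scope": " ".join(provider["scope"]),
        "state": state,
    })
    return f"{provider['authorizationUrl']}?{query}", state


def redirect_uri_authorized(uri, allowed=AUTHORIZED_REDIRECT_URLS):
    """Exact-match check against the registered list; non-https callbacks are refused."""
    if urlsplit(uri).scheme != "https":
        return False
    return uri in allowed


def check_provider(provider, allowed=AUTHORIZED_REDIRECT_URLS):
    """Build the request, read the parameters back out of it, and verify them."""
    url, state = build_authorize_url(provider)
    q = parse_qs(urlsplit(url).query)
    redirect_uri = q["redirect_uri"][0]
    return {
        "authorize_url": url,
        "redirect_uri": redirect_uri,
        "authorized": redirect_uri_authorized(redirect_uri, allowed),
        "state_roundtrips": q["state"][0] == state,
    }


if __name__ == "__main__":
    for label, provider in (("original", ORIGINAL_PROVIDER), ("final", FINAL_PROVIDER)):
        r = check_provider(provider)
        status = "registered" if r["authorized"] else "NOT in authorizedRedirectURLs as posted"
        print(f"{label}: redirect_uri={r['redirect_uri']} -> {status}")
```

The exact-match rule is deliberate: a case change (`/api/ssologin`), a different scheme, or a trailing path segment is a different URL, and the callback the IdP sends the code to should be exactly one of the values the operator registered.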
