[Bug] Oauth2 on TH4 #1284

Closed
torsolaso opened this issue Apr 13, 2020 · 6 comments
Labels
bug TheHive4 TheHive4 related issues

Comments

@torsolaso

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu
OS version (client) 10
TheHive version / git hash 4.0-RC1

Problem Description

While testing OAuth2 on TH4 I got a "notfounderror" from the ScalliGraph endpoint. Is this endpoint disabled?


Looking for information, I found 4 new variables in the documentation versus other related issues (https://github.com/TheHive-Project/TheHiveDocs/blob/4f8095184a0a99d26279e67e5db15f0de70d8662/TheHive4/Administration/Authentication.md):

  • userIdField (string) the field that contains the id of the user in user info
  • userOrganisationField (string)
  • defaultOrganisation (string)
  • authorizationHeader (string)

Are these mandatory?

Steps to Reproduce

  1. Configure auth and sso in application.conf
  2. Try to log in with OAuth2

Related issues

#430
#946
#354
#1010

https://github.com/TheHive-Project/TheHiveDocs/blob/050399d1fadeeb070634d6c6ca35cdd96d3f2a71/admin/configuration.md
https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/configuration.md#32-oauth2openid-connect

torsolaso added the labels TheHive4 (TheHive4 related issues) and bug on Apr 13, 2020
@torsolaso
Author

torsolaso commented Apr 13, 2020

I checked this endpoint between two TH instances (TH3.4 and TH4.0) and I got the same error:


I found information on this line (https://github.com/TheHive-Project/ScalliGraph/blob/198bd5cb71f776f2cde96ca168b2d8ce31d1ffe7/core/src/main/scala/org/thp/scalligraph/auth/OAuth2Srv.scala#L57)


Two new vars are mandatory.

@torsolaso
Author

Current configuration is below:

auth {

  provider = [local, oauth2]

  oauth2 {
    # Client credentials registered with the authorization server
    clientId = "value"
    clientSecret = "value"
    redirectUri = "https://Thehive/index.html"
    responseType = "code"
    grantType = "authorization_code"

    # URL of the authorization server, and URL from where to get the access token
    authorizationUrl = "domain/oauth2/v2.0/authorize"
    tokenUrl = "domain/oauth2/v2.0/Token"

    # The endpoint from which to obtain user details using the OAuth token, after successful login
    userUrl = "domain/api/User"
    scope = "openid profile"
  }

  # Single-Sign On
  sso {
    # Autocreate user in database?
    autocreate = true

    # Autoupdate its profile and roles?
    autoupdate = true

    # Autologin user using SSO?
    autologin = true
    # Attributes mappings
    attributes {
      login = "sub"
      name = "name"
      groups = "groups"
      #roles = "roles"
    }

    # Name of mapping class from user resource to backend user ('simple' or 'group')
    mapper = group
    # Default roles for users with no groups mapped ("read", "write", "admin")
    defaultRoles = []

    groups {
      # URL to retrieve groups (leave empty if you are using OIDC)
      url = "https://domain/api/Groups"
      # Group mappings, you can have multiple roles for each group: they are merged
      mappings {
        admin-profile-name = ["admin"]
        editor-profile-name = ["write"]
        reader-profile-name = ["read"]
      }
    }
  }
}

@torsolaso
Author

I saw this #1110 and this #1228.

I think these are the same problems because I am able to get the OAuth2 code and land on the redirect_uri, but TH doesn't let me log in.

I will re-test this functionality when the new version is released, continuing some QA tests.

@jochbru

jochbru commented Apr 22, 2020

#1110 This breaks integration with implementations.

The request redirect URI is:
https://hive.foo.com/index.html#!/login
URIs are then reconstructed to the following by Keycloak:
https://hive.foo.com/index.html?session_state=state&code=code#!/login
TheHive expects:
https://hive.foo.com/index.html#!/login?session_state=state&code=code

This order of components is non-standard:
https://tools.ietf.org/html/rfc3986#section-3

I'm uncertain how to resolve this, other than reverting to version 3.4.0.

@torsolaso
Author

Good news. Thanks to @To-om. On TheHive 3.4.1 the same configuration is working properly.

@1earch

1earch commented Apr 27, 2020

Hello,

I think two problems are addressed here:

  • @torsolaso is indicating that the documentation was updated with last OIDC config parameter, but their support was only added in 3.4.1
  • @TheChef23 is noting a non standard components order in the URI

To answer @TheChef23:
I made this change in order to be able to remove the code parameter from the URI, without reloading the entire AngularJS frontend app. This is not standard, indeed. However, please note that this change was mentioned in the PR (#1112).

If @To-om wants, I can go back to standard and perform a:

$window.location.href = "index.html"

on L21 of AuthenticationCtrl.js, but this will refresh the page.
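Both callback shapes quoted by @jochbru above, handled by one parser: an added example in plain JavaScript, not code from TheHive's AuthenticationCtrl.js or from ScalliGraph. It accepts the RFC 3986 order (query before fragment, as Keycloak emits it) and the fragment-embedded order TheHive 4.0-RC1 expects, then strips the one-time code from wherever it was so it is not left in the address bar or browser history. The function name, the `state` parameter and the sample URLs are assumptions for this example.

```javascript
// Added example (not TheHive/ScalliGraph code). Uses Node's global
// URL/URLSearchParams, so it runs outside a browser as well.

// Parameters an authorization-code callback may carry (assumption: the
// thread shows code and session_state; state is the standard OAuth2 one).
const AUTH_PARAMS = ["code", "session_state", "state"];

function extractAuthParams(href) {
  const url = new URL(href);
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : "";

  // Split the fragment into the AngularJS route ("!/login") and the
  // pseudo-query that the non-standard order appends after it.
  const qIdx = fragment.indexOf("?");
  const route = qIdx === -1 ? fragment : fragment.slice(0, qIdx);
  const fragParams = new URLSearchParams(qIdx === -1 ? "" : fragment.slice(qIdx + 1));

  // Standard order: parameters live in the real query string.
  const queryParams = url.searchParams;

  const params = {};
  for (const name of AUTH_PARAMS) {
    const v = queryParams.get(name) ?? fragParams.get(name);
    if (v !== null) params[name] = v;
  }
  const source = queryParams.has("code") ? "query"
               : fragParams.has("code") ? "fragment" : null;

  // Drop the authorization code (and friends) from both locations so the
  // URL kept by the app no longer carries a replayable one-time value.
  for (const p of [queryParams, fragParams]) {
    for (const name of AUTH_PARAMS) p.delete(name);
  }
  const query = queryParams.toString();
  const fragRest = fragParams.toString();
  url.search = query ? `?${query}` : "";
  url.hash = route || fragRest ? `#${route}${fragRest ? `?${fragRest}` : ""}` : "";

  return { params, source, cleanHref: url.href };
}

module.exports = { extractAuthParams, AUTH_PARAMS };
```

In a browser the returned `cleanHref` is what you would hand to `history.replaceState`, which keeps the route without the page reload that `$window.location.href = "index.html"` causes.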
