[Bug] Can't auth with SSO/OAuth with FusionAuth #1342

Closed
shortstack opened this issue May 18, 2020 · 13 comments
@shortstack

Can't auth with SSO/OAuth with FusionAuth

Request Type

Bug

Work Environment

OS version (server): Ubuntu 16
OS version (client): Ubuntu 16
TheHive version: 3.2.4-1
Package Type: DEB
Browser type & version: Chrome/FF
FusionAuth Version: 1.15.8

Problem Description

Authenticating with OIDC via FusionAuth sends me to the following URL, provides the code, and says authenticated:
https://hive_url/index.html?code=$thecode&locale=en_US&userState=Authenticated#!/login

But I'm always sent back to the Hive login screen, where I auth with my identity provider credentials (click the login with SSO button), and I get:

2020-05-05 03:06:44,062 [DEBUG] from org.elastic4play.services.auth.MultiAuthSrv in application-akka.actor.default-dispatcher-5 - key AuthenticationError SSO authentication is not supported
2020-05-05 03:06:44,062 [DEBUG] from org.elastic4play.services.auth.MultiAuthSrv in application-akka.actor.default-dispatcher-5 - local AuthenticationError SSO authentication is not supported
2020-05-05 03:06:44,063 [DEBUG] from org.elastic4play.services.auth.MultiAuthSrv in application-akka.actor.default-dispatcher-5 - oauth2 OAuth2Redirect https://$oauth_endpoint/oauth2/authorize
2020-05-05 03:06:44,335 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-18 - Authentication failure:
	session: AuthenticationError User session not found
	pki: AuthenticationError Certificate authentication is not configured
	key: AuthenticationError Authentication header not found
	init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-05-05 03:06:44,336 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-18 - GET /api/list/ui_settings returned 401
org.elastic4play.AuthenticationError: Authentication failure
	at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
2020-05-05 03:06:44,336 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-4 - Authentication failure:
	session: AuthenticationError User session not found
	pki: AuthenticationError Certificate authentication is not configured
	key: AuthenticationError Authentication header not found
	init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-05-05 03:06:44,337 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-4 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
	at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

If I enable autologin in the config, I get sent into an infinite loop of authing and sending me to the login page.

I've tried redirect URIs for index.html, with and without the #!/login.

Config:

auth {

  provider = [local,oauth2]

  oauth2 {
    clientId = "REDACTED"
    clientSecret = "REDACTED"
    redirectUri = "https://$hive_url/index.html"
    responseType = "code"
    grantType = "authorization_code"
    authorizationUrl = "https://$oauth_endpoint/oauth2/authorize"
    tokenUrl = "https://$oauth_endpoint/oauth2/token"
    userUrl = "https://$oauth_endpoint/oauth2/userinfo"
    scope = "openid"
  }

   sso {
        mapper = groups
        autocreate = true
        autoupdate = true
        defaultRoles = ["read","write"]
        autologin = true
        attributes {
            login = "username"
            name = "username"
            groups = "groups"
            #roles = "roles"
        }
        defaultRoles = ["read","write"]
        groups.mappings {
            analyst = ["read", "write"]
            admin = ["read", "write", "admin"]
        }
    }
}

Steps to Reproduce

  1. Configure SSO/OAuth in application.conf
  2. Log in with IDP / click login with SSO
  3. Get code successfully from FusionAuth and userState=Authenticated in URL
  4. User session not found in Hive logs and unable to log in

Complementary information

FusionAuth/fusionauth-issues#620

#946

@nadouani
Contributor

Hello @shortstack I've checked that fusionauth works fine with TheHive 4.

I still need to check that with TheHive 3 (it's not the exact same configuration since oauth2 implementation has been rewritten in TheHive 4)

I'll let you know

@shortstack
Author

@nadouani working on this now, but it seems that the user has to already exist in the Hive? vs FusionAuth adding the user upon successful auth? Could you possibly send your working auth configuration for Hive 4? Thank you!

@shortstack
Author

Current configuration with FusionAuth is throwing 401 Unauthorized:

    {name: oauth2,
        clientId: "REDACTED",
        clientSecret: "REDACTED",
        redirectUri: "https://REDACTED/index.html#login",
        responseType: "code",
        grantType: "authorization_code",
        authorizationUrl: "https://REDACTED/oauth2/authorize",
        tokenUrl: "https://REDACTED/oauth2/token",
        userUrl: "https://REDACTED/oauth2/userinfo",
        scope: ["openid"],
        userIdField: "email",
        defaultOrganisation: "REDACTED",
        authorizationHeader: "bearer"
    }

2020-05-28 19:34:58,298 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-14 - 10.30.0.222 GET /index.html took 3ms and returned 200 1191 bytes
2020-05-28 19:34:58,440 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-12 - 10.30.0.222 GET /styles/vendor.7dd02a27.css took 3ms and returned 200 279814 bytes
2020-05-28 19:34:58,442 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /styles/app.305da315.css took 1ms and returned 200 122092 bytes
2020-05-28 19:34:58,446 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /scripts/scripts.b3a0b16f.js took 1ms and returned 200 605721 bytes
2020-05-28 19:34:58,446 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-13 - 10.30.0.222 GET /scripts/vendor.29b36f82.js took 1ms and returned 200 2036467 bytes
2020-05-28 19:34:58,624 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /fonts/SourceSansPro-Regular.otf took 2ms and returned 200 229588 bytes
2020-05-28 19:34:59,203 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 - 10.30.0.222 GET /api/status took 3ms and returned 200 402 bytes
2020-05-28 19:34:59,308 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /fonts/glyphicons-halflings-regular.woff2 took 2ms and returned 200 18028 bytes
2020-05-28 19:34:59,317 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 GET /images/logo.svg took 1ms and returned 200 2024 bytes
2020-05-28 19:34:59,340 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 GET /fonts/SourceSansPro-Light.otf took 3ms and returned 200 226032 bytes
2020-05-28 19:35:08,312 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-5 - Found SSO request
2020-05-28 19:35:08,312 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-5 - Code or state is not provided, redirect to authorizationUrl
2020-05-28 19:35:08,313 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-5 - Redirecting to https://REDACTED/index.html with Map(state -> List(ade255d8-a5f1-4c6f-a453-64a8102a8cd0), scope -> List(openid), redirect_uri -> List(https://REDACTED/index.html), client_id -> List(REDACTED), response_type -> List(code)) and state ade255d8-a5f1-4c6f-a453-64a8102a8cd0
2020-05-28 19:35:08,313 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 POST /api/ssoLogin took 4ms and returned 302 0 bytes
2020-05-28 19:35:08,454 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /index.html took 2ms and returned 200 1191 bytes
2020-05-28 19:35:08,540 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /styles/app.305da315.css took 2ms and returned 200 122092 bytes
2020-05-28 19:35:08,541 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 - 10.30.0.222 GET /scripts/vendor.29b36f82.js took 1ms and returned 200 2036467 bytes
2020-05-28 19:35:08,544 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-12 - 10.30.0.222 GET /scripts/scripts.b3a0b16f.js took 1ms and returned 200 605721 bytes
2020-05-28 19:35:08,546 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 GET /styles/vendor.7dd02a27.css took 1ms and returned 200 279814 bytes
2020-05-28 19:35:08,709 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /fonts/SourceSansPro-Regular.otf took 2ms and returned 200 229588 bytes
2020-05-28 19:35:09,225 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /api/status took 3ms and returned 200 402 bytes
2020-05-28 19:35:09,227 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-12 - GET /api/list/ui_settings returned 401: Authentication failure
2020-05-28 19:35:09,228 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-13 - GET /api/v1/user/current returned 401: Authentication failure
2020-05-28 19:35:09,301 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /api/status took 2ms and returned 200 402 bytes

nadouani added this to the 3.5.0-RC1 milestone May 29, 2020

@jimbobnet
Contributor

Looks to be working up until where TH is presenting the identity token to the OIC endpoints.
Just on the off chance, try capitalising the b of Bearer
authorizationHeader: "Bearer"

Think I had that problem once.

@shortstack
Author

@jimbobnet I tried that :( same 401, thank you though!

@shortstack
Author

@nadouani working on this now, but it seems that the user has to already exist in the Hive? vs FusionAuth adding the user upon successful auth? Could you possibly send your working auth configuration for Hive 4? Thank you!

Any thoughts, @nadouani? Or could I see your config to compare? And does the user have to exist prior to authing, or can it create that user upon successful auth with FusionAuth?

Thank you!

@shortstack
Author

Bump :( stuck getting this to auth with FusionAuth, receiving a 401

@shortstack
Author

Tracking here as well: FusionAuth/fusionauth-issues#708

Stuck at the moment.

@robotdan

This is marked as a bug, is that confirmed or is there anything we can do to help on the FusionAuth end of things?

@shortstack
Author

@robotdan I'm really not sure where the problem lies, to be honest. I am not a developer for either of these products.

@nadouani says he had TheHive 4 working properly with FusionAuth, but this was with them both running on the same system / locally.

We absolutely need SSO to work between these platforms in order to continue :(

@robotdan

robotdan commented Jun 29, 2020

I don't know that I was able to recreate your exact results, but with the following configuration I see this in the JavaScript console when I click on "Sign in with SSO".

Hive 3.4.0-1

auth {
  provider = [local,oauth2]

  oauth2 {
    clientId = "bed50ce7-98f2-4562-90d0-852ab29c67b4"
    clientSecret = "My Super Secret Client Secret"
    redirectUri = "http://10.60.6.107:9000/index.html#login"
    responseType = "code"
    grantType = "authorization_code"
    authorizationUrl = "http://localhost:9011/oauth2/authorize"
    tokenUrl = "http://localhost:9011/oauth2/token"
    userUrl = "http://localhost:9011/oauth2/userinfo"
    scope = "openid"
  }

   sso {
        mapper = groups
        autocreate = true
        autoupdate = true
        autologin = false
        attributes {
            login = "sub"
            name = "username"
            groups = "roles"
        }
        defaultRoles = ["read","write"]
        groups.mappings {
            analyst = ["read", "write"]
            admin = ["read", "write", "admin"]
        }
    }
}


vendor.52cb873c.js:1 Possibly unhandled rejection: {"data":{"type":"AuthenticationError","message":"Authentication failure"},"status":401,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"./api/list/ui_settings","headers":{"Accept":"application/json, text/plain, */*","X-THE-HIVE-XSRF-TOKEN":"823163b8c580efb2bf9f63b29e29301d3a062bca-1593447758159-68b8123dd09fe4b16b80307c"}},"statusText":"Unauthorized","xhrStatus":"complete","resource":{}}

And this is in the Hive logs

2020-06-29 17:47:40,604 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Authentication failure:
	session: AuthenticationError User session not found
	pki: AuthenticationError Certificate authentication is not configured
	key: AuthenticationError Authentication header not found
	init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-06-29 17:47:40,605 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-17 - GET /api/list/ui_settings returned 401
org.elastic4play.AuthenticationError: Authentication failure
	at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
2020-06-29 17:47:40,609 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-2 - Authentication failure:
	session: AuthenticationError User session not found
	pki: AuthenticationError Certificate authentication is not configured
	key: AuthenticationError Authentication header not found
	init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-06-29 17:47:40,611 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-2 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
	at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

I can also confirm that the Token and Userinfo endpoints configured via the tokenUrl and userUrl values are never called. The redirect occurs after the Authorize request, and it appears some initial authentication occurs and fails before it attempts to exchange the auth code for a token using the Token endpoint.
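The first post shows the callback TheHive receives (`index.html?code=...&userState=Authenticated#!/login`) and the comment above notes that the token endpoint is never called afterwards. What a client has to verify at exactly that step, before exchanging the code, is shown below as an added example; it is not code from TheHive, scalligraph or FusionAuth, and it does not diagnose the 401 in this thread. The hostnames, client id and `abc123` code are constructed placeholders; the state value is the one TheHive 4 logged earlier in the thread and is used only for its shape. The checks are the ones RFC 6749 requires of any authorization-code client: the registered `redirect_uri` must carry no fragment (section 3.1.2), the callback must arrive on that registered URI, and `state` must be present and equal to the value sent in the authorize request (section 10.12).

```python
"""Authorization-code callback checks for an OAuth2/OIDC client such as TheHive.

Added example, not code from TheHive, scalligraph or FusionAuth. The URLs,
client id and code below are constructed placeholders shaped like the ones
quoted in the issue.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (placeholders, not the reporter's real endpoints).
AUTHORIZE_URL = "https://idp.example/oauth2/authorize"
CLIENT_ID = "client-id-placeholder"
# Same shape as the state value TheHive 4 logged in the thread.
EXPECTED_STATE = "ade255d8-a5f1-4c6f-a453-64a8102a8cd0"

# The two redirect URIs discussed in the thread: one with a fragment, one without.
REDIRECT_URI_WITH_FRAGMENT = "https://hive.example/index.html#login"
REDIRECT_URI_CLEAN = "https://hive.example/index.html"

# Callback shaped like the first post: code in the query, SPA route in the fragment.
CALLBACK_URL = ("https://hive.example/index.html"
                "?code=abc123&locale=en_US&userState=Authenticated#!/login")


def build_authorization_request(redirect_uri, state, scope="openid"):
    """Build the authorize URL a client sends (same parameter set as the OAuth2Srv log line)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(url):
    """Return code/state from the callback query; the fragment never reaches a server."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "code": query.get("code", [None])[0],
        "state": query.get("state", [None])[0],
        "fragment": parts.fragment,
    }


def check_redirect_uri(configured_redirect_uri, callback_url):
    """List registration problems a client should catch before exchanging the code."""
    problems = []
    cfg = urlsplit(configured_redirect_uri)
    cb = urlsplit(callback_url)
    if cfg.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI MUST NOT include a fragment.
        problems.append("configured redirect_uri carries a fragment")
    if (cfg.scheme, cfg.netloc, cfg.path) != (cb.scheme, cb.netloc, cb.path):
        problems.append("callback arrived on a different scheme/host/path than redirect_uri")
    if cfg.scheme != "https":
        problems.append("redirect_uri is not https")
    return problems


def validate_callback(callback_url, configured_redirect_uri, expected_state):
    """Decide whether the code in the callback may be exchanged at the token endpoint.

    Returns (ok, reasons). A missing or mismatched state is rejected because state is
    the client's CSRF binding between the authorize request and the callback
    (RFC 6749 section 10.12).
    """
    reasons = check_redirect_uri(configured_redirect_uri, callback_url)
    cb = parse_callback(callback_url)
    if cb["code"] is None:
        reasons.append("no authorization code in the callback query")
    if cb["state"] is None:
        reasons.append("no state in the callback query")
    elif cb["state"] != expected_state:
        reasons.append("state does not match the value sent in the authorize request")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(build_authorization_request(REDIRECT_URI_CLEAN, EXPECTED_STATE))
    for uri in (REDIRECT_URI_WITH_FRAGMENT, REDIRECT_URI_CLEAN):
        ok, why = validate_callback(CALLBACK_URL, uri, EXPECTED_STATE)
        print(uri, "->", "exchange code" if ok else why)
    # A callback that also echoes the state passes and the code may be exchanged.
    good = CALLBACK_URL.replace("&userState=", f"&state={EXPECTED_STATE}&userState=")
    print(validate_callback(good, REDIRECT_URI_CLEAN, EXPECTED_STATE))
```

Run it as a script to see the three outcomes: the fragment-bearing `redirectUri` is rejected on registration grounds, the clean one is rejected only because the sample callback carries no `state`, and a callback that echoes the state is accepted. The `#login`/`#!/login` part is a client-side route and never reaches the server, which is why `parse_callback` reads only the query string.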

@shortstack
Author

shortstack commented Jun 29, 2020

Glad I'm not alone!

Unfortunately, we're aiming for TheHive 4 (not v3; we've mostly abandoned that in the interest of getting SSO working) for all of this :( FusionAuth/fusionauth-issues#708

Which is likely why you had different results.

@robotdan

Thank you! I just re-read your initial v3 issue and my results match up to yours. FusionAuth/fusionauth-issues#620 My mistake.

I'll see if I can put together a v4 instance and attempt your recreate.
