
Incorrect scopes persisted during manual registration of OIDC client #1282

Closed
ossdhaval opened this issue May 4, 2022 · 12 comments
Labels: comp-jans-auth-server, comp-jans-cli-tui, comp-jans-config-api (component affected by issue or PR); effort-3 (relative effort required); kind-bug (bug in existing functionality); priority-3 (relevant to core functions, but does not impede progress; important, but not urgent)

Comments

@ossdhaval
Contributor

Describe the bug
During manual registration of OIDC client through jans-cli, the scopes that are persisted in MySQL table are not in Dn format.
What is stored : {"v": ["email", "openid", "profile"]}
What should be stored : {"v": ["inum=C4F7,ou=scopes,o=jans", "inum=C4F6,ou=scopes,o=jans", ...]}

To Reproduce
Steps to reproduce the behavior:

  1. Use config-cli on janssen server
  2. Select option for open id connect clients ( option 16)
  3. Then select option for registering new client
  4. Provide all inputs as mentioned below:
displayName: <name-of-choice>
application Type: web
includeClaimsInIdToken  [false]: 
Populate optional fields? y
clientSecret: <secret-of-your-choice>
subjectType: public
tokenEndpointAuthMethod: client_secret_basic
redirectUris: https://test.apache.rp.io/callback
scopes: email,openid,profile
responseTypes: code
grantTypes: authorization_code

check the schema JSON that is being used for client registration, mine was

{
  "dn": null,
  "inum": null,
  "displayName": "myrp",
  "clientSecret": "mysecretpw",
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": null,
  "registrationAccessToken": null,
  "clientIdIssuedAt": null,
  "clientSecretExpiresAt": null,
  "redirectUris": [
    "https://test.apache.rp.io/callback"
  ],
  "claimRedirectUris": null,
  "responseTypes": [
    "code"
  ],
  "grantTypes": [
    "authorization_code"
  ],
  "applicationType": "web",
  "contacts": null,
  "clientName": null,
  "idTokenTokenBindingCnf": null,
  "logoUri": null,
  "clientUri": null,
  "policyUri": null,
  "tosUri": null,
  "jwksUri": null,
  "jwks": null,
  "sectorIdentifierUri": null,
  "subjectType": "public",
  "idTokenSignedResponseAlg": null,
  "idTokenEncryptedResponseAlg": null,
  "idTokenEncryptedResponseEnc": null,
  "userInfoSignedResponseAlg": null,
  "userInfoEncryptedResponseAlg": null,
  "userInfoEncryptedResponseEnc": null,
  "requestObjectSigningAlg": null,
  "requestObjectEncryptionAlg": null,
  "requestObjectEncryptionEnc": null,
  "tokenEndpointAuthMethod": "client_secret_basic",
  "tokenEndpointAuthSigningAlg": null,
  "defaultMaxAge": null,
  "requireAuthTime": null,
  "defaultAcrValues": null,
  "initiateLoginUri": null,
  "postLogoutRedirectUris": null,
  "requestUris": null,
  "scopes": [
    "email",
    "openid",
    "profile"
  ],
  "claims": null,
  "trustedClient": false,
  "lastAccessTime": null,
  "lastLogonTime": null,
  "persistClientAuthorizations": null,
  "includeClaimsInIdToken": false,
  "refreshTokenLifetime": null,
  "accessTokenLifetime": null,
  "customAttributes": null,
  "customObjectClasses": null,
  "rptAsJwt": null,
  "accessTokenAsJwt": null,
  "accessTokenSigningAlg": null,
  "disabled": false,
  "authorizedOrigins": null,
  "softwareId": null,
  "softwareVersion": null,
  "softwareStatement": null,
  "attributes": null,
  "backchannelTokenDeliveryMode": null,
  "backchannelClientNotificationEndpoint": null,
  "backchannelAuthenticationRequestSigningAlg": null,
  "backchannelUserCodeParameter": null,
  "expirationDate": null,
  "deletable": false,
  "jansId": null,
  "description": null
}

As shown above, the scopes are not sent in Dn format but rather in simple format.

  5. Go ahead and let CLI create client by typing y on prompt.
  6. Client registration is successful and JSON response is received back, as below:
{
  "dn": "inum=68281b57-f108-4fec-9ebe-e51f42b6808c,ou=clients,o=jans",
  "inum": "68281b57-f108-4fec-9ebe-e51f42b6808c",
  "displayName": "myrp",
  "clientSecret": "mysecretpw",
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": false,
  "registrationAccessToken": null,
  "clientIdIssuedAt": null,
  "clientSecretExpiresAt": null,
  "redirectUris": [
    "https://test.apache.rp.io/callback"
  ],
  "claimRedirectUris": null,
  "responseTypes": [
    "code"
  ],
  "grantTypes": [
    "authorization_code"
  ],
  "applicationType": "web",
  "contacts": null,
  "clientName": "myrp",
  "idTokenTokenBindingCnf": null,
  "logoUri": null,
  "clientUri": null,
  "policyUri": null,
  "tosUri": null,
  "jwksUri": null,
  "jwks": null,
  "sectorIdentifierUri": null,
  "subjectType": "public",
  "idTokenSignedResponseAlg": null,
  "idTokenEncryptedResponseAlg": null,
  "idTokenEncryptedResponseEnc": null,
  "userInfoSignedResponseAlg": null,
  "userInfoEncryptedResponseAlg": null,
  "userInfoEncryptedResponseEnc": null,
  "requestObjectSigningAlg": null,
  "requestObjectEncryptionAlg": null,
  "requestObjectEncryptionEnc": null,
  "tokenEndpointAuthMethod": "client_secret_basic",
  "tokenEndpointAuthSigningAlg": null,
  "defaultMaxAge": null,
  "requireAuthTime": false,
  "defaultAcrValues": null,
  "initiateLoginUri": null,
  "postLogoutRedirectUris": null,
  "requestUris": null,
  "scopes": [
    "email",
    "openid",
    "profile"
  ],
  "claims": null,
  "trustedClient": false,
  "lastAccessTime": null,
  "lastLogonTime": null,
  "persistClientAuthorizations": false,
  "includeClaimsInIdToken": false,
  "refreshTokenLifetime": null,
  "accessTokenLifetime": null,
  "customAttributes": [],
  "customObjectClasses": null,
  "rptAsJwt": false,
  "accessTokenAsJwt": false,
  "accessTokenSigningAlg": null,
  "disabled": false,
  "authorizedOrigins": null,
  "softwareId": null,
  "softwareVersion": null,
  "softwareStatement": null,
  "attributes": {
    "tlsClientAuthSubjectDn": null,
    "runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims": false,
    "keepClientAuthorizationAfterExpiration": false,
    "allowSpontaneousScopes": false,
    "spontaneousScopes": null,
    "spontaneousScopeScriptDns": null,
    "backchannelLogoutUri": null,
    "backchannelLogoutSessionRequired": false,
    "additionalAudience": null,
    "postAuthnScripts": null,
    "consentGatheringScripts": null,
    "introspectionScripts": null,
    "rptClaimsScripts": null
  },
  "backchannelTokenDeliveryMode": null,
  "backchannelClientNotificationEndpoint": null,
  "backchannelAuthenticationRequestSigningAlg": null,
  "backchannelUserCodeParameter": null,
  "expirationDate": null,
  "deletable": false,
  "jansId": null,
  "description": null
}
  7. Now if you try to use this client for authentication for any user, it doesn't work. jans-auth.log has this error:
(ClientService.java:140) - Found 1 entries for client id = 68281b57-f108-4fec-9ebe-e51f42b6808c
2022-05-02 11:42:00,458 TRACE [qtp982757413-17] 98ae84c5-b630-4282-b31c-461482dfd44b [io.jans.as.server.service.ScopeService] (ScopeService.java:144) - Failed to find entry: 'email'
io.jans.orm.exception.EntryPersistenceException: Failed to find entry: 'email'
  8. Upon checking the MySQL table using the following query, it shows that scopes are not in Dn format.
SELECT jansScope FROM jansdb.jansClnt where doc_id = "68281b57-f108-4fec-9ebe-e51f42b6808c";

Expected behavior

  • Scopes should be persisted in Dn format
  • If config-api expects Dn formatted input from jans-cli then Swagger doc needs to be fixed as it is currently showing simple format
  • Need to understand why jans-auth.log logs this issue as TRACE and not as ERROR. This creates a hidden failure which is not logged at all unless log level is changed to TRACE.

Screenshots
config-api swagger showing scopes accepted in non-Dn format [screenshot]

Desktop (please complete the following information):

  • janssen installed on a VM with MySql backend
@ossdhaval ossdhaval added kind-bug Issue or PR is a bug in existing functionality comp-jans-auth-server Component affected by issue or PR comp-jans-cli-tui Component affected by issue or PR comp-jans-config-api Component affected by issue or PR effort-3 Relative effort required for completion of issue or PR priority-3 Issue or PR is relevant to core functions, but does not impede progress. Important, but not urgent labels May 4, 2022
@devrimyatar
Contributor

This is not an issue. User should enter scopes in dn format. See below.

vokoscreenNG-2022-05-04_13-16-29.mp4

@pujavs
Contributor

pujavs commented May 4, 2022

At present config-api acts as a pass-through and hence expects the scopes as dn; it takes the scopes and saves them as is.
example:
["inum=C4F7,ou=scopes,o=jans", "inum=C4F6,ou=scopes,o=jans", ...]
and not
["email", "openid", "profile"]

Checking with Yuriy regarding the expected behaviour "Scopes should be persisted in Dn format".

@ossdhaval
Contributor Author

ossdhaval commented May 4, 2022

Adding @yuriyz as Puja mentioned above.

Having users add inum=C4F7,ou=scopes,o=jans for scope email, for example, is not user-friendly, because every time the user has to look up the correct Dn for the scope. I understand that adding a new client will not be a frequent operation, but we also use the same Dn-based values when we get info about a client.

Agreed that CLI may not be able to translate email to inum=C4F7,ou=scopes,o=jans on its own. But can't we have config-api do this translation?

@ossdhaval
Contributor Author

@yurem for comments on above.

@yuriyz
Contributor

yuriyz commented May 4, 2022

Yes, I agree. We just discussed it with @pujavs .

config-api can check whether scope is in DN format :

  1. if yes -> pass it forward as it does it already
  2. if no -> look up scope by name against db. If scope is found -> use it. If not found -> error.

@pujavs
Contributor

pujavs commented May 4, 2022

thanks @yuriyz for your inputs, working on it

@pujavs
Contributor

pujavs commented May 5, 2022

Implemented check as suggested by @yuriyz as follows:

config-api can check whether scope is in DN format:

  • if DN format yes -> pass it forward as it does it already
  • if not in DN format -> look up scope by name against db. If scope is found -> use it. If not found -> error.

Testing:

Case#1: Valid scopes: if the scope is provided in DN format it is accepted as is, else the DN is fetched from the DB.

Case#2: Invalid scope name: will throw an exception with details of the invalid scope.
Example: "Invalid scope in request -> [abc, xyz]"

Case#3: Invalid DN: will throw an exception with details of the invalid scope.
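
A worked sketch of the check yuriyz proposed and pujavs implemented above, added here as an example and not code from jans-config-api: it passes existing scope DNs through as is, resolves plain scope names to their DN, and rejects everything else (unknown names as well as well-formed but unknown DNs) before anything is persisted, so a client can never be saved with a scope value jans-auth cannot resolve. The scope table and the inums other than C4F7 (email, from this thread) are constructed, and the DN pattern is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the ou=scopes entries in the Janssen database.
# Maps scope DN -> scope name (the id a CLI user types). C4F7 = email is
# taken from this thread; the other inums are illustrative, not real ones.
SCOPE_TABLE: Dict[str, str] = {
    "inum=C4F7,ou=scopes,o=jans": "email",
    "inum=C4F6,ou=scopes,o=jans": "openid",
    "inum=C4F8,ou=scopes,o=jans": "profile",
}

# Assumed shape of a Janssen scope DN: inum=<id>,ou=scopes,o=jans
SCOPE_DN_RE = re.compile(r"^inum=[^,]+,ou=scopes,o=jans$")


class InvalidScopeError(ValueError):
    """Raised when a requested scope is neither a known DN nor a known name."""


def is_scope_dn(value: str) -> bool:
    """True if the value has DN syntax (existence is checked separately)."""
    return SCOPE_DN_RE.match(value) is not None


def check_scopes(requested: List[str],
                 table: Dict[str, str] = SCOPE_TABLE) -> Tuple[List[str], List[str]]:
    """Classify each requested scope into (resolved_dns, invalid_values).

    DNs are kept only if they exist in the table; plain names are replaced
    by their DN; anything else is collected as invalid so it is never stored.
    """
    name_to_dn = {name: dn for dn, name in table.items()}
    resolved: List[str] = []
    invalid: List[str] = []
    for scope in requested:
        if is_scope_dn(scope):
            (resolved if scope in table else invalid).append(scope)
        elif scope in name_to_dn:
            resolved.append(name_to_dn[scope])
        else:
            invalid.append(scope)
    return resolved, invalid


def resolve_scopes(requested: List[str],
                   table: Dict[str, str] = SCOPE_TABLE) -> List[str]:
    """Return the DN list to persist, or raise listing every bad value."""
    resolved, invalid = check_scopes(requested, table)
    if invalid:
        raise InvalidScopeError(f"Invalid scope in request -> [{', '.join(invalid)}]")
    return resolved
```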

@pujavs
Contributor

pujavs commented May 5, 2022

Related PR 1293

@pujavs
Contributor

pujavs commented May 5, 2022

@ossdhaval, change has been merged, request you to please verify

@ossdhaval
Contributor Author

Thanks @pujavs
I'll validate this from jans-cli. Does jans-cli need any changes to accommodate this? @mbaser

@devrimyatar
Contributor

There is no need for any change in CLI.
@pujavs I am getting an error [screenshot]

@devrimyatar
Contributor

When we use the id of a scope, config-api registers its dn.

vokoscreenNG-2022-05-09_22-45-29.mp4

Closing the issue
