Kapua SSO after succesfull login fails to load homepage

[mteodor]

Hi ,
I have configured Kapua to work with Gluu openidconnect auth server.
It looks like the authentication goes well , however I'm not getting the homepage
I'm redirected to server login page and after successfully authentication redirection to sso/callback occurs
then Kapua exchanges authorization token with access token and there is message in the console log saying that login is successful however login page is presented again
these are the variables I'm passing to console

    image: kapua/kapua-console:${IMAGE_VERSION}
    ports:
      - 8080:8080
      - 8443:8443
    depends_on:
      - broker
      - db
      - es
      - events-broker
    environment:
      - KAPUA_DISABLE_SSL
      - KAPUA_CA
      - KAPUA_CRT
      - KAPUA_KEY
      - KAPUA_KEY_PASSWORD
      - KAPUA_KEYSTORE
      - KAPUA_KEYSTORE_PASSWORD
      - JAVA_OPTS=-Dcommons.db.schema.update=true 
               -Dcertificate.jwt.private.key=file:///var/opt/jetty/key.pk8
               -Dcertificate.jwt.certificate=file:///var/opt/jetty/cert.pem
               -Dsso.provider=generic
               -Dsso.openid.client.id=xxxxxxxxxxx
               -Dsso.openid.client.secret=XXXXXXXXXXXXXXXX
               -Dsso.site.home.uri=http://portal.solidsense.tk:8080
               -Dsso.openid.redirect.uri=http://portal.solidsense.tk:8080/sso/callback
               -Dsso.generic.openid.server.endpoint.auth=https://gluu-auth.tk/oxauth/restv1/authorize
               -Dsso.generic.openid.server.endpoint.token=https://gluu-auth.tk/oxauth/restv1/token
               -Dconsole.site.home.uri=http://portal.solidsense.tk:8080
               -Dconsole.sso.enabled=true
               -Dconsole.sso.openid.server.endpoint.auth=https://gluu-auth.tk/oxauth/restv1/authorize
               -Dconsole.sso.openid.server.endpoint.token=https://gluu-auth.tk/oxauth/restv1/token
               -Dconsole.sso.openid.client.id=xxxxxxxxxxxx
               -Djavax.net.ssl.trustStore=/resources/truststore.ks
               -Djavax.net.ssl.trustStorePassword=xxx
               -Dconsole.sso.openid.redirect.uri=sso/callback
               -Dauthentication.credential.jwt.issuer.allowed=https://gluu-auth.tk
               -Dauthentication.credential.jwt.audience.allowed=XXXXXXXXXXX

from the console log

20:55:29.545 [qtp913190639-14] INFO  o.e.k.a.c.c.s.GwtAuthorizationServiceImpl - >>> THIS IS INFO <<<
20:55:29.546 [qtp913190639-14] WARN  o.e.k.a.c.c.s.GwtAuthorizationServiceImpl - >>> THIS IS WARN <<<
20:55:29.546 [qtp913190639-14] INFO  o.e.k.s.a.s.AuthenticationServiceShiroImpl - Shiro global session timeout set to indefinite.
20:55:29.546 [qtp913190639-14] INFO  o.e.k.s.a.s.AuthenticationServiceShiroImpl - Shiro global session validator scheduler disabled.
20:55:30.102 [qtp913190639-14] INFO  eclipselink.logging.all - EclipseLink, version: Eclipse Persistence Services - 2.6.3.v20160428-59c81c5
20:55:30.236 [qtp913190639-14] INFO  eclipselink.logging.connection - /file:/var/opt/jetty/webapps/root/WEB-INF/lib/kapua-user-internal-1.1.0-SNAPSHOT.jar_kapua-user login successful
20:55:31.116 [qtp913190639-14] WARN  org.eclipse.kapua.KapuaException - Could not load Exception Messages Bundle for Locale en_US

[lorthirk]

Ok, I spent some time debugging SSO and I found a few issues. I'm going to list them here in the meanwhile.

• The org.eclipse.kapua:kapua-security-registration-simple must be added to che Console dependencies (in console/web/pom.xml) in order to automatically create the account and the related user in Kapua
• A few system properties must be set in Kapua (details in service/security/registration/simple/src/main/resources/kapua-security-registration-simple-setting.properties):
  -auto.registration.simple.rootAccount=kapua-sys
  -auto.registration.simple.maximumNumberOfChildUsers=1
  -auto.registration.simple.accountExpirationDate.days=30
• The SSO user must have an email set in the Identity Provider server, otherwise the creation would fail
• In SimpleRegistrationProcessor.java the password that is going to be created is not strong enough, so the registration will fail. I prepared a patch by adding a capital lettter, a symbol and a number but it should be probably a random password or something else.

  kapua/service/security/registration/simple/src/main/java/org/eclipse/kapua/security/registration/simple/SimpleRegistrationProcessor.java

  Line 319 in 0a6366c

  CredentialCreator credential = credentialFactory.newCreator(account.getId(), user.getId(), CredentialType.PASSWORD, baseName + "-password", CredentialStatus.ENABLED, null);

• I also had an issue where I couldn't login even after all these fixes, but after clicking on SSO Login I was able to get in. It only happened once, so I wasn't able to get a consistent test case.

Please test these changes and tell me if they're enough to have you automatically logged after the SSO.

[mteodor]

do you have your github branch with these changes?

[lorthirk]

Yes, you can find the branch here

[mteodor]

@lorthirk
I'm actually getting exception in JwtAuthenticatingRealm ( look below )
which is not being caught in GwtAuthorizationServiceImpl since it is not KapuaException and since there is no attempt to create account

and exception in JwtAuthenticatingRealm is UnkonwonAcccount

any

09:26:31.333 [qtp913190639-41] ERROR o.e.k.s.p.AbstractSingleSignOnService - JSON RESP:{"access_token":"eyJraWQiOiI0ODFhZTIyOS03N2Y0LTQ4ZTAtYjg5Ni03Y2QxNWY0NGI3OTMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2dsdXUtYXV0aC50a
yIsImF1ZCI6IkAhMURBOS5CQ0I0LjdCMzIuQjcyMSEwMDAxITAyMkYuNEVFRCEwMDA4ITU5QjAuOTkwRS4zMDUxLkNBNTQiLCJzY29wZSI6WyJvcGVuaWQiXSwiY2xpZW50X2lkIjoiQCExREE5LkJDQjQuN0IzMi5CNzIxITAwMDEhMDIyRi40RUVEITAwMDghNTlCMC45OTBFLjMwNTEuQ0E1NCIsInVzZXJuYW1lIjo
ibWlya28iLCJ0b2tlbl90eXBlIjoiYmVhcmVyIiwiZXhwIjoxNTU1NjY2MjkxLCJpYXQiOjE1NTU2NjU5OTEsInN1YiI6IlBxVGlsSkdQa2RLNG9MTUFoWEhFVGRzbjFCNFdVc3kzSDc0enZ6cjlyNkUifQ.DGs5AuEv5kTIVjwDEK9c9o4HrentFc_2W9Sl-cEtSj6KnYV-MLdO6vDFbVHfs8doxuPN02TJij8GWMVAy9
oAvaNszDYH6zD1xwxLVfa8WuGW20hX_A9CdfeEQvpNAywl-AabGLxqnXz1z31ySEdDZQQf2H-EvC-QpvPz5X8nvbOOPH-pfYjRLngxXMN7WGGjP7pCEvF-JvE45Iqc0vk9V9Lfomymi2ll4sNppyiQMYuuCD-BgGndTw6vXDCgwwXUsooEX51lDE0Rok9dPLWl4zYFADpSel5yoBbdVSpY0YnyMZv2OR2YN7QMDdOEYPu9
VNQ34cuP8lQFipSfUGRU7g","token_type":"bearer","expires_in":299,"refresh_token":"358cace7-780b-457d-88d9-03b288341834","id_token":"eyJraWQiOiI0ODFhZTIyOS03N2Y0LTQ4ZTAtYjg5Ni03Y2QxNWY0NGI3OTMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ
odHRwczovL2dsdXUtYXV0aC50ayIsImF1ZCI6IkAhMURBOS5CQ0I0LjdCMzIuQjcyMSEwMDAxITAyMkYuNEVFRCEwMDA4ITU5QjAuOTkwRS4zMDUxLkNBNTQiLCJleHAiOjE1NTU2Njk1OTEsImlhdCI6MTU1NTY2NTk5MSwiYXV0aF90aW1lIjoxNTU1NjY1OTkwLCJhdF9oYXNoIjoiZkhPd2M2blptTVdOc3pVZ0hXO
XppQSIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsInN1YiI6IlBxVGlsSkdQa2RLNG9MTUFoWEhFVGRzbjFCNFdVc3kzSDc0enZ6cjlyNkUifQ.NMAK_D2yv6hCuk4sWXbGeH7kzvz6Gp_9weTXOQQzW3uVOsoMx8WrYOALM11p5ZRnm4a35WygYdvNs-3SGxhIT1wncrwB6xE8P50S
xe8icPpR6vygSyeLUwtzdPqN_EzuHD4sJcPwUeA09i2NHs9ZmjSUIDkF93hfwqrf6d9WWWd0zd-e-fXa1IznjVn3NcN5N7QCNs53zgKo_SFv_HXAr64Bdo64aZ_gvZVSqElxdissYYO0al4gaMWUBJYaY9x8xm-yfrMpPIYdrlOYepAMpL2E4J0lpZ0XxbUmnLSYaUJu80dtYpPwPSkOLhKv26PbFSsYPvD5URk8xnTcAA
30Sw"}
09:26:31.333 [qtp913190639-41] ERROR o.e.k.a.c.c.s.SsoCallbackServlet - Home uri:http://portal.solidsense.tk:8080/console.jsp?gwt.codesvr=127.0.0.1:9997
09:27:05.433 [qtp913190639-43] INFO  o.e.k.a.c.c.s.GwtAuthorizationServiceImpl - >>> THIS IS INFO <<<
09:27:05.433 [qtp913190639-43] WARN  o.e.k.a.c.c.s.GwtAuthorizationServiceImpl - >>> THIS IS WARN <<<
09:27:05.434 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - realms used:userPassAuthenticatingRealm
09:27:05.434 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - realms used:kapuaAuthorizingRealm
09:27:05.434 [qtp913190639-43] INFO  o.e.k.s.a.s.AuthenticationServiceShiroImpl - Shiro global session timeout set to indefinite.
09:27:05.434 [qtp913190639-43] INFO  o.e.k.s.a.s.AuthenticationServiceShiroImpl - Shiro global session validator scheduler disabled.
09:27:05.506 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - shiro login:org.eclipse.kapua.service.authentication.shiro.JwtCredentialsImpl@6d4e89ab
09:27:05.506 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - JwtCredentialsImpl:
09:27:05.973 [qtp913190639-43] ERROR o.e.k.s.a.s.r.JwtAuthenticatingRealm - token claims:JWT Claims Set:{iss=https://gluu-auth.tk, aud=@!1DA9.BCB4.7B32.B721!0001!022F.4EED!0008!59B0.990E.3051.CA54, scope=[openid], client_id=@!1DA9.BCB4.7B
32.B721!0001!022F.4EED!0008!59B0.990E.3051.CA54, username=mirko, token_type=bearer, exp=1555666291, iat=1555665991, sub=PqTilJGPkdK4oLMAhXHETdsn1B4WUsy3H74zvzr9r6E}
09:27:06.356 [qtp913190639-43] INFO  eclipselink.logging.all - EclipseLink, version: Eclipse Persistence Services - 2.6.3.v20160428-59c81c5
09:27:06.483 [qtp913190639-43] INFO  eclipselink.logging.connection - /file:/var/opt/jetty/webapps/root/WEB-INF/lib/kapua-user-internal-1.1.0-SNAPSHOT.jar_kapua-user login successful
09:27:06.637 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - ShiroException: '139' 'org.eclipse.kapua.service.authentication.shiro.realm.JwtAuthenticatingRealm' 'doGetAuthenticationInfo' 
09:27:06.637 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - ShiroException: '568' 'org.apache.shiro.realm.AuthenticatingRealm' 'getAuthenticationInfo' 
09:27:06.637 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - ShiroException: '58' 'org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticator' 'doMultiRealmAuthentication' 
09:27:06.637 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - ShiroException: '269' 'org.apache.shiro.authc.pam.ModularRealmAuthenticator' 'doAuthenticate' 
09:27:06.637 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - ShiroException: '198' 'org.apache.shiro.authc.AbstractAuthenticator' 'authenticate' 
09:27:06.637 [qtp913190639-43] ERROR o.e.k.s.a.s.AuthenticationServiceShiroImpl - ShiroException: '106' 'org.apache.shiro.mgt.AuthenticatingSecurityManager' 'authenticate' 

[lorthirk]

Unfortunately this log isn't that helpful, since I can't understand exactly where it is failing and why. It looks (but again, I can't be 100% sure) that somehow the token that returns from the SSO server isn't correct anyway. I tested my fork against latest Keycloak and apart from setting up an user, a console client and the related audience I managed to get in with SSO. It would be great if you could provide some more details on your case.

[mteodor]

Thank you @lorthirk for your support
It looks to me that although successfully authenticated user is not created so when SsoCallbackServlet redirects to home page with access token appended GwtAuthorizationService fails to authorize request since it cannot find user.
I'll provide detailed log later.

[mteodor]

Also I'm getting lots of these in the logs all of sudden
This is from the clean code pulled from git right now
Do you know what is the cause for this?

15:15:52.986 [qtp913190639-13] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/services - Error: Not Found
15:15:52.988 [qtp913190639-16] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/nodes - Error: Not Found
15:15:53.125 [qtp913190639-16] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /apis/storage.k8s.io/v1beta1/csidrivers - Error: Not Found
15:15:53.307 [qtp913190639-13] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /apis/apps/v1/statefulsets - Error: Not Found
15:15:53.308 [qtp913190639-16] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/persistentvolumeclaims - Error: Not Found
15:15:53.309 [qtp913190639-13] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /apis/apps/v1/replicasets - Error: Not Found
15:15:53.324 [qtp913190639-15] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/services - Error: Not Found
15:15:53.527 [qtp913190639-13] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/nodes - Error: Not Found
15:15:53.559 [qtp913190639-10] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/services - Error: Not Found
15:15:53.604 [qtp913190639-10] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/namespaces/kube-system/endpoints/kube-controller-manager - Error: Not Found
15:15:53.606 [qtp913190639-10] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/namespaces/kube-system/endpoints - Error: Not Found
15:15:53.612 [qtp913190639-15] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /apis/storage.k8s.io/v1/storageclasses - Error: Not Found
15:15:53.612 [qtp913190639-13] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /apis/policy/v1beta1/poddisruptionbudgets - Error: Not Found
15:15:53.729 [qtp913190639-13] ERROR o.e.k.a.c.c.s.KapuaErrorHandlerServlet - Processed HTTP error! Code: 404 - Request: /api/v1/pods - Error: Not Found

[lorthirk]

Well... it looks like someone is trying to access those URLs, that doesn't exist in Kapua. Looks like a Kubernetes client is pointing to that machine?

[mteodor]

thanks,
as for the login authentication problem it seems that access_token that kapua receives doesnt contain email ( only id_token contains email ) I'll have to check with gluu if it is possible to have email claim in access_token though i'm not sure that is in accordance to openidconnect standard
whould it be possible to use info from id_token?

EDIT: it is not possible to have email in jwt access_token

[mteodor]

I've switched to Keycloak
I'm noticing that sometimes it doesnt let me in right away after the authentication, I have to confirm the url in the address bar then it lets me in or opens login page again and after I press sso login again than it lets me in.

[lorthirk]

As I said It happened to me as well, but not consistently enough to figure out why. Any input is highly appreciated!

[mteodor]

I think that it may have something to do with login timeout, I've increased that to 2 min
Also I noticed that logout from kapua doesn't logout from keycloak is that configurable maybe?

[lorthirk]

IIRC we don't have a login timeout option set anywhere, but I should double check for confirmation.

Kapua session and Keycloak session are absolutely different, and I honestly see this correct. Do you have a different view on this perhaps?

[mteodor]

For sessions, yes you are right they are different, however it may be required that when logged out from kapua you logout from OP
https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

[lorthirk]

Good catch. Since it's coming from the OpenID Connect specification we should implement this.

[manuraf]

I've switched to Keycloak
I'm noticing that sometimes it doesnt let me in right away after the authentication, I have to confirm the url in the address bar then it lets me in or opens login page again and after I press sso login again than it lets me in.

@mteodor can you post your docker-compose with JAVA_OPTS about Keycloak configuration?
Thank you

[lorthirk]

May I suggest you to also use the Kapua room on Gitter for discussions, so we can keep the issue a little bit cleaner?

[mteodor]

 kapua-console:
    image: kapua/kapua-console:${IMAGE_VERSION}
    ports:
      - 8090:8080
      - 8443:8443
    depends_on:
      - broker
      - db
      - es
      - events-broker
    environment:
      - KAPUA_DISABLE_SSL
      - KAPUA_CA
      - KAPUA_CRT
      - KAPUA_KEY
      - KAPUA_KEY_PASSWORD
      - KAPUA_KEYSTORE
      - KAPUA_KEYSTORE_PASSWORD
   
- JAVA_OPTS=-Dcommons.db.schema.update=true 
               -Dcommons.db.connection.host=$SQL_DB_ADDR
               -Dcommons.db.connection.port=$SQL_DB_PORT
               -Dbroker.host=$BROKER_ADDR
               -Ddatastore.elasticsearch.nodes=$DATASTORE_ADDR
               -Ddatastore.elasticsearch.port=$DATASTORE_PORT
               -Ddatastore.client.class=$DATASTORE_CLIENT
               -Dcommons.eventbus.url=$SERVICE_BROKER_ADDR
               -Dcertificate.jwt.private.key=file:///var/opt/jetty/key.pk8
               -Dcertificate.jwt.certificate=file:///var/opt/jetty/cert.pem
               -Dsso.provider=keycloak
               -Dsso.openid.client.id=console
               -Dsso.openid.client.secret=9e8a0b13-08f1-4859-9a87-a1138058d616
               -Dsite.home.uri=http://kapua.server.com/console.jsp
               -Dsso.openid.redirect.uri=http://kapua.server.com/sso/callback
               -Dsso.keycloak.realm=kapua
               -Dsso.keycloak.uri=http://auth.server.com
               -Dconsole.sso.enabled=true
               -Dconsole.sso.redirect.uri=http://kapua.server.com/sso/callback
......
kapua-api:
    image: kapua/kapua-api:${IMAGE_VERSION}
    ports:
      - 8081:8080
      - 8444:8443
    depends_on:
      - broker
      - db
      - es
      - events-broker
    environment:
      - KAPUA_DISABLE_SSL
      - KAPUA_CA
      - KAPUA_CRT
      - KAPUA_KEY
      - KAPUA_KEY_PASSWORD
      - KAPUA_KEYSTORE
      - KAPUA_KEYSTORE_PASSWORD
      - JAVA_OPTS=-Dcommons.db.schema.update=true 
               -Dcommons.db.connection.host=$SQL_DB_ADDR
               -Dcommons.db.connection.port=$SQL_DB_PORT
               -Dbroker.host=$BROKER_ADDR
               -Ddatastore.elasticsearch.nodes=$DATASTORE_ADDR
               -Ddatastore.elasticsearch.port=$DATASTORE_PORT
               -Ddatastore.client.class=$DATASTORE_CLIENT
               -Dcommons.eventbus.url=$SERVICE_BROKER_ADDR
               -Dcertificate.jwt.private.key=file:///var/opt/jetty/key.pk8
               -Dcertificate.jwt.certificate=file:///var/opt/jetty/cert.pem
               -Dauthentication.credential.jwt.issuer.allowed=http://auth.server.com/auth/realms/kapua

and you need .env file in the directory where docker-deploy.sh is
contents of .env

BROKER_ADDR=broker
BROKER_PORT=1883

DATASTORE_ADDR=es
DATASTORE_PORT=9200
DATASTORE_CLIENT=org.eclipse.kapua.service.datastore.client.rest.RestDatastoreClient

SQL_DB_ADDR=db
SQL_DB_PORT=3306


SERVICE_BROKER_ADDR=failover:\(amqp://events-broker:5672\)?jms.sendTimeout=10

[Coduz]

Closing for inactivity.
Feel free to reopen if you need it.