
OpenID login button not showing behind proxy

Open zgael opened this issue 3 years ago • 2 comments

Current Behavior:

I am trying to connect the Dependency Track login screen to an OpenID instance (Azure AD). But the OpenID login button is not showing, and I get the "Failed to determine availability of OpenID Connect" message. After digging a bit, it appears that the call to myapiserver.com/api/v1/oidc/available returns a 504 error code. The thing is, I am behind a corporate proxy, and I cannot access the internet without the proxy. Still, I have declared the following environment variables: http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY, ALPINE_HTTP_PROXY_ADDRESS, ALPINE_HTTP_PROXY_PORT. The proxy declaration works for the vuln DB downloads, but doesn't work for reaching the OIDC provider (Microsoft). I checked the Alpine dependency that handles the OIDC part, which leads to the underlying oauth-sdk OIDC. And it seems to me that there is no proxy support in that part. Or rather, environment variables for the proxy do exist in Alpine, but are never passed to the underlying oauth-sdk OIDC library (which supports a proxy), so the server just cannot reach the outside for OIDC.

Did I miss something to make it work?

Steps to Reproduce:

Try to use an external OIDC provider when inside a corporate environment that needs a proxy to go out.

Expected Behavior:

Proxy is supported to reach the OIDC provider

Environment:

  • Dependency-Track Version: 4.5.0/4.5.1 (apiserver/frontend)
  • Distribution: Docker

Let me know if you need additional information, and thanks for your time.

zgael avatar Sep 08 '22 10:09 zgael

Thanks for reporting @zgael!

I think your analysis is spot on. The nimbus OIDC SDK does support proxies, but it only considers them when defined via Java System properties per default, not via environment variables.

So we need to ensure that we configure HTTP clients used by the SDK according to whatever is configured via ALPINE_HTTP_PROXY_* and / or HTTP*_PROXY environment variables.

nscuro avatar Sep 15 '22 12:09 nscuro

Thanks for your answer!

Do you have any idea when this might get patched? (As I see no milestone attached to it.) Also, is there a roadmap somewhere with the future versions/schedule/content (besides the GitHub milestone page, which doesn't indicate a date)?

Thanks again for your time.

zgael avatar Sep 19 '22 09:09 zgael

Do you have any idea when this might get patched ?

I'd like to get it done in the next version (4.7), as 4.6 is already quite packed and we're in the process on getting that out. Pull Requests are welcome, of course. :)

Also, is there somewhere a roadmap with the future versions/schedule/content (besides Github milestone page that doesn't indicate a date) ?

GitHub is the only place right now. The reason there's no deadline on the milestones is that this project is run by volunteers, and targeting specific dates simply does not work. This situation will improve in the future, if we can get more maintainers working on the project.

nscuro avatar Sep 28 '22 16:09 nscuro

I was actually considering submitting a PR, but I am not so sure about the responsibilities of each library involved.

Maybe I should go and talk to Alpine's maintainer (@stevespringett), who luckily happens to know about Dependency Track? I believe there's at least something to be done on Alpine's side, as the package seems to be aware of proxy environment variables (https://github.com/stevespringett/Alpine/blob/7b79d39565020738afc2310764024a2a9217440b/alpine-common/src/main/java/alpine/Config.java#L140) but never makes use of them (I couldn't find a place where the proxy variables are used).

Thanks for all your precisions about deadlines, milestones and such. I fully understand what volunteering for such a project means, so thanks for your time on this!

zgael avatar Sep 30 '22 14:09 zgael

Steve actually invented Dependency-Track, so yeah I guess he knows about it. 😄

As I believe there's at least something to be done on Alpine's side

You are right. The relevant bits for this issue are all in Alpine. More precisely, in the classes prefixed with Oidc* in the alpine.server.auth package: https://github.com/stevespringett/Alpine/tree/master/alpine-server/src/main/java/alpine/server/auth

The proxy configured via the properties you identified will need to be passed to the Nimbus OAuth2/OIDC SDK that we use. It may not be straightforward in all cases.

For example, the OIDCProviderMetadata class that we use to fetch the OIDC configuration does not seem to support specifying a proxy. A possible solution could be to fetch the JSON using a custom HTTP client (with proxy configured), and then parse it using OIDCProviderMetadata#parse.

I haven't looked into the other areas where such workarounds may be required, but I am happy to help you out if you run into any issues.

nscuro avatar Oct 01 '22 20:10 nscuro
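One way to implement the workaround nscuro describes above (fetch the discovery document through a proxied HTTP client, then hand the JSON to OIDCProviderMetadata#parse). This is an added example, not code from Alpine or Dependency-Track; it assumes the Nimbus oauth2-oidc-sdk on the classpath, Java 11+, and the ALPINE_HTTP_PROXY_ADDRESS / ALPINE_HTTP_PROXY_PORT variables named in the thread. The class and method names are hypothetical.

```java
import java.net.InetSocketAddress;
import java.net.ProxySelector;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;

/** Hypothetical helper: OIDC discovery that honours Alpine's proxy environment variables. */
public final class ProxiedOidcDiscovery {

    /** Builds a client that routes through ALPINE_HTTP_PROXY_* when set, else the JVM default selector. */
    static HttpClient buildClient() {
        String host = System.getenv("ALPINE_HTTP_PROXY_ADDRESS");
        String port = System.getenv("ALPINE_HTTP_PROXY_PORT");
        ProxySelector selector;
        if (host == null || host.isBlank() || port == null || port.isBlank()) {
            selector = ProxySelector.getDefault(); // no proxy configured: direct connection
        } else {
            selector = ProxySelector.of(new InetSocketAddress(host, Integer.parseInt(port)));
        }
        return HttpClient.newBuilder()
                .proxy(selector)
                .connectTimeout(Duration.ofSeconds(5))
                .build();
    }

    /** Fetches <issuer>/.well-known/openid-configuration via the proxy and parses it with the Nimbus SDK. */
    static OIDCProviderMetadata fetch(HttpClient client, String issuerUrl) throws Exception {
        String base = issuerUrl.replaceAll("/+$", "");
        HttpRequest request = HttpRequest.newBuilder(URI.create(base + "/.well-known/openid-configuration"))
                .timeout(Duration.ofSeconds(10))
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("OIDC discovery returned HTTP " + response.statusCode());
        }
        OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(response.body());
        // OIDC Discovery requires the "issuer" in the document to equal the configured issuer;
        // rejecting a mismatch stops a misrouted or tampered response from redirecting auth elsewhere.
        if (!base.equals(metadata.getIssuer().getValue())) {
            throw new IllegalStateException("issuer mismatch: " + metadata.getIssuer().getValue());
        }
        return metadata;
    }
}
```

The same proxied client would also need to serve the later token and JWKS requests, which is the part nscuro notes may not be straightforward in every code path.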

This has been addressed in Alpine and will be shipped with DT 4.8: https://github.com/stevespringett/Alpine/pull/466

nscuro avatar Apr 12 '23 21:04 nscuro

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar May 13 '23 10:05 github-actions[bot]