misp icon indicating copy to clipboard operation
misp copied to clipboard

Published 20 hours ago verified publisher icon NUKIB

API not working with OIDC

Open ghost opened this issue 2 years ago • 6 comments

When I try to access MISP over API, with OICD configured I get 403.

  • I have tried with fresh auth keys, and even with MISP's own REST client in the web UI

Apache logs this:

{
  "@timestamp.nanos": 319537,
  "file": "[censored]",
  "headers": {
  },
  "host": "worker01-misp_vector",
  "loghost": "worker01-misp_misp",
  "message": "[censored] [censored] - [05/May/2022:08:58:34 +0000] "POST /events/index HTTP/1.1" 403 954 "-" "python-requests/2.27.1"",
  "message_key": null,
  "offset": 449880,
  "partition": 2,
  "severity": "info",
  "source_type": "misp",
  "tag": "apache-access"
}

My request header:

{'Authorization': 'xxx', 'Content-Type': 'application/json', 'Accept': 'application/json'}

Do you have any idea what could course this?

ghost avatar May 05 '22 09:05 ghost

I had this issue a view times but I haven't had time to analyze the problem. For me the keys have been working, after restarting httpd inside the container using supervisorctl.

Benni0 avatar May 05 '22 09:05 Benni0

@Benni0 I tried with /usr/bin/supervisorctl restart httpd but it didnt work. Then I tried to restart the container, that didn't work neither.

As I can understand from OpenID Connect Documentation Apache will not authenticate the API Key, but only check if Authorization is set in the header, and then forward the request to MISP. So shouldn't my deny logs originate from MISP and not Apache?

ghost avatar May 05 '22 10:05 ghost

In apaches misp.conf a rewrite map is defined which checks the key against cake: RewriteMap authkeys "prg:/var/www/MISP/app/Console/cake user authkey_valid" apache:apache

If you execute the cake command inside the container you should get '1' as result when you insert your API key. As I remember this worked when I had this problem.

Benni0 avatar May 05 '22 11:05 Benni0

I can get it working with the users personal access key, but the ones manual created in /auth_keys/index doesn't work.

ghost avatar May 05 '22 12:05 ghost

@gso-trifork-security Advanced auth keys are disabled by default. If you want to use them, you have to set SECURITY_ADVANCED_AUTHKEYS to yes. See https://github.com/NUKIB/misp#security

ondj avatar May 06 '22 14:05 ondj

I know this is almost two years old but I'm seeing the same behaviour with an user we're using for monitoring purposes, suddenly the user gets a 403 and our checks fail. One remediation seems to be to log in as the user, upon login the checks are successful. Havent been able to find anything that suggests the underlying reasons for this behavior.

dygland avatar Mar 07 '24 06:03 dygland