
OIDC integration with Okta

Open itworkedinthelab opened this issue 2 years ago • 2 comments

Hi all,

Not sure if this counts as a totally new issue or rather a follow-on to OIDC Integration #20. I'm trying to integrate with Okta and not having success. I have tried many variations of config changes based on the discussions in #20 and also some other suggestions found online. I am brand new to this and I don't know enough to know if the lack of success is due to something on the Okta side or the OIDC integration itself.

As the situation stands now, I am redirected to Okta to authenticate and the Okta app appears to be configured correctly to provide the required role claim. From /var/log/httpd/error.log:

oidc_util_set_app_info: setting environment variable "OIDC_CLAIM_roles: misp-access", referer:...

And there are log entries that appear to show successful authorization based on the role. Again from error.log:

mod_authz_core.c(820): [client 192.168.X.X:15786] AH01626: authorization result of Require claim roles:misp-access: granted

However, there are later log entries further on that appear to show authorization failed.

mod_authz_core.c(820): [client 192.168.X.X:2782] AH01626: authorization result of Require claim roles:misp-access: denied (no authenticated user yet)

After authenticating with Okta, the web UI redirects to an error page that says:

An Internal Error Has Occurred.

Error: An Internal Error Has Occurred. Please try your action again. If the problem persists, please contact administrator.

In /var/www/MISP/app/tmp/logs/error.log, there are the following log entries:

2022-10-31 22:02:39 Error: [JakubOnderka\ErrorResponse] Error 'invalid_client' received from IdP: The audience claim for client_assertion must be the endpoint invoked for the request.
Request URL: /users/login
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(890): JakubOnderka\OpenIDConnectClient->endpointRequest()
#1 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(555): JakubOnderka\OpenIDConnectClient->requestAuthorization()
#2 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(22): JakubOnderka\OpenIDConnectClient->authenticate()
#3 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(32): Oidc->authenticate()
#4 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#5 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#6 /var/www/MISP/app/Controller/UsersController.php(1214): AuthComponent->login()
#7 [internal function]: UsersController->login()
#8 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#9 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#10 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#11 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#12 {main}

Again, I have tried many different configuration variations both within the Okta app as well as with the MISP instance. Would anyone have thoughts on what the issue might be?

itworkedinthelab, Oct 31 '22 22:10

@ondj I'm getting a similar issue now:

oidc_authz successful

[Mon Aug 21 21:39:27.105460 2023] [auth_openidc:debug] [pid 420:tid 281472785362896] src/authz.c(199): [client 172.31.0.1:56828] oidc_authz_match_claim: evaluating key "roles"
[Mon Aug 21 21:39:27.105463 2023] [auth_openidc:debug] [pid 420:tid 281472785362896] src/authz.c(63): [client 172.31.0.1:56828] oidc_authz_match_value: matching: spec_c=misp-access, key=roles
[Mon Aug 21 21:39:27.105466 2023] [auth_openidc:debug] [pid 420:tid 281472785362896] src/authz.c(451): [client 172.31.0.1:56828] oidc_authz_worker24: require claim/expr 'roles:misp-access' matched
[Mon Aug 21 21:39:27.105471 2023] [authz_core:debug] [pid 420:tid 281472785362896] mod_authz_core.c(820): [client 172.31.0.1:56828] AH01626: authorization result of Require claim roles:misp-access: granted
[Mon Aug 21 21:39:27.105474 2023] [authz_core:debug] [pid 420:tid 281472785362896] mod_authz_core.c(820): [client 172.31.0.1:56828] AH01626: authorization result of <RequireAny>: granted
[Mon Aug 21 21:39:27.105494 2023] [proxy:debug] [pid 420:tid 281472785362896] mod_proxy.c(1265): [client 172.31.0.1:56828] AH01143: Running scheme unix handler (attempt 0)
[Mon Aug 21 21:39:27.105498 2023] [proxy_fcgi:debug] [pid 420:tid 281472785362896] mod_proxy_fcgi.c(1021): [client 172.31.0.1:56828] AH01076: url: fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/index.php proxyname: (null) proxyport: 0
[Mon Aug 21 21:39:27.105501 2023] [proxy_fcgi:debug] [pid 420:tid 281472785362896] mod_proxy_fcgi.c(1028): [client 172.31.0.1:56828] AH01078: serving URL fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/index.php
[Mon Aug 21 21:39:27.105505 2023] [proxy:debug] [pid 420:tid 281472785362896] proxy_util.c(2353): AH00942: FCGI: has acquired connection for (127.0.0.1)

Error once authenticated

2023-08-21 21:39:26 Error: [JakubOnderka\ErrorResponse] Error 'invalid_client' received from IdP: The audience claim for client_assertion must be the endpoint invoked for the request.
Request URL: /users/login
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(890): JakubOnderka\OpenIDConnectClient->endpointRequest()
#1 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(555): JakubOnderka\OpenIDConnectClient->requestAuthorization()
#2 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(24): JakubOnderka\OpenIDConnectClient->authenticate()
#3 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(33): Oidc->authenticate()
#4 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#5 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#6 /var/www/MISP/app/Controller/UsersController.php(1233): AuthComponent->login()
#7 [internal function]: UsersController->login()
#8 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#9 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#10 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#11 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#12 {main}

scottdermott, Aug 21 '23 21:08

I see a fix for jakub-onderka/openid-connect-php here -> https://github.com/JakubOnderka/OpenID-Connect-PHP/compare/master...matthewpeyton:OpenID-Connect-PHP:okta-fix

scottdermott, Aug 21 '23 21:08
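An added illustration of the audience rule behind the 'invalid_client' error quoted in both reports above; this is not code from MISP, the OpenID-Connect-PHP library or the linked fix. It builds a JWT client assertion and mimics the IdP-side check that the `aud` claim equals the token endpoint the assertion is presented to; it uses the `client_secret_jwt` (HMAC) method so it runs offline, and the client id, secret and Okta-style URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed placeholder values for illustration only (not from the issue).
CLIENT_ID = "0oa-example-client-id"
CLIENT_SECRET = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://example.okta.com/oauth2/default"
TOKEN_ENDPOINT = ISSUER + "/v1/token"
AUD_ERROR = "The audience claim for client_assertion must be the endpoint invoked for the request"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_assertion(audience: str, now=None) -> str:
    """Build a client_secret_jwt assertion (OIDC Core 9 / RFC 7523 claims) with the given aud."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + 300}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def idp_check_assertion(assertion: str, endpoint_invoked: str, now=None):
    """Mimic the IdP-side validation; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed assertion"
    h, p, s = parts
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if claims.get("exp", 0) <= now:
        return False, "assertion expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # This is the check the error message in the thread describes: the audience must
    # be the URL of the endpoint that received the request, not the issuer or base URL.
    if endpoint_invoked not in audiences:
        return False, AUD_ERROR
    return True, "ok"
```

Setting `aud` to the issuer URL (a common default) reproduces the rejection; setting it to the token endpoint URL passes.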