Invalid URL error - Group Parsing
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| Cortex version / git hash | 3.1.0 |
| Package Type | Binary |
| Browser type & version | N/A |
Problem Description
Invalid URL error when attempting to use Group Mapper for OAUTH.
Cortex mandates the use of Groups URL as per https://github.com/TheHive-Project/Cortex/blob/619b28a3cd2b9a46bb553baf1b647b25405620df/app/org/thp/cortex/services/mappers/GroupUserMapper.scala while the same info can be fetched from User URL
This seems to be the same error that was originally identified for TheHive by ananth07reddy in https://github.com/TheHive-Project/TheHive/issues/1010. It was subsequently fixed in https://github.com/TheHive-Project/TheHive/pull/1112 but never in Cortex.
Steps to Reproduce
- Set up the OIDC/OAUTH2 config for Cortex with the SSO mapper set to `group` as per https://github.com/TheHive-Project/CortexDocs/blob/master/admin/admin-guide.md#oauth2openid-connect. Don't provide the Groups URL, as group information needs to be fetched from the User URL.
- Attempt an SSO login from the front end and observe the logs for `Invalid URL`.
Possible Solutions
Maybe port the solution from theHive https://github.com/TheHive-Project/TheHive/pull/1112 to Cortex
Complementary information
```
[error] o.e.s.a.MultiAuthSrv - Authentication failure
org.elastic4play.AuthenticationError: OAuth2 authentication failure: Invalid URL
at org.thp.cortex.services.OAuth2Srv$$anonfun$$nestedInanonfun$authenticate$1$1.applyOrElse(OAuth2Srv.scala:96)
at org.thp.cortex.services.OAuth2Srv$$anonfun$$nestedInanonfun$authenticate$1$1.applyOrElse(OAuth2Srv.scala:95)
at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:56)
at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:93)
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:93)
```
I have the same issue. When using OIDC by setting `sso.groups.url` to null, Cortex still tries to take the group from this URL. Cortex should take the user's groups from the first REST call and not try to fetch `sso.groups.url`.
As stated in the official doc: "URL to retrieve groups (leave empty if you are using OIDC)"
We have the same issue in TheHive4.
Same issue here as well running Cortex 3.1.0.
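The behaviour the issue body and the first comment describe (a groups URL fetched unconditionally, versus groups taken from the userinfo call when no groups URL is configured) modelled as an added example. This is illustrative Python written for this page, not Cortex's Scala code or the TheHive fix; the `sso.*` key names follow the issue and the admin guide, but the flattened config shape, the `group -> roles` mapping layout, the stand-in HTTP client and the sample IdP responses are all assumptions constructed for the example.

```python
"""Added illustration of OAuth2/OIDC group resolution; not Cortex's own code."""
from urllib.parse import urlparse

# Constructed sample IdP responses standing in for the two REST calls.
SAMPLE_USERINFO = {
    "sub": "alice",
    "name": "Alice Example",
    "groups": ["cortex-analysts", "cortex-admins"],  # OIDC groups claim, inline
}
SAMPLE_GROUPS_RESPONSE = {"groups": ["cortex-readers"]}

# Hypothetical settings flattened from the sso.* block; key names follow the
# issue and the admin guide, the values and layout are assumptions.
CONFIG_OIDC = {
    "sso.attributes.groups": "groups",
    "sso.groups.url": "",  # left empty, as the docs say to do for OIDC
    "sso.groups.mappings": {  # assumed shape: IdP group -> Cortex roles
        "cortex-admins": ["admin"],
        "cortex-analysts": ["write", "read"],
    },
    "sso.defaultRoles": ["read"],
}
CONFIG_GROUPS_URL = dict(CONFIG_OIDC, **{"sso.groups.url": "https://idp.example/api/groups"})


def fake_get(url, token):
    """Stand-in HTTP client: rejects malformed URLs, answers with constructed data."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("Invalid URL")
    if url.endswith("/userinfo"):
        return dict(SAMPLE_USERINFO)
    if url.endswith("/groups"):
        return dict(SAMPLE_GROUPS_RESPONSE)
    raise KeyError(f"no constructed response for {url}")


def resolve_groups_buggy(cfg, userinfo, token, http=fake_get):
    """Behaviour the issue reports: the groups URL is fetched unconditionally, so an
    empty sso.groups.url reaches the HTTP client and fails as 'Invalid URL'."""
    body = http(cfg["sso.groups.url"], token)
    return list(body[cfg["sso.attributes.groups"]])


def resolve_groups_fixed(cfg, userinfo, token, http=fake_get):
    """Behaviour the issue asks for: call the groups URL only when one is configured,
    otherwise read the groups attribute from the userinfo response already fetched."""
    url = (cfg.get("sso.groups.url") or "").strip()
    if url:
        body = http(url, token)
        return list(body.get(cfg["sso.attributes.groups"], []))
    return list(userinfo.get(cfg["sso.attributes.groups"], []))


def map_roles(cfg, groups):
    """Union of the roles mapped from each group; defaultRoles when nothing matches."""
    roles = set()
    for group in groups:
        roles.update(cfg["sso.groups.mappings"].get(group, []))
    return sorted(roles) if roles else list(cfg["sso.defaultRoles"])


def sso_login(cfg, user_url, token, resolver=resolve_groups_fixed):
    """Userinfo call first, then group resolution, then the role mapping."""
    userinfo = fake_get(user_url, token)
    groups = resolver(cfg, userinfo, token)
    return {"login": userinfo["sub"], "groups": groups, "roles": map_roles(cfg, groups)}


def buggy_error(cfg, user_url, token):
    """Message raised by the unconditional-fetch resolver, or None if it succeeds."""
    try:
        sso_login(cfg, user_url, token, resolver=resolve_groups_buggy)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(sso_login(CONFIG_OIDC, "https://idp.example/userinfo", "tok"))
    print(sso_login(CONFIG_GROUPS_URL, "https://idp.example/userinfo", "tok"))
    print("buggy resolver with empty groups URL:",
          buggy_error(CONFIG_OIDC, "https://idp.example/userinfo", "tok"))
```

With the empty groups URL, the unconditional resolver fails before any group is read, which matches the logged "OAuth2 authentication failure: Invalid URL"; the conditional resolver returns the groups carried in the userinfo response, and when a groups URL is configured both resolvers behave the same.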