Incorrect scopes persisted during manual registration of OIDC client #1282

ossdhaval opened this issue May 4, 2022 · 12 comments
Labels: comp-jans-auth-server, comp-jans-cli-tui, comp-jans-config-api, effort-3, kind-bug, priority-3

Comments

@ossdhaval
Contributor

Describe the bug
During manual registration of an OIDC client through jans-cli, the scopes that are persisted in the MySQL table are not in Dn format.
What is stored: {"v": ["email", "openid", "profile"]}
What should be stored: {"v": ["inum=C4F7,ou=scopes,o=jans", "inum=C4F6,ou=scopes,o=jans", ...]}

To Reproduce
Steps to reproduce the behavior:

  1. Use config-cli on the Janssen server
  2. Select the option for OpenID Connect clients (option 16)
  3. Then select the option for registering a new client
  4. Provide all inputs as mentioned below:
displayName: <name-of-choice>
application Type: web
includeClaimsInIdToken  [false]: 
Populate optional fields? y
clientSecret: <secret-of-your-choice>
subjectType: public
tokenEndpointAuthMethod: client_secret_basic
redirectUris: https://test.apache.rp.io/callback
scopes: email,openid,profile
responseTypes: code
grantTypes: authorization_code

Check the schema JSON that is being used for client registration; mine was:

{
  "dn": null,
  "inum": null,
  "displayName": "myrp",
  "clientSecret": "mysecretpw",
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": null,
  "registrationAccessToken": null,
  "clientIdIssuedAt": null,
  "clientSecretExpiresAt": null,
  "redirectUris": [
    "https://test.apache.rp.io/callback"
  ],
  "claimRedirectUris": null,
  "responseTypes": [
    "code"
  ],
  "grantTypes": [
    "authorization_code"
  ],
  "applicationType": "web",
  "contacts": null,
  "clientName": null,
  "idTokenTokenBindingCnf": null,
  "logoUri": null,
  "clientUri": null,
  "policyUri": null,
  "tosUri": null,
  "jwksUri": null,
  "jwks": null,
  "sectorIdentifierUri": null,
  "subjectType": "public",
  "idTokenSignedResponseAlg": null,
  "idTokenEncryptedResponseAlg": null,
  "idTokenEncryptedResponseEnc": null,
  "userInfoSignedResponseAlg": null,
  "userInfoEncryptedResponseAlg": null,
  "userInfoEncryptedResponseEnc": null,
  "requestObjectSigningAlg": null,
  "requestObjectEncryptionAlg": null,
  "requestObjectEncryptionEnc": null,
  "tokenEndpointAuthMethod": "client_secret_basic",
  "tokenEndpointAuthSigningAlg": null,
  "defaultMaxAge": null,
  "requireAuthTime": null,
  "defaultAcrValues": null,
  "initiateLoginUri": null,
  "postLogoutRedirectUris": null,
  "requestUris": null,
  "scopes": [
    "email",
    "openid",
    "profile"
  ],
  "claims": null,
  "trustedClient": false,
  "lastAccessTime": null,
  "lastLogonTime": null,
  "persistClientAuthorizations": null,
  "includeClaimsInIdToken": false,
  "refreshTokenLifetime": null,
  "accessTokenLifetime": null,
  "customAttributes": null,
  "customObjectClasses": null,
  "rptAsJwt": null,
  "accessTokenAsJwt": null,
  "accessTokenSigningAlg": null,
  "disabled": false,
  "authorizedOrigins": null,
  "softwareId": null,
  "softwareVersion": null,
  "softwareStatement": null,
  "attributes": null,
  "backchannelTokenDeliveryMode": null,
  "backchannelClientNotificationEndpoint": null,
  "backchannelAuthenticationRequestSigningAlg": null,
  "backchannelUserCodeParameter": null,
  "expirationDate": null,
  "deletable": false,
  "jansId": null,
  "description": null
}

As shown above, the scopes are not sent in Dn format but rather in simple format.

  5. Go ahead and let the CLI create the client by typing y on the prompt.
  6. Client registration is successful and a JSON response is received back, as below:
{
  "dn": "inum=68281b57-f108-4fec-9ebe-e51f42b6808c,ou=clients,o=jans",
  "inum": "68281b57-f108-4fec-9ebe-e51f42b6808c",
  "displayName": "myrp",
  "clientSecret": "mysecretpw",
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": false,
  "registrationAccessToken": null,
  "clientIdIssuedAt": null,
  "clientSecretExpiresAt": null,
  "redirectUris": [
    "https://test.apache.rp.io/callback"
  ],
  "claimRedirectUris": null,
  "responseTypes": [
    "code"
  ],
  "grantTypes": [
    "authorization_code"
  ],
  "applicationType": "web",
  "contacts": null,
  "clientName": "myrp",
  "idTokenTokenBindingCnf": null,
  "logoUri": null,
  "clientUri": null,
  "policyUri": null,
  "tosUri": null,
  "jwksUri": null,
  "jwks": null,
  "sectorIdentifierUri": null,
  "subjectType": "public",
  "idTokenSignedResponseAlg": null,
  "idTokenEncryptedResponseAlg": null,
  "idTokenEncryptedResponseEnc": null,
  "userInfoSignedResponseAlg": null,
  "userInfoEncryptedResponseAlg": null,
  "userInfoEncryptedResponseEnc": null,
  "requestObjectSigningAlg": null,
  "requestObjectEncryptionAlg": null,
  "requestObjectEncryptionEnc": null,
  "tokenEndpointAuthMethod": "client_secret_basic",
  "tokenEndpointAuthSigningAlg": null,
  "defaultMaxAge": null,
  "requireAuthTime": false,
  "defaultAcrValues": null,
  "initiateLoginUri": null,
  "postLogoutRedirectUris": null,
  "requestUris": null,
  "scopes": [
    "email",
    "openid",
    "profile"
  ],
  "claims": null,
  "trustedClient": false,
  "lastAccessTime": null,
  "lastLogonTime": null,
  "persistClientAuthorizations": false,
  "includeClaimsInIdToken": false,
  "refreshTokenLifetime": null,
  "accessTokenLifetime": null,
  "customAttributes": [],
  "customObjectClasses": null,
  "rptAsJwt": false,
  "accessTokenAsJwt": false,
  "accessTokenSigningAlg": null,
  "disabled": false,
  "authorizedOrigins": null,
  "softwareId": null,
  "softwareVersion": null,
  "softwareStatement": null,
  "attributes": {
    "tlsClientAuthSubjectDn": null,
    "runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims": false,
    "keepClientAuthorizationAfterExpiration": false,
    "allowSpontaneousScopes": false,
    "spontaneousScopes": null,
    "spontaneousScopeScriptDns": null,
    "backchannelLogoutUri": null,
    "backchannelLogoutSessionRequired": false,
    "additionalAudience": null,
    "postAuthnScripts": null,
    "consentGatheringScripts": null,
    "introspectionScripts": null,
    "rptClaimsScripts": null
  },
  "backchannelTokenDeliveryMode": null,
  "backchannelClientNotificationEndpoint": null,
  "backchannelAuthenticationRequestSigningAlg": null,
  "backchannelUserCodeParameter": null,
  "expirationDate": null,
  "deletable": false,
  "jansId": null,
  "description": null
}
  7. Now if you try to use this client for authentication for any user, it doesn't work. jans-auth.log has this error:
(ClientService.java:140) - Found 1 entries for client id = 68281b57-f108-4fec-9ebe-e51f42b6808c
2022-05-02 11:42:00,458 TRACE [qtp982757413-17] 98ae84c5-b630-4282-b31c-461482dfd44b [io.jans.as.server.service.ScopeService] (ScopeService.java:144) - Failed to find entry: 'email'
io.jans.orm.exception.EntryPersistenceException: Failed to find entry: 'email'
  8. Upon checking the MySQL table using the following query, it shows that scopes are not in Dn format:
SELECT jansScope FROM jansdb.jansClnt where doc_id = "68281b57-f108-4fec-9ebe-e51f42b6808c";

Expected behavior

  • Scopes should be persisted in Dn format
  • If config-api expects Dn-formatted input from jans-cli then the Swagger doc needs to be fixed, as it currently shows simple format
  • Need to understand why jans-auth.log logs this issue as TRACE and not as ERROR. This creates a hidden failure which is not logged at all unless the log level is changed to TRACE.

Screenshots
config-api swagger showing scopes accepted in non-Dn format

Desktop (please complete the following information):

  • Janssen installed on a VM with MySQL backend
@devrimyatar
Contributor

This is not an issue. User should enter scopes in dn format. See below.

vokoscreenNG-2022-05-04_13-16-29.mp4

@pujavs
Contributor

pujavs commented May 4, 2022

At present config-api acts as a pass-through and hence expects the scopes as DN; it takes the scopes and saves them as is.
Example:
["inum=C4F7,ou=scopes,o=jans", "inum=C4F6,ou=scopes,o=jans", ...]
and not
["email", "openid", "profile"]

Checking with Yuriy regarding the expected behaviour "Scopes should be persisted in Dn format".

@ossdhaval
Contributor Author

ossdhaval commented May 4, 2022

Adding @yuriyz as Puja mentioned above.

Having users add inum=C4F7,ou=scopes,o=jans for the scope email, for example, is not user-friendly, because every time the user has to look up the correct Dn for the scope. I understand that adding a new client will not be a frequent operation, but we also use the same Dn-based values when we get info about a client.

Agreed that the CLI may not be able to translate email to inum=C4F7,ou=scopes,o=jans on its own. But can't we have config-api do this translation?

@ossdhaval
Contributor Author

@yurem for comments on above.

@yuriyz
Contributor

yuriyz commented May 4, 2022

Yes, I agree. We just discussed it with @pujavs .

config-api can check whether scope is in DN format :

  1. if yes -> pass it forward as it does it already
  2. if no -> look up scope by name against db. If scope is found -> use it. If not found -> error.

@pujavs
Contributor

pujavs commented May 4, 2022

thanks @yuriyz for your inputs, working on it

@pujavs
Contributor

pujavs commented May 5, 2022

Implemented the check as suggested by @yuriyz as follows:

config-api can check whether scope is in DN format :

  • if DN format yes -> pass it forward as it does it already
  • if not in DN format -> look up scope by name against db. If scope is found -> use it. If not found -> error.

Testing:

Case#1: Valid scopes: If a scope is provided in DN format it is accepted as is; else the DN is fetched from the DB.

Case#2: Invalid scope name: Will throw an exception with details of the invalid scope.
Example: "Invalid scope in request -> [abc, xyz]"

Case#3: Invalid DN: Will throw an exception with details of the invalid scope.
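A model of the DN-or-name check that @yuriyz proposed and @pujavs implemented in config-api, written here as an added Python illustration rather than the project's own code. The scope table is constructed for the example (the inums for email and openid are the ones quoted in the issue; the one for profile is hypothetical), and the three test cases above are mirrored: DN passed through, name resolved, unknown values reported together.

```python
import json
import re

# Constructed stand-in for the ou=scopes branch of the Janssen database:
# scope name -> inum. C4F7/C4F6 are quoted in the issue; 43F1 is hypothetical.
SCOPES_BY_NAME = {"email": "C4F7", "openid": "C4F6", "profile": "43F1"}
SCOPE_DNS = {f"inum={i},ou=scopes,o=jans" for i in SCOPES_BY_NAME.values()}

# A scope DN as Janssen stores it: inum=<id>,ou=scopes,o=jans.
# Whitespace around the RDNs is tolerated; anything else is treated as a name.
SCOPE_DN_RE = re.compile(r"^\s*inum=([^,\s]+)\s*,\s*ou=scopes\s*,\s*o=jans\s*$")


class InvalidScopeError(ValueError):
    """Raised with the same message shape config-api returns (Case#2/Case#3)."""


def resolve_scope_dns(requested):
    """Return the scope DNs to persist for the values sent in a registration request.

    Values already in DN format are passed through, but must name an existing
    scope (Case#3). Other values are looked up by scope name (Case#1). Every
    unresolvable value is collected so one error lists them all (Case#2).
    """
    resolved, invalid = [], []
    for value in requested:
        match = SCOPE_DN_RE.match(value)
        if match:
            dn = f"inum={match.group(1)},ou=scopes,o=jans"
            (resolved if dn in SCOPE_DNS else invalid).append(dn if dn in SCOPE_DNS else value)
        elif value in SCOPES_BY_NAME:
            resolved.append(f"inum={SCOPES_BY_NAME[value]},ou=scopes,o=jans")
        else:
            invalid.append(value)
    if invalid:
        raise InvalidScopeError(f"Invalid scope in request -> [{', '.join(invalid)}]")
    return resolved


def scope_error(requested):
    """Return the error message a request would produce, or None if it is valid."""
    try:
        resolve_scope_dns(requested)
    except InvalidScopeError as exc:
        return str(exc)
    return None


def persisted_jans_scope(requested):
    """The jansScope column value in the {"v": [...]} shape shown in the issue."""
    return json.dumps({"v": resolve_scope_dns(requested)})
```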

@pujavs
Contributor

pujavs commented May 5, 2022

Related PR 1293

@pujavs
Contributor

pujavs commented May 5, 2022

@ossdhaval, change has been merged, request you to please verify

@ossdhaval
Contributor Author

Thanks @pujavs
I'll validate this from jans-cli. Does jans-cli need any changes to accommodate this? @mbaser

@devrimyatar
Contributor

There is no need for any change in the CLI.
@pujavs I am getting an error

@devrimyatar
Contributor

When we use the id of the scope, config-api registers its dn.

vokoscreenNG-2022-05-09_22-45-29.mp4

Closing the issue
