Hi Florian,
it is a bit hard following the mails :)
The UI needs to select the auth stack to use and sends the selected
stack to the backend; for the given auth type this can include a list of
ENV variables that the backend expects to be mapped to key/value pairs
in the login message. As suggested in my first mail, please raise the
loglevel for the "auth" category and provide me with the logs; this
might help me to spot the problem as it tells me what part does not work.

a) You do not have the stack selected at all, so the envmap is not sent.
b) The ENV is not present when needed; that's a bit clumsy, especially
with mod_auth_openidc, as you won't see the ENV vars from this module
outside the protected path.
c) The role is sent but not accepted by the backend; there might be a
config issue/bug in the login module where the role is mapped.
best regards
Oliver
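The following is an added diagnostic, not OpenXPKI project code and not posted by anyone in the thread. It is a stand-alone Perl CGI script that takes the "envkeys" map from the BasicAuth stack quoted in the thread (hard-coded here; in a deployment you would copy it from the realm's auth config), checks which of the mapped Apache ENV variables the CGI process can actually see, and prints the key/value pairs the client would put into the login message, so cases (a) and (b) above can be told apart. It assumes it is placed under the same Location that mod_auth_openidc protects, since the OIDC_CLAIM_* variables are only set there; the helper names build_login_data and html_escape are this example's own.

```perl
#!/usr/bin/perl
# Added diagnostic example (not OpenXPKI code). Drop it as a CGI script
# *inside* the path protected by mod_auth_openidc and call it in the
# browser: it reports which envkeys would reach the login message and
# which would be silently skipped because the ENV variable is missing.
use strict;
use warnings;
use Encode ();

# envkeys copied from the BasicAuth stack posted in the thread:
#   envkeys:
#     email: OIDC_CLAIM_email
#     role:  SSO_XPKI_ROLE
# (assumption: in a real deployment read this from the stack config)
my %envkeys = (
    email => 'OIDC_CLAIM_email',
    role  => 'SSO_XPKI_ROLE',
);

# Build the key/value pairs the client would send, following the logic
# quoted from UI.pm: a key whose ENV variable is absent is skipped without
# any error, which is exactly what happens when the client runs outside the
# protected Location and never sees the OIDC_CLAIM_* variables.
# Returns (\%data, \@missing).
sub build_login_data {
    my ($envkeys, $env) = @_;
    my (%data, @missing);
    for my $key (sort keys %$envkeys) {
        my $var = $envkeys->{$key};
        if (!defined $env->{$var}) {
            push @missing, "$key <- \$ENV{$var}";
            next;
        }
        # decode as UTF-8 and die on malformed bytes instead of forwarding
        # garbage (for example a broken role name) to the backend
        $data{$key} = Encode::decode('UTF-8', $env->{$var},
            Encode::LEAVE_SRC | Encode::FB_CROAK);
    }
    return (\%data, \@missing);
}

# Minimal HTML escaping: claim values come from the IdP token, not from
# your config, so never echo them into a page unescaped.
sub html_escape {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

my ($data, $missing) = build_login_data(\%envkeys, \%ENV);

print "Content-type: text/html; charset=utf-8\n\n<pre>\n";

print "Login data the client would send:\n";
print "  ", html_escape($_), " = ", html_escape($data->{$_}), "\n"
    for sort keys %$data;

if (@$missing) {
    print "\nMissing ENV variables (key will NOT be sent):\n";
    print "  ", html_escape($_), "\n" for @$missing;
    print "\nIf this script runs outside the Location protected by\n",
          "mod_auth_openidc, the OIDC_CLAIM_* variables are not set there;\n",
          "move it (and the OpenXPKI client) under the protected path.\n";
}

# Legacy fallback from UI.pm, shown for comparison: only used when the
# selected stack carries no envkeys at all.
my $legacy_user = $ENV{OPENXPKI_USER} || $ENV{REMOTE_USER} || '';
print "\nLegacy fallback would use: username=", html_escape($legacy_user),
      " role=", html_escape($ENV{OPENXPKI_GROUP} // '(none)'), "\n";

print "</pre>\n";
```

If the "Missing" list shows the role or email key while the plain env dump of the same script shows the variable, the script is being served from a path where the claims are not exported; if both keys are present here but the backend still answers UNAUTHORIZED, the problem is on the server side (case c) and the "auth" debug log is the place to look.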
On 13.12.22 15:54, Cramoisan, Florian (Aruba PoC) wrote:
Hi,
Just updating on the status of the investigation in this thread.
I located the responsible code in the UI.pm module for the webui:

Line 613

my $data;
if ($auth->{envkeys}) {
    foreach my $key (keys %{$auth->{envkeys}}) {
        my $envkey = $auth->{envkeys}->{$key};
        $self->logger()->debug("Try to load $key from $envkey");
        next unless defined ($ENV{$envkey});
        $data->{$key} = Encode::decode('UTF-8', $ENV{$envkey},
            Encode::LEAVE_SRC | Encode::FB_CROAK);
    }
# legacy support
} elsif (my $user = $ENV{'OPENXPKI_USER'} ||
         $ENV{'REMOTE_USER'} || '') {
    $data->{username} = $user;
    $data->{role} = $ENV{'OPENXPKI_GROUP'} if($ENV{'OPENXPKI_GROUP'});
}
It appears that this bit is expecting an answer from the backend with
details on the auth stack selected, thus including the possible
envkeys. However, as displayed during the trace, the answer contains
an empty PARAMS field, thus skipping that part.
## Debug
$self->logger()->debug('ENV Vars -- email:' .
    $ENV{'OIDC_CLAIM_unique_name'} . ' role:' . $ENV{'OPENXPKI_SSO_ROLE'});
$self->logger()->debug('Reply: ' . Dumper $reply);

2022/12/13 14:33:18 DEB ENV Vars -- email:[email protected] role:RA Operator [pid=21570|sid=4d73]
2022/12/13 14:33:18 DEB Reply: $VAR1 = {
    'SERVICE_MSG' => 'GET_CLIENT_LOGIN',
    'PARAMS' => {}
};
[pid=21570|sid=4d73]
The good news is that I was able to use the legacy OPENXPKI_GROUP and
can confirm the env is indeed working as expected!
The bad news is that I don’t think this empty answer is unexpected, or
maybe it is for NoAuth?
I’ll continue digging 😊
Please let me know if you think this is a bug and should be logged as
such!
Best regards
Florian Cramoisan
PoC Engineer - WW | HPE Aruba Global Solutions | PoC
ACEX #102 – ACMX#831 | ACCX#1261 | ACDX#1282 | ACSX#1475
Mobile : +33 (0)6 14 58 32 45 | Desk :+33 (0)4 80 32 35 16
Hewlett Packard Enterprise | 5 av Raymond CHANAS | 38053 Grenoble | France
This e-mail may contain confidential and/or legally privileged
material for the sole use of the intended recipient. If you are
not the intended recipient (or authorized to receive for the
recipient) please contact the sender by reply e-mail and delete all
copies of this message. If you are receiving this message
internally within the Hewlett Packard Enterprise company, you should
consider the contents “CONFIDENTIAL”.
From: Cramoisan, Florian (Aruba PoC) <[email protected]>
Date: Tuesday, 13 December 2022 at 11:34
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] Help required trying to pass role
information from SSO on OpenXPKI
Hi Oliver,
Thanks for your answer!
I am still struggling to get these apache ENV variables passed to
openXPKI as role / email.
Current situation
ExternalAuth:
    type: NoAuth

BasicAuth:
    handler: ExternalAuth
    type: client
    envkeys:
        email: OIDC_CLAIM_email
        role: SSO_XPKI_ROLE
I have done a small Python and Perl script and can confirm that these
two variables are accessible from CGI as environment variables:

#!/usr/bin/perl
use strict;
use warnings;

# dump every environment variable visible to the CGI process
print "Content-type: text/html\n\n";
print "<pre>\n";
foreach my $key (sort keys %ENV) {
    print "$key = $ENV{$key}<p>";
}
print "</pre>\n";
Giving me (extract)
OIDC_CLAIM_email = [email protected]
SSO_XPKI_ROLE = RA Operator
I am trying to enable some debug and dumper in order to understand
where this is going wrong, and I can see that the “$msg” does not
contain anything more than the “username”, thus resulting in the
missing role and UNAUTHORIZED message.
#### CTX('log')->auth()->debug(Dumper($msg));
2022/12/13 10:16:49 DEBUG $VAR1 = {
    'username' => '[email protected]'
};
[pid=17194|sid=n+IJ]

#### CTX('log')->auth()->debug(Dumper($self));
2022/12/13 10:16:49 DEBUG $VAR1 = bless( {
    'history' => {},
    'prefix' => [
        'auth',
        'handler',
        'ExternalAuth'
    ],
    'authinfo' => {}
}, 'OpenXPKI::Server::Authentication::NoAuth' );
[pid=17194|sid=n+IJ]
Finally, within the auth module, when trying to print the current env
variables, none of the Apache environment variables are available; they
look a lot like a regular shell environment instead. Is this expected?
2022/12/13 10:16:49 DEBUG HOME => [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG INVOCATION_ID => 833e09412cf74d23976f1a6327150e6d [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG JOURNAL_STREAM => 8:1042596 [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LANG => en_US.UTF-8 [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LANGUAGE => C [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LC_MESSAGES => C [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LC_TIME => C [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG PATH => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [pid=17194|sid=n+IJ]
I am trying to understand where these “envkeys” are processed in order
to troubleshoot why these variables are not being passed, and I cannot
find a reference to Stack/envkeys in the code, perhaps I’m looking at
it wrong.
Could you please let me know in which module are these environment
variables transferred from the apache2 env to the application ? How
can I go ahead and access these from within the auth stack to confirm ?
I’ll keep investigating as the mention of ‘envkeys’ only seems to
happen in Client/UI.pm, Client/Simple.pm and Client/Service/Base.pm 😊
Thanks for your time and support!
Regards,
*Florian Cramoisan*
From: Oliver Welter <[email protected]>
Date: Monday, 12 December 2022 at 08:51
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] Help required trying to pass role
information from SSO on OpenXPKI
Hello Florian,
welcome to the OpenXPKI Crowd ;)
Basically your approach looks correct; are you sure that your ENV
variable gets populated properly? Raise the loglevel of the "auth"
category to debug; that might show you a more detailed error message
indicating where the mapping fails.
Regarding the second part of the question - have a look into the
folder "realm.tl/profile/template/", in the field for "email" you can
see "preset: userinfo.email" - userinfo is a hash that is filled with
anything found in "envkeys".
best regards
Oliver
On 09.12.22 14:42, Cramoisan, Florian (Aruba PoC) wrote:
Hi List,
This is my first ever message out there, so please excuse the lack of
formatting!
I’m struggling to set up my SSO as the source of authentication for
OpenXPKI.
The SSO part is handled by an apache plugin, and works fine. I am
able to check the claims and generate a “SSO_ROLE” environment
variable containing the intended role the user should get after
authentication.
Now my issue is trying to pass this information to the auth layer
so the user effectively gets that role.
I use NoAuth as per the examples:
Stack:

BasicAuth:
    handler: ExternalAuth
    type: client
    envkeys:
        email: OIDC_CLAIM_unique_name

Handler:

ExternalAuth:
    type: NoAuth
    role: User
If I remove the “role” statement from the handler and add an
envkey “role” mapping to my Apache ENV variable, I get an auth error.
What is the “proper” way to
1. Pass the role to the auth layer
2. Store some extra information (such as email or Org Unit) to be
used later in certificate generation
Thanks & Regards,
*Florian Cramoisan*
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!