Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for OIDC scopes #357

Merged
merged 5 commits into from
Jul 11, 2024
Merged

Support for OIDC scopes #357

merged 5 commits into from
Jul 11, 2024

Conversation

afabiani
Copy link
Member

@afabiani afabiani commented Jul 2, 2024
edited by offtherailz
Loading

…configuration

(cherry picked from commit 59b7b63)

Fix geosolutions-it/MapStore2#10151

@afabiani afabiani requested a review from offtherailz July 2, 2024 14:38
@afabiani afabiani self-assigned this Jul 2, 2024
@afabiani afabiani mentioned this pull request Jul 2, 2024
Merged
offtherailz
offtherailz requested changes Jul 9, 2024
View reviewed changes
Copy link
Member

@offtherailz offtherailz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can not test.

  • If I do not set scopes, it rises an exception (see inline comment)
  • If I set scopes, oidcOAuth2Config.scopes=openid,profile,groups, I have a No access token found on callback request. without any additional logging.

Scope should be optional, and when we have errors, we should have a proper logging to be able to identify the problem and possibly be able to fix the configuration issues, without the needing to inspect the code everytime.
This issue without any logging happened a lot of times, and findi out the reason is extremely expensive in terms of time and resources,

...pl/src/main/java/it/geosolutions/geostore/services/rest/security/oauth2/DiscoveryClient.java Outdated

// Get existing scopes from conf and split into a Set
Set<String> mergedScopes = new HashSet<>();
mergedScopes.addAll(Arrays.asList(conf.getScopes().split(",")));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a NullPointerException when I do not set scopes.

	... 30 more
Caused by: java.lang.NullPointerException
	at it.geosolutions.geostore.services.rest.security.oauth2.DiscoveryClient.lambda$autofill$6(DiscoveryClient.java:114) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at java.util.Optional.ifPresent(Optional.java:183) ~[?:?]
	at it.geosolutions.geostore.services.rest.security.oauth2.DiscoveryClient.autofill(DiscoveryClient.java:107) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectFilter.<init>(OpenIdConnectFilter.java:71) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectSecurityConfiguration.oidcOpenIdFilter(OpenIdConnectSecurityConfiguration.java:145) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectSecurityConfiguration$$EnhancerBySpringCGLIB$$9ded83d5.CGLIB$oidcOpenIdFilter$3(<generated>) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectSecurityConfiguration$$EnhancerBySpringCGLIB$$9ded83d5$$FastClassBySpringCGLIB$$e4b2836b.invoke(<generated>) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.3.18.jar:5.3.18]
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) ~[spring-context-5.3.18.jar:5.3.18]
	at it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectSecurityConfiguration$$EnhancerBySpringCGLIB$$9ded83d5.oidcOpenIdFilter(<generated>) ~[geostore-rest-impl-2.2-SNAPSHOT.jar:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]

@afabiani
Copy link
Member Author

afabiani commented Jul 9, 2024

@offtherailz NPE fix pushed, for the second statement, rise the log level to DEBUG or check the Keycloack service log.

@offtherailz offtherailz added this to the 2024.02.00 milestone Jul 9, 2024
@tdipisa tdipisa changed the title - Making sure we do not overwrite existing scopes explicitly set by … Making sure we do not overwrite existing scopes explicitly set by … Jul 9, 2024
@offtherailz offtherailz changed the title Making sure we do not overwrite existing scopes explicitly set by … Support for OIDC groups mapping Jul 9, 2024
@offtherailz offtherailz self-requested a review July 9, 2024 16:06
offtherailz
offtherailz requested changes Jul 9, 2024
View reviewed changes
Copy link
Member

@offtherailz offtherailz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Logging for callback error (and errorDescription) in /callback endpoint
  • Support for groupMappings, rolesMappings and `dropUnmapped' as for keycloak

@offtherailz offtherailz mentioned this pull request Jul 9, 2024
Merged
12 tasks
@offtherailz offtherailz changed the title Support for OIDC groups mapping Support for OIDC scopes Jul 11, 2024
@offtherailz offtherailz self-requested a review July 11, 2024 15:20
@offtherailz offtherailz merged commit 64fe0d1 into master Jul 11, 2024
2 checks passed
@tdipisa tdipisa linked an issue Jul 12, 2024 that may be closed by this pull request
OIDC provider support geosolutions-it/MapStore2#10056
Closed
@tdipisa tdipisa mentioned this pull request Jul 12, 2024
Closed
@tdipisa tdipisa removed a link to an issue Jul 12, 2024
OIDC provider support geosolutions-it/MapStore2#10056
Closed
@afabiani afabiani deleted the oidc_scopes_patch branch October 9, 2024 07:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@offtherailz offtherailz offtherailz approved these changes

Assignees

@afabiani afabiani

Labels
C206-DEUTSCHE_BAHN-2024-SUPPORT
Projects
None yet
Milestone
2024.02.00
Development

Successfully merging this pull request may close these issues.

OpenID generic provider support
2 participants
@afabiani @offtherailz