Skip to content
This repository has been archived by the owner on Apr 22, 2024. It is now read-only.

OIDC: login succeeds, but FE does not show user as loggged in #529

Open
bpedersen2 opened this issue Nov 22, 2021 · 3 comments
Open

OIDC: login succeeds, but FE does not show user as loggged in #529

bpedersen2 opened this issue Nov 22, 2021 · 3 comments

Comments

@bpedersen2
Copy link

I am trying to set up scicat for use at MLZ with OIDC login enabled.

I get correctly redirected to the success URL, but I am still shown as not logged in in the FE.
Debugging shows that the user and authInfo entries seem to be populated correctly.
The login callback gets called returns success.

Any hints what is still missing here?

Best Björn

providers.json:

  "MLZ": {
        "provider": "oidc",
        "authScheme": "openid connect",
        "module": "passport-openidconnect",
        "authPath": "/auth/mlz",
        "successRedirect": "/",
        "failureRedirect": "/login",
        "failureFlash": true,
        "session": true,
        "issuer": "http://<host>/auth/realms/MLZ",
        "authorizationURL":"http://<host>/auth/realms/MLZ/protocol/openid-connect/auth",
        "tokenURL": "http://<host>//auth/realms/MLZ/protocol/openid-connect/token",
        "userInfoURL": "http://<host>//auth/realms/MLZ/protocol/openid-connect/userinfo",
        "clientID": "scicat",
        "clientSecret": "<redacted>",
        "callbackURL": "http://<scicathost>/auth/mlz/callback",
        "callbackPath":"/auth/mlz/callback",
        "loginCallback": "mlzLoginCallback",
        "scope": ["email", "profile", "openid"]


  return function(err, user, identity, token) {

    const logger = require("../../common/logger");
    const request = require("request");

    console.dir(user);
    console.dir(token);
    var authInfo = {
      identity: identity,
    };
    if (token) {
      authInfo.accessToken = token;
    }
    console.dir(identity);

    let pinfo = identity.profile._json;
    authInfo.identity.profile.accessGroups = pinfo.realm_access.roles;
    authInfo.identity.profile.username = pinfo.preferred_username;
    authInfo.identity.profile.emails = [ { value: pinfo.email}  ];
    console.dir(authInfo);
    done(err, user, authInfo);
return;
}

catanie: environment.js

...
oAuth2Endpoints: [{displayText: "MLZ", authURL:"auth/mlz"}],
 loginFormEnabled: true
...

                                                                                                                         49,1          76%
@bpedersen2
Copy link
Author

tracebacks:

catanie_1                    | 192.168.96.2 - - [22/Nov/2021:11:34:58 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "<ip>"
catamel_1                    | Unhandled error for request GET /api/v3/Users/__anonymous__: Error: Authorization Required
catamel_1                    |     at /home/node/app/node_modules/loopback/lib/application.js:433:23
catamel_1                    |     at /home/node/app/node_modules/loopback/lib/model.js:359:7
catamel_1                    |     at /home/node/app/node_modules/loopback/common/models/acl.js:536:16
catamel_1                    |     at /home/node/app/node_modules/async/dist/async.js:3888:9
catamel_1                    |     at /home/node/app/node_modules/async/dist/async.js:473:16
catamel_1                    |     at iteratorCallback (/home/node/app/node_modules/async/dist/async.js:1064:13)
catamel_1                    |     at /home/node/app/node_modules/async/dist/async.js:969:16
catamel_1                    |     at /home/node/app/node_modules/async/dist/async.js:3885:13
catamel_1                    |     at /home/node/app/node_modules/loopback/common/models/acl.js:518:17
catamel_1                    |     at /home/node/app/node_modules/loopback/common/models/role.js:246:9
catamel_1                    |     at processTicksAndRejections (internal/process/task_queues.js:77:11)

@dylanmcreynolds
Copy link
Contributor

@bpedersen2 sorry for the delay, I just saw this.

It's been a long time, so I don't recall the exact reason, but the settings in providers.json that work for me are public URLs into catanie/frontend. So, something like:

        "successRedirect": "https://cataniserver/",
        "failureRedirect": "https://cataniserver/login",

I think this is because the code running this code and redirecting is actually the catamel/backend server, so '/` is interpreted relative to it.

@bpedersen2
Copy link
Author

I did some further debugging, and it seems like the pasport-openid lib has evoled faster than the integration in loopback-passport-component. The usage of the callback arguments there did not match. Needs further investigation...

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bpedersen2 @dylanmcreynolds