search

DeviceFarmer / stf

Control and manage Android devices from your browser.
https://devicefarmer.github.io
Other
3.52k stars 497 forks source link

Oauth2 issue with ADFS 4.0 #693

Open sn00wden opened 1 year ago

sn00wden commented 1 year ago

I'm using latest STF version. LDAP works fine, but we need oauth2. STF starts by system-d units.

Body of stf-auth@.service :

[Unit] Description=STF OAuth2 PartOf=stf.target After=docker.service Requires=docker.service

[Service] EnvironmentFile=/etc/environment TimeoutStartSec=0 Restart=always ExecStartPre=-/usr/bin/docker kill %p-%i ExecStartPre=-/usr/bin/docker rm %p-%i ExecStart=/usr/bin/docker run --rm \ --name %p-%i \ -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro \ --link rethinkdb-proxy-28015:rethinkdb \ -e "SECRET=YOUR_SESSION_SECRET_HERE" \ -e NODE_TLS_REJECT_UNAUTHORIZED=1 \ -e "OAUTH_AUTHORIZATION_URL=https://adfs.domain.com/adfs/oauth2/authorize" \ -e "OAUTH_TOKEN_URL=https://adfs.domain.com/adfs/oauth2/token" \ -e "OAUTH_USERINFO_URL=https://adfs.domain.com/adfs/userinfo" \ -e "OAUTH_CLIENT_ID=client_adfs" \ -e "OAUTH_CLIENT_SECRET=secret_adfs" \ -e "OAUTH_CALLBACK_URL=https://stf.domain.com/auth/oauth/callback" \ -e "OAUTH_SCOPE=openid email" \ -p %i:3000 \ devicefarmer/stf:latest \ stf auth-oauth2 --port 3000 \ --app-url https://stf.domain.com/ ExecStop=-/usr/bin/docker stop -t 10 %p-%i

In new incognito windows, I try https://stf.domain.com , then get authorize notification, select certificate, write pass, then I'm redirected to https://stf.domain.com/auth/oauth/callback?code=AAAAAAAAAAAAAAAAAAAAAA.*** with error:

InternalOAuthError: Failed to obtain access token
    at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:423:17)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:162:5)
    at ClientRequest.emit (node:events:527:28)
    at TLSSocket.socketErrorListener (node:_http_client:454:9)
    at TLSSocket.emit (node:events:527:28)
    at emitErrorNT (node:internal/streams/destroy:164:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

How can I solve this?

denis99999 commented 1 year ago

@cert-x your configuration seems correct althrough I am not sure your ca-certificates is required (i.e. try to drop it), perhaps your STF server (resource server) is not able to reach the ADFS server (OAuth server) during the token validation step due to a missing firewall rule, you should take a network trace to see exactly what is happened.

sn00wden commented 1 year ago

@denis99999 thank you. I'm able to reach adfs, then get authorize page, then receive token and get to the callback url page...with this error. If I do not use ca-sertificates, I get next err:

TokenError: MSIS9612: The authorization code received in 'code' parameter is invalid. 
    at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:373:12)
    at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:420:16)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:191:18
    at passBackControl (/app/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:539:35)
    at endReadableNT (node:internal/streams/readable:1345:12)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

But googling gives nothing, causer we have 1 node ADFS and SQL Server

denis99999 commented 1 year ago

@cert-x it seems the code returned is invalid, you should request to ADFS support because it does not seem an issue from STF but between your resource server and the oAuth server (i.e. you should take a full network trace to identify that), sorry I am not able to help you anymore on that issue, what I can say is that it works well in my side using either oAuth 2.0 or SAML 2.0 protocols in front of my company Authentication servers.

sn00wden commented 1 year ago

@denis99999, hello! What names of claims should we get from ADFS?

denis99999 commented 1 year ago

@cert-x, I don't really understand your question, I don't know ADFS but what I understand is that ADFS is the authentication server that issued you an Oauth 2.0 partnership for ADFS, so if it does not work with STF, I suggest you contact the ADFS support team to verify your Oauth 2.0 partnership for ADFS and test it using a 3rd party baseline tool, I know some people use Postman for this!