ForgeRock / openam-authentication

Wordpress plugin to authenticate using OpenAM

Authenticates via OpenAM but does not log into WordPress #4

Closed johnarends closed 8 years ago

johnarends commented 8 years ago

I'm able to successfully authenticate with OpenAM after installing this plugin, but I then get stuck at the WordPress logon screen.

Local accounts in the WordPress system do not work.

Our OpenAM implementation does not have a value included for mail, just uid, so I suspect this might be why things are not behaving.

I tried pre-creating an account with the proper username and email address, but the plugin is probably unable to link to it because it is trying to match both uid and mail.

I'm assuming it is also unable to create a new account since wordpress requires an email address.

Documentation is pretty sparse at the moment. I'm willing to contribute if I can get this working.

marius-g commented 8 years ago

Aha, the plugin expects the mail value.

However, it looks like WordPress itself will accept accounts without an e-mail address: http://wordpress.stackexchange.com/questions/22754/user-without-email

So it should be able to get that going with some additional work. If you turn on the debug option the log file should help you find where it stops moving.

Note: We have a substantial upgrade of the plugin (like working SSO) in this pull request: https://github.com/ForgeRock/openam-authentication/pull/3

johnarends commented 8 years ago

This is what I'm seeing (sanitized):

openam_auth: TOKENID:AQIC5wM2LY4SfcxpraRX1Vd0iPwpyAb4AU5aDwuzvwUKd1o.*AAJTSQACMDUAAlNLABM3NTM2MzQ0Mjc0NzQ4OTI2MzIwAAJTMQACMDE.*
isSessionValid: Legacy Mode Enabled
isSessionValid: isValid Response: Array
(
    [headers] => Array
        (
            [server] => Apache-Coyote/1.1
            [cache-control] => no-store, no-cache, must-revalidate, max-age=0
            [pragma] => no-cache
            [set-cookie] => amlbcookie=02; Domain=.somewhere.edu; Path=/
            [content-type] => application/json;charset=UTF-8
            [content-length] => 16
            [date] => Mon, 11 Jan 2016 19:57:18 GMT
            [connection] => close
        )

    [body] => {"boolean":true}
    [response] => Array
        (
            [code] => 200
            [message] => OK
        )

    [cookies] => Array
        (
            [0] => WP_Http_Cookie Object
                (
                    [name] => amlbcookie
                    [value] => 02
                    [expires] => 
                    [path] => /
                    [domain] => .somewhere.edu
                )

        )

    [filename] => 
)

openam_auth: Authentication was succesful
getAttributesFromOpenAM: LEGACY ENABLED
getAttributesFromLegacyOpenAM: Attributes URL: https://websso-stage.somewhere.edu:443/amserver/identity/json/attributes?subjectid=AQIC5wM2LY4SfcxpraRX1Vd0iPwpyAb4AU5aDwuzvwUKd1o.*AAJTSQACMDUAAlNLABM3NTM2MzQ0Mjc0NzQ4OTI2MzIwAAJTMQACMDE.*&attributenames=uid&attributenames=mail
getAttributesFromLegacyOpenAM: RAW ATTRS RESPONSE: Array
(
    [headers] => Array
        (
            [server] => Apache-Coyote/1.1
            [cache-control] => no-store, no-cache, must-revalidate, max-age=0
            [pragma] => no-cache
            [set-cookie] => amlbcookie=02; Domain=.somewhere.edu; Path=/
            [content-type] => application/json;charset=UTF-8
            [content-length] => 115
            [date] => Mon, 11 Jan 2016 19:57:18 GMT
            [connection] => close
        )

    [body] => {"exception":{"message":"Identity jdoe123 of type user not found.","name":"com.sun.identity.idsvcs.GeneralFailure"}}
    [response] => Array
        (
            [code] => 500
            [message] => Internal Server Error
        )

    [cookies] => Array
        (
            [0] => WP_Http_Cookie Object
                (
                    [name] => amlbcookie
                    [value] => 02
                    [expires] => 
                    [path] => /
                    [domain] => .somewhere.edu
                )

        )

    [filename] => 
)

getAttributesFromLegacyOpenAM: ATTRIBUTES RESPONSE: Array
(
    [exception] => Array
        (
            [message] => Identity jdoe123 of type user not found.
            [name] => com.sun.identity.idsvcs.GeneralFailure
        )

)

openam_auth: UID: 
openam_auth: MAIL: 
loadUser: user object: 
loadUser: WP_User loaded: WP_User Object
(
    [data] => WP_Error Object
        (
            [errors] => Array
                (
                    [empty_user_login] => Array
                        (
                            [0] => Cannot create a user with an empty login name.
                        )

                )

            [error_data] => Array
                (
                )

        )

    [ID] => 0
    [caps] => Array
        (
        )

    [cap_key] => wp_capabilities
    [roles] => Array
        (
        )

    [allcaps] => Array
        (
        )

    [filter] => 
)

marius-g commented 8 years ago

Indeed, without the mail attribute the plugin will fail in a few places.

The getAttributesFromLegacyOpenAM: Attributes URL ends with "&attributenames=uid&attributenames=mail", which might be why it fails. (I'm no OpenAM expert, btw.)

forgerock1 commented 8 years ago

Try to remove all the references to mail then and try it out. If WordPress accepts the creation of users without mail, then it should work. OpenAM does not need the attribute mail to be populated either.
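The debug log above shows the two calls the plugin makes (isSessionValid, then the legacy attributes endpoint), the 500 `{"exception":...}` body it gets back, and the empty UID and MAIL it then carries into loadUser. The following is an added Python example, not the plugin's PHP and not code from anyone in this thread, of how that step should fail closed: the session check only passes on a 200 with `{"boolean":true}`, the attribute lookup raises on a non-200 status, an `exception` body, or a missing uid, mail is treated as optional (as forgerock1 suggests), and the SSO token is masked before it is written to the log, since the plugin's debug output prints the full tokenId and subjectid in clear. The session and error bodies are copied from the log; the successful attribute shape (`{"attributes":[{"name":...,"values":[...]}]}`) is an assumption, because the page only shows the failure case, and all sample responses are constructed rather than real traffic.

```python
"""Fail-closed handling of the legacy OpenAM calls seen in the debug log.

Added example in Python (the plugin itself is PHP). The isSessionValid body
and the 500 exception body are copied from the log; the successful attribute
response shape is an assumption.
"""
import json
import logging
import re
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("openam_auth")

# --- constructed sample responses (code, body); not real traffic -----------
SESSION_OK = (200, '{"boolean":true}')
SESSION_BAD = (200, '{"boolean":false}')
ATTRS_ERROR = (500, '{"exception":{"message":"Identity jdoe123 of type user not found.",'
                    '"name":"com.sun.identity.idsvcs.GeneralFailure"}}')
# Assumed success shape of /identity/json/attributes (the page shows only the failure).
ATTRS_OK = (200, '{"attributes":[{"name":"uid","values":["jdoe123"]},'
                 '{"name":"mail","values":["jdoe@somewhere.edu"]}]}')
ATTRS_NO_MAIL = (200, '{"attributes":[{"name":"uid","values":["jdoe123"]}]}')
ATTRS_NO_UID = (200, '{"attributes":[{"name":"mail","values":["jdoe@somewhere.edu"]}]}')

# Matches the token wherever the plugin's log prints it: "TOKENID:..." and "subjectid=...".
TOKEN_RE = re.compile(r"(subjectid=|TOKENID:)[^&\s]+")


def redact(line: str) -> str:
    """Mask the SSO token before a log line reaches disk."""
    return TOKEN_RE.sub(r"\1<redacted>", line)


class OpenAMError(Exception):
    pass


@dataclass(frozen=True)
class Identity:
    uid: str
    mail: Optional[str]  # optional: OpenAM need not populate mail


def session_is_valid(code: int, body: str) -> bool:
    """isSessionValid: only a 200 whose body says {"boolean": true} counts."""
    if code != 200:
        return False
    try:
        return json.loads(body).get("boolean") is True
    except (ValueError, AttributeError):
        return False


def parse_attributes(code: int, body: str) -> Identity:
    """Turn an attributes response into an Identity, or raise; never yield an empty uid."""
    if code != 200:
        raise OpenAMError(f"attributes endpoint returned HTTP {code}")
    try:
        data = json.loads(body)
    except ValueError as e:
        raise OpenAMError(f"attributes body is not JSON: {e}")
    if not isinstance(data, dict):
        raise OpenAMError("unexpected attributes body")
    if "exception" in data:  # the error shape from the log, even if it came back as 200
        exc = data["exception"]
        raise OpenAMError(f"{exc.get('name')}: {exc.get('message')}")
    values = {}
    for attr in data.get("attributes", []):
        vals = attr.get("values") or []
        if vals:
            values[attr.get("name")] = vals[0]
    uid = (values.get("uid") or "").strip()
    if not uid:
        raise OpenAMError("uid missing from attribute response")
    return Identity(uid=uid, mail=(values.get("mail") or "").strip() or None)


def attempt_login(token: str, session, attrs) -> Optional[Identity]:
    """Whole flow for one request; returns None (no WordPress login) on any failure."""
    log.debug(redact(f"openam_auth: TOKENID:{token}"))
    if not session_is_valid(*session):
        log.warning("session not valid; refusing login")
        return None
    try:
        return parse_attributes(*attrs)
    except OpenAMError as e:
        log.warning("attribute lookup failed; refusing login: %s", e)
        return None


if __name__ == "__main__":
    print(attempt_login("AQIC5w.*example.*", SESSION_OK, ATTRS_OK))
    print(attempt_login("AQIC5w.*example.*", SESSION_OK, ATTRS_NO_MAIL))
    print(attempt_login("AQIC5w.*example.*", SESSION_OK, ATTRS_ERROR))
```

The point of `attempt_login` returning `None` rather than an Identity with empty fields is that the caller has nothing to hand to WordPress's user creation; in the log above the only thing that stopped a login was WordPress itself rejecting the empty login name, which is the wrong layer to rely on.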