IdentityPython / oidc-op

An implementation of an OIDC Provider (OP)
Apache License 2.0

[SATOSA-oidcop] basic auth on token endpoint does not work #141

Closed melanger closed 2 years ago

melanger commented 2 years ago

I am trying to use the new OIDC frontend for SATOSA (pip install satosa_oidcop). When calling the token endpoint for exchanging an authorization code for an access token, using basic auth, it fails here:

https://github.com/IdentityPython/oidc-op/blob/754385f4db6348a2ed4472e9b10bfb47c20c9bee/src/oidcop/client_authn.py#L108

This line throws an exception, because self.server_get("endpoint_context").cdb is empty ({}). I found out that the frontend did not use mongodb storage at all with this config:

storage:
    class: "satosa.frontends.oidcop.storage.mongo.Mongodb"
    kwargs:
      url: "mongodb://host1,host2,host3/?authSource=satosa&replicaSet=production&tls=true&tlsCAFile=/usr/share/ca-certificates/extra/chain.crt&tlsCertificateKeyFile=/opt/certificate_and_key.pem"
      connection_params:
        username: "user"
        password: "pass"
    db_name: "satosa"
    collections:
      session: session
      client: client

I had to change it to this:

storage:
    class: "satosa_oidcop.core.storage.mongo.Mongodb"
    kwargs:
      url: "mongodb://host1,host2,host3/?authSource=satosa&replicaSet=production&tls=true&tlsCAFile=/usr/share/ca-certificates/extra/chain.crt&tlsCertificateKeyFile=/opt/certificate_and_key.pem"
      connection_params:
        username: "user"
        password: "pass"
    db_name: "satosa"
    collections:
      session: session
      client: client
op:
    server_info:
      client_db:
        class: "satosa_oidcop.core.storage.mongo.Mongodb"
        kwargs:
          storage_conf:
            db_name: "satosa"
            collections:
              session: session
              client: client
          url: "mongodb://host1,host2,host3/?authSource=satosa&replicaSet=production&tls=true&tlsCAFile=/usr/share/ca-certificates/extra/chain.crt&tlsCertificateKeyFile=/opt/certificate_and_key.pem"
          connection_params:
            username: "user"
            password: "pass"

Now it gets past the basic auth, it logs

https://github.com/IdentityPython/oidc-op/blob/a87177e7a5d0b40dcff11ed75b39a72bd2d3f015/src/oidcop/oauth2/authorization.py#L797

but then fails with:

{'error': 'server_error', 'error_description': "'dict' object is not callable", 'state': '...'}

which might be thrown from here:

https://github.com/IdentityPython/oidc-op/blob/a87177e7a5d0b40dcff11ed75b39a72bd2d3f015/src/oidcop/oauth2/authorization.py#L840

peppelinux commented 2 years ago

Hi @melanger This issue is due to the breaking changes in oidcop from v2.1.1 to v2.2.0, configuration related to scope/claims definitions.

See this working example if it helps https://github.com/italia/Satosa-Saml2Spid/blob/master/example/plugins/frontends/oidc_op_frontend.yaml

this is the diff https://github.com/italia/Satosa-Saml2Spid/commit/6e0c3b52dd87dbc7522f8237be1e62187c6606aa#diff-eee12cb55b3974de3ee724381ed9e28a5ed6c66d6c9412f781cbaf52e4a47210

@mdrew and I faced the same issues when upgrading to oidcop-2.2.0, let us know

feel free to open issues on this repository, you're welcome https://github.com/UniversitaDellaCalabria/SATOSA-oidcop

peppelinux commented 2 years ago

fixed here (thank you @melanger ): https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/issues/1

@rohe @nsklikas I have to check if there's something to improve in oidcop or just in my frontend

melanger commented 2 years ago

I was able to make it work, so there is probably no issue with oidc-op.

peppelinux commented 2 years ago

thank you @melanger, I'll probably take another week to have this checked in satosa-oidcop on my side

this exception MUST be handled in a proper way with a comprehensible message in the logs of the frontend
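As an added illustration of the handling the last comment asks for (this is not code from oidc-op or SATOSA-oidcop): parsing client_secret_basic credentials on a token endpoint and reporting an empty client database as a storage misconfiguration rather than letting a bare exception surface. CLIENT_DB, ClientAuthError and the function names are assumptions made for the example.

```python
import base64
import hmac
from urllib.parse import quote, unquote


# Constructed sample client database. In a real OP this comes from the
# configured storage backend; in the issue above it came back empty ({}).
CLIENT_DB = {
    "client-a": {"client_secret": "s3cr3t"},
    "svc/one": {"client_secret": "p:w%1"},  # needs form-urlencoding in Basic
}


class ClientAuthError(Exception):
    """Carries an operator-readable reason instead of a bare KeyError."""


def make_basic_header(client_id, secret):
    """Client side: form-urlencode id and secret, then base64 (RFC 6749 2.3.1)."""
    creds = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def parse_basic_header(header):
    """Return (client_id, client_secret) from an HTTP Basic Authorization header."""
    if not header or not header.startswith("Basic "):
        raise ClientAuthError("missing or non-Basic Authorization header")
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        raise ClientAuthError("Authorization header is not valid base64")
    if ":" not in raw:
        raise ClientAuthError("Basic credentials lack the ':' separator")
    client_id, secret = raw.split(":", 1)
    return unquote(client_id), unquote(secret)


def authenticate_basic(header, cdb):
    """Verify client_secret_basic credentials against the client database.

    Each failure names the actual cause, so an empty client DB (storage
    misconfiguration) is distinguishable in logs from wrong credentials."""
    if not cdb:
        raise ClientAuthError("client database is empty; check the storage configuration")
    client_id, secret = parse_basic_header(header)
    client = cdb.get(client_id)
    if client is None:
        raise ClientAuthError(f"unknown client_id {client_id!r}")
    expected = client.get("client_secret")
    # Constant-time comparison so secret checks do not leak timing information.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise ClientAuthError(f"invalid client_secret for client_id {client_id!r}")
    return client_id
```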