International-Data-Spaces-Association / omejdn-daps

Open Source implementation of the Dynamic Attribute Provisioning Service based on http://github.com/Fraunhofer-AISEC/omejdn-server
Apache License 2.0

Client Unknown #25

Closed AnaCarolinaChaves closed 2 years ago

AnaCarolinaChaves commented 2 years ago

The Problem

When running the 'script/test.sh CERT_NAME' everything works fine.

Then, the certificate is sent to the connector machine (another machine) and the necessary files are configured. When running 'docker-compose up' the following error is thrown:

ERROR - PRODUCTIVE_DEPLOYMENT: No IDS-Message sent! No DAT could be acquired from DAPS! [code=(IMSCOE0001), reason=(Error connecting to DAPS (possibly currently not reachable or wrong DAPS-URL): Unexpected code Response{protocol=http/1.1, code=400, message=Bad Request, url=http://<MACHINE_NAME>:4567/auth/token} Body: {"error":"invalid_client","error_description":"Client unknown"})]
2022-06-02T12:19:58,987 [https-jsse-nio-8080-exec-4] WARN - Connection to DAPS could not be established. [exception=(Error connecting to DAPS (possibly currently not reachable or wrong DAPS-URL): Unexpected code Response{protocol=http/1.1, code=400, message=Bad Request, url=http://<MACHINE_NAME>:4567/auth/token} Body: {"error":"invalid_client","error_description":"Client unknown"})]
2022-06-02T12:19:58,987 [https-jsse-nio-8080-exec-4] WARN - Failed to build ids message. [exception=(The dat may not be null.)]
2022-06-02T12:19:58,991 [https-jsse-nio-8080-exec-4] ERROR - An unhandled exception has been caught. [exception=(Failed to build ids message.)]

My Setup

I have two virtual machines. The DAPS is in one and the connectors in another. The connectors are running with TLS.

What I have done up front

My connectors environment variables for the DAPS are:

- 'DAPS_URL=http://<MACHINE_NAME>:4567'
- 'DAPS_TOKEN_URL=http://<MACHINE_NAME>:4567/auth/token'
- 'DAPS_KEY_URL=http://<MACHINE_NAME>:4567/auth/jwks.json'
- 'DAPS_INCOMING_DAT_DEFAULT_WELLKNOWN=/jwks.json'

bellebaum commented 2 years ago

Thanks for your issue. Omejdn seems to have trouble authenticating your client. Can you give me the output of docker-compose logs <omejdn's service> for diagnosis please?

AnaCarolinaChaves commented 2 years ago

The output of the daps_omejdn-server container output is:

68.16.4 - - [02/Jun/2022:12:57:03 +0000] "GET /.well-known/oauth-authorization-server HTTP/1.1" 200 5427 0.0221
192.168.16.4 - - [02/Jun/2022:12:57:03 +0000] "POST /token HTTP/1.1" 200 1592 0.0176
192.168.16.4 - - [02/Jun/2022:13:01:33 +0000] "POST /token HTTP/1.1" 400 63 0.0766
192.168.16.4 - - [02/Jun/2022:13:01:36 +0000] "POST /token HTTP/1.1" 400 63 0.0039
192.168.16.4 - - [02/Jun/2022:13:01:53 +0000] "POST /token HTTP/1.1" 400 63 0.0075
192.168.16.4 - - [02/Jun/2022:13:01:55 +0000] "POST /token HTTP/1.1" 400 63 0.0041

bellebaum commented 2 years ago

Omejdn seems unable to find the connector. How did you configure your clients in Omejdn? What does config/clients.yml say? Have you mounted that file into the docker container?

AnaCarolinaChaves commented 2 years ago

I already tried to configure the clients in two different ways. The one I'm using right now was by running the script/register_client.sh conn_producer.

My `config/clients.yml` is:

---
- client_id: adminUI
  client_name: Omejdn Admin UI
  client_uri: http://localhost
  logo_uri: http://localhost/assets/img/fhg.jpg
  grant_types: authorization_code
  software_id: Omejdn Admin UI
  software_version: 0.0.0
  token_endpoint_auth_method: none
  redirect_uris: http://localhost
  post_logout_redirect_uris: http://localhost
  scope:
  - openid
  - omejdn:admin
  - omejdn:write
  - omejdn:read
  attributes: []
- client_id: C7:07:05:0B:E1:6A:27:60:4C:B9:77:80:67:5E:1E:21:02:6E:B9:62:keyid:C7:07:05:0B:E1:6A:27:60:4C:B9:77:80:67:5E:1E:21:02:6E:B9:62
  client_name: conn_producer2
  grant_types: client_credentials
  token_endpoint_auth_method: private_key_jwt
  scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
  attributes:
  - key: idsc
    value: IDS_CONNECTOR_ATTRIBUTES_ALL
  - key: securityProfile
    value: idsc:BASE_SECURITY_PROFILE
  - key: referringConnector
    value: http://conn_producer2.demo
  - key: "@type"
    value: ids:DatPayload
  - key: "@context"
    value: https://w3id.org/idsa/contexts/context.jsonld
  - key: transportCertsSha256
    value: 83e759fe21299923913cf33f9e6917cc14dd2e3fffe111c5ae3cda78469906b8
- client_id: C9:36:74:B1:8F:7D:76:C2:4A:5A:24:03:36:0C:43:7B:36:83:8C:D2:keyid:C9:36:74:B1:8F:7D:76:C2:4A:5A:24:03:36:0C:43:7B:36:83:8C:D2
  client_name: prod
  grant_types: client_credentials
  token_endpoint_auth_method: private_key_jwt
  scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
  attributes:
  - key: idsc
    value: IDS_CONNECTOR_ATTRIBUTES_ALL
  - key: securityProfile
    value: idsc:BASE_SECURITY_PROFILE
  - key: referringConnector
    value: http://prod.demo
  - key: "@type"
    value: ids:DatPayload
  - key: "@context"
    value: https://w3id.org/idsa/contexts/context.jsonld
  - key: transportCertsSha256
    value: 5ec789f76f6e8deb6bb2c9eeb7c950b3df5344dbba56be1053c430dfcbdf5ce2

The docker compose is:

version: '3.5'
services:

  nginx:
    image: nginx:latest
    restart: unless-stopped
    ports:
      - 4567:80
      - 4431:443
    environment:
      - OMEJDN_DOMAIN=${OMEJDN_DOMAIN}
      - OMEJDN_PATH=${OMEJDN_PATH}
      - UI_PATH=${UI_PATH}
    volumes:
      - ./nginx.${OMEJDN_ENVIRONMENT}.conf:/etc/nginx/templates/default.conf.template
      - ./${TLS_CERT}:/etc/nginx/daps.cert
      - ./${TLS_KEY}:/etc/nginx/daps.key

  omejdn-server:
    image: ghcr.io/fraunhofer-aisec/omejdn-server:${OMEJDN_VERSION}
    restart: unless-stopped
    environment:
      - OMEJDN_ISSUER=${OMEJDN_ISSUER}
      - OMEJDN_FRONT_URL=${OMEJDN_ISSUER}
      - OMEJDN_OPENID=true
      - OMEJDN_ENVIRONMENT=${OMEJDN_ENVIRONMENT}
      - OMEJDN_ACCEPT_AUDIENCE=idsc:IDS_CONNECTORS_ALL
      - OMEJDN_DEFAULT_AUDIENCE=idsc:IDS_CONNECTORS_ALL
      - OMEJDN_ADMIN=${ADMIN_USERNAME}:${ADMIN_PASSWORD}
    volumes:
      - ./config:/opt/config
      - ./keys:/opt/keys

  omejdn-ui:
    image: ghcr.io/fraunhofer-aisec/omejdn-ui:${UI_VERSION}
    restart: unless-stopped
    environment:
      - OIDC_ISSUER=${OMEJDN_ISSUER}
      - API_URL=${OMEJDN_ISSUER}/api/v1
      - CLIENT_ID=adminUI

bellebaum commented 2 years ago

Those files seem fine. Which Connector implementation are you using? Do you have some way of capturing the request which is sent by the connector? E.g. Wireshark might help with this.

For diagnosis: Omejdn seems to run into an issue here, which means that the two possible reasons for this error are

AnaCarolinaChaves commented 2 years ago

I'm using a Dataspace Connector. Right now I don't have a way of capturing the request, but I can install Wireshark, for example.

AnaCarolinaChaves commented 2 years ago

So, just to check the setup:

  1. Start the DAPS server with docker compose

  2. scripts/register_connector.sh conn_producer2

  3. Create a .p12 file from the files generated by the script

  4. Copy .p12 file to the connector config directory

  5. Connector-docker compose:

     - 'server.ssl.key-store=file:///tmp/conf/conn_producer2.p12'
     - 'server.ssl.key-store-password=<PASSWORD>'
     - 'DAPS_URL=http://<MACHINE_NAME>:4567'
     - 'DAPS_TOKEN_URL=http://<MACHINE_NAME>:4567/auth/token'
     - 'DAPS_KEY_URL=http://<MACHINE_NAME>:4567/auth/jwks.json'
     - 'DAPS_INCOMING_DAT_DEFAULT_WELLKNOWN=/jwks.json'
     - 'server.ssl.enabled=true'

  6. Connector config:

     "ids:keyStore" : {
       "@id" : "file:///tmp/conf/conn_producer2.p12"
     }

  7. Start connector containers

bellebaum commented 2 years ago

I have recreated the steps 1 - 2 and run the scripts/test.sh script, which executed without error as you mentioned in your Issue.

All that test script does is read in the key and certificate, figure out the token endpoint (/auth/token) and send out a request just as a connector would. Hence, this is no problem with Omejdn or its configuration. But there are a few things to watch out for:

If you are using the production setup (which you do not seem to, since you are not using TLS on port 4567), contacting the DAPS via plain HTTP will redirect the request to HTTPS, which may destroy the request payload since that is only partially allowed for POST-Requests. Again, this should not be the problem in your case.

I am not familiar with the connector. Maybe there is a problem there.

In any case, network traffic should be useful.
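The request the test script and the connector send is a private_key_jwt client authentication against POST /token: a JWT signed with the connector's private key whose iss/sub is the client_id registered in config/clients.yml (the "<SKI>:keyid:<AKI>" string derived from the connector certificate, as in the clients.yml posted above), and "Client unknown" is what comes back when that iss matches no registered client_id. The following is an added, self-contained Ruby example (not Omejdn's code and not the Dataspace Connector's): it builds a constructed self-signed connector certificate, derives the client_id from its SKI/AKI extensions, signs the client assertion, and runs a hypothetical, simplified version of the DAPS-side lookup to show which mismatches produce "Client unknown" as opposed to a signature or audience failure. The audience idsc:IDS_CONNECTORS_ALL is taken from OMEJDN_ACCEPT_AUDIENCE in the compose file above; the error descriptions other than "Client unknown" are mine, not Omejdn's.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# --- Certificate side --------------------------------------------------------

# Constructed self-signed connector certificate carrying the subjectKeyIdentifier
# and authorityKeyIdentifier extensions the client_id is derived from. A real
# deployment uses the key/cert produced by scripts/register_connector.sh instead.
def self_signed_connector_cert(key, common_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always', false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

HEX_BYTES = /([0-9A-F]{2}(?::[0-9A-F]{2})+)/i

# client_id = "<SKI>:keyid:<AKI>", the same shape as the entries in config/clients.yml.
def daps_client_id(cert)
  ski = cert.extensions.find { |e| e.oid == 'subjectKeyIdentifier' }
  aki = cert.extensions.find { |e| e.oid == 'authorityKeyIdentifier' }
  raise 'certificate lacks subjectKeyIdentifier/authorityKeyIdentifier' unless ski && aki
  "#{ski.value[HEX_BYTES, 1].upcase}:keyid:#{aki.value[HEX_BYTES, 1].upcase}"
end

# --- Connector side: private_key_jwt (RFC 7523) -------------------------------

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# RS256-signed client assertion; iss and sub must equal the registered client_id.
def client_assertion(key, client_id, audience, now: Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { iss: client_id, sub: client_id, aud: audience,
              iat: now, nbf: now, exp: now + 60, jti: SecureRandom.uuid }
  signing_input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Form fields of the POST /token request the connector sends.
def token_request_form(assertion, scope: 'idsc:IDS_CONNECTOR_ATTRIBUTES_ALL')
  { 'grant_type' => 'client_credentials',
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => assertion,
    'scope' => scope }
end

# --- DAPS side: hypothetical, simplified lookup -------------------------------

# `clients` mirrors clients.yml: each entry has the registered client_id and the
# certificate whose public key verifies the assertion. The iss lookup happens
# before any signature check, which is why an unregistered id yields
# "Client unknown" even when the assertion itself is perfectly valid.
def authenticate_client(clients, form, audience)
  head_b64, body_b64, sig_b64 = form['client_assertion'].split('.')
  claims = JSON.parse(b64url_decode(body_b64))
  client = clients.find { |c| c[:client_id] == claims['iss'] }
  return { error: 'invalid_client', error_description: 'Client unknown' } unless client
  valid = client[:cert].public_key.verify(OpenSSL::Digest.new('SHA256'),
                                          b64url_decode(sig_b64), "#{head_b64}.#{body_b64}")
  return { error: 'invalid_client', error_description: 'Bad assertion signature' } unless valid
  return { error: 'invalid_client', error_description: 'Bad audience' } unless claims['aud'] == audience
  { ok: true, client_id: client[:client_id] }
end

if __FILE__ == $PROGRAM_NAME
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = self_signed_connector_cert(key, 'conn_producer2')
  cid  = daps_client_id(cert)
  form = token_request_form(client_assertion(key, cid, 'idsc:IDS_CONNECTORS_ALL'))
  puts "client_id: #{cid}"
  p authenticate_client([{ client_id: cid, cert: cert }], form, 'idsc:IDS_CONNECTORS_ALL')
end
```

A practical check when debugging this error: decode the middle segment of the client_assertion the connector actually sends (it is only base64url, not encrypted) and compare its iss with the client_id column of clients.yml byte for byte; a connector that derives its id from a different certificate than the one registered, or that omits the ":keyid:" AKI half, is looked up and rejected before its signature is ever examined.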

AnaCarolinaChaves commented 2 years ago

I'm using the DAPS in the development setup. I'm using the connector in the production setup.

AnaCarolinaChaves commented 2 years ago

The problem was with the connectors. I was able to fix it. Thank you.