International-Data-Spaces-Association / omejdn-daps

Open Source implementation of the Dynamic Attribute Provisioning Service based on http://github.com/Fraunhofer-AISEC/omejdn-server
Apache License 2.0

Authorization for the administrative API at /api/v1/config #34

Open janniswarnat opened 1 year ago

janniswarnat commented 1 year ago

The Problem

My Setup

Docker containers as defined in compose.yml using omejdn server image version ghcr.io/fraunhofer-aisec/omejdn-server:dev

What I have done up front

I would like to retrieve an access token to access the administrative API as already discussed in #30. This works as explained by @bellebaum for the Postman Authorization tab (just for info: This only works when using the dev image, for version 1.7.1 and older I get error message No scopes granted). Additionally, I want to be able to retrieve the access token not via user login but using the client credentials grant. Here is my client definition for this (probably some of the fields are unnecessary):

- client_id: 27:48:80:58:6A:0D:BA:7D:53:57:20:2C:AF:2A:E4:F1:F8:23:32:74:keyid:27:48:80:58:6A:0D:BA:7D:53:57:20:2C:AF:2A:E4:F1:F8:23:32:74
  client_name: postman_client_cred
  client_secret: change_me
  grant_types: client_credentials
  token_endpoint_auth_method: client_secret_post
  scope:
  - omejdn:admin
  - idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
  attributes:
  - key: omejdn
    value: admin
  - key: idsc
    value: IDS_CONNECTOR_ATTRIBUTES_ALL
  - key: securityProfile
    value: idsc:BASE_SECURITY_PROFILE
  - key: referringConnector
    value: http://postman_client_cred.demo
  - key: "@type"
    value: ids:DatPayload
  - key: "@context"
    value: https://w3id.org/idsa/contexts/context.jsonld
  - key: transportCertsSha256
    value: cba9619f9595ea0d6eb5f5bb49499dfc367637c5fbd0779c7464ddd01db84869

What I expected to happen

I want to retrieve an access token using this request:

curl http://localhost/auth/token --data "grant_type=client_credentials&client_id=27:48:80:58:6A:0D:BA:7D:53:57:20:2C:AF:2A:E4:F1:F8:23:32:74:keyid:27:48:80:58:6A:0D:BA:7D:53:57:20:2C:AF:2A:E4:F1:F8:23:32:74&client_secret=change_me&scope=omejdn:admin"

What actually happened

I get an Internal server error, the stack trace shows:

daps-omejdn-server-1  | 2023-06-22 10:09:13 +0000 Unexpected error while processing request: undefined method `compact!' for nil:NilClass
daps-omejdn-server-1  |         /opt/lib/keys.rb:58:in `adapt_to_cert'
daps-omejdn-server-1  |         /opt/lib/keys.rb:69:in `ensure_usability'
daps-omejdn-server-1  |         /opt/lib/keys.rb:162:in `block in load_keys'
daps-omejdn-server-1  |         /opt/lib/keys.rb:144:in `map'
daps-omejdn-server-1  |         /opt/lib/keys.rb:144:in `load_keys'
daps-omejdn-server-1  |         /opt/lib/keys.rb:170:in `load_target_keys'
daps-omejdn-server-1  |         /opt/lib/plugins.rb:43:in `call'
daps-omejdn-server-1  |         /opt/lib/plugins.rb:43:in `block in fire'
[...]

The quest of trying to solve it

What were the results of searching for the error on the internet?

The compact method fails because usages is nil. The method adapt_to_cert tries to retrieve usages from certificate


which is the certificate of client postman_client_cred.

Important info: I tried to do the same using Docker image version 1.7.1 instead of dev and in this case my request successfully provides an access token that I then can use to access the administrative API:

curl http://localhost/auth/token --data "grant_type=client_credentials&client_id=27:48:80:58:6A:0D:BA:7D:53:57:20:2C:AF:2A:E4:F1:F8:23:32:74:keyid:27:48:80:58:6A:0D:BA:7D:53:57:20:2C:AF:2A:E4:F1:F8:23:32:74&client_secret=change_me&scope=omejdn:admin"


What is your best guess as to what might have happened?

I think this may be related to commit 93aa166842fbbeafdd740a9ece98e5431363e941 and subsequent changes. I do not quite understand what the method adapt_to_cert is supposed to do though. It would be great if you could provide any hints or advice.

@AnaCarolinaChaves Were you successful in using the administrative API after #30, maybe also using the client credentials grant instead of authorization code?

Thank you very much in advance!
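One plausible reading of undefined method `compact!' for nil:NilClass is that the client certificate carries no usage extension, so whatever adapt_to_cert reads from it comes back nil. The following Ruby snippet is an added illustration of that failure mode and of a nil-safe way to read the extension; it is not omejdn's keys.rb code, and build_test_cert and cert_usages are hypothetical helpers that work on a certificate constructed here rather than the one from the issue.

```ruby
require 'openssl'

# Build a self-signed test certificate (constructed here, not the
# certificate posted in the issue). with_usage controls whether an
# extendedKeyUsage extension is attached, which is the case the
# nil guard below has to handle.
def build_test_cert(with_usage:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=postman_client_cred.demo')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  if with_usage
    cert.add_extension(ef.create_extension('extendedKeyUsage',
                                           'clientAuth,serverAuth', false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the extendedKeyUsage purposes of a certificate as an array of
# strings, or an empty array when the extension is absent. Because it
# never returns nil, a caller that does usages.compact! cannot raise
# NoMethodError on a certificate that lacks the extension.
def cert_usages(cert)
  ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  return [] if ext.nil?
  ext.value.split(',').map(&:strip)
end

if __FILE__ == $PROGRAM_NAME
  puts "with usage:    #{cert_usages(build_test_cert(with_usage: true)).inspect}"
  puts "without usage: #{cert_usages(build_test_cert(with_usage: false)).inspect}"
end
```

A certificate generated with plain openssl defaults and no -addext has no extendedKeyUsage at all, which is exactly the input the guard returns [] for.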

AnaCarolinaChaves commented 1 year ago

Hello, sorry for the late reply.

I can still use the administrative API with docker image 1.7.1 and use the authorization code grant type.

I also tried to use your example and use the client credentials grant with Postman and was successful (using version 1.7.1). However, I needed to add the line redirect_uris: https://getpostman.com/oauth2/callback on the Postman client (file clients.yml).