search

NUWCDIVNPT / stig-manager

An API and client for managing STIG assessments
Other
120 stars 28 forks source link

Receive "Ext.Ajax.request() failed" when attempting to sign-in to a fresh installation of STIG Manager #1268

Closed SuperSaiyanMagenta closed 7 months ago

SuperSaiyanMagenta commented 7 months ago

Is there an existing issue for this?

Are you using the latest version of STIG Manager?

Where are you experiencing the issue?

Current Behavior

I'm currently attempting to stand-up a STIG Manager instance for my organization to utilize in conjunction with EvaluateSTIG.

=== CONFIGURATION ===

Expected Behavior

No response

Steps To Reproduce

-- I can go to the STIG-Manager URL which then redirects me to Keycloak for authentication.
-- I use an admin account to sign in and am redirected back to STIG-Manager. -- I then receive 'Ext.Ajax.request() failed' under the green shield STIG Manager logo.

Can you provide screenshots, logs, or other useful artifacts?

Describe your Environment

- Hosting: on-prem
- Browser: Firefox/Chrome
- OS: Windows 10
- Node:
- npm:
SuperSaiyanMagenta commented 7 months ago

Please le me know if there is anything else you need to help resolve this issue. Thanks again!

SuperSaiyanMagenta commented 7 months ago

Here are my logs, docker-compose, Dockerfile for Keycloak, and Nginx conf: kc-dockerfile.txt sm-nginx-conf.txt STIG.Manager.docker-compose.txt stigman-logs.txt

cd-rite commented 7 months ago

Hi @SuperSaiyanMagenta I think it might be related to this error from Keycloak in your logs: keycloak-1 | 2024-04-29 15:41:55,747 WARN [org.keycloak.services] (executor-thread-1) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request. I think this is somewhat new behavior for Keycloak.

You can have the client request this scope by setting the STIGMan envvar STIGMAN_CLIENT_EXTRA_SCOPES to include "openid"

Let us know if that resolves the issue!

SuperSaiyanMagenta commented 7 months ago

Thanks for the assistance with this issue!

I've added STIGMAN_CLIENT_EXTRA_SCOPES="openid" to my docker compose file under stigManager's ENV settings.

When I access STIG-Manager now, I just see a spinning circle and the logo for STIG Manager, but no redirect to Keycloak for authentication. I've attached my logs. stigman-logs(updated).txt

Is there a nominal version of Keycloak that I should use with STIG-Manager?

cd-rite commented 7 months ago

Hmmm... Can you try removing the quotes from around openid? If that doesn't work, are you able to open Devtools in chrome, to see if you are getting any errors in your browser? We should be compatible with all the later versions of keycloak ( at least 19+).

SuperSaiyanMagenta commented 7 months ago

I removed the quotes around openid as requested. Now I am redirected to keycloak for authentication. Once I authenticate via Keycloak, I'm back to the original error. I've attached updated log trace as well as a screenshot from chrome dev tools. Thanks again for the assist.

stigman-logs(30APR2024-1238).txt stigman-chrome-console-ajax-error

cd-rite commented 7 months ago

Hi @SuperSaiyanMagenta It looks like your Keycloak implementation is not providing the requested scopes in the access token. The instructions in the docs are just one way to configure this, but are written for an older version of Keycloak. However, the same configurations should be available in whichever version you use, just organized slightly differently. We have a keycloak 23 container you could spin up and log in to as admin for comparison (it's just doing username/pw, but the scopes should be assigned similarly): https://github.com/NUWCDIVNPT/stig-manager-auth admin password for this container here: https://hub.docker.com/r/nuwcdivnpt/stig-manager-auth

You'll need to add the scopes from the docs to the stig-manager client you create in keycloak, and ensure they are added to the token when token requests come from that client. There should be a screen that looks something like this: image showing which scopes the keycloak client configuration will accept.

StevenMcGann commented 7 months ago

I'm struggling with the same or similar issue. Pretty sure my scopes are set like you have for stig-manager-auth. I used that realm export to set up my configuration. I'm still troubleshooting though.

fyi I added "openid" to extra scopes and it didn't change that issue.

UPDATE: I'm not seeing that error today. I still have the "openid" in the extra scopes config.

cd-rite commented 7 months ago

@StevenMcGann Hmm, perhaps you were reusing a session created before you made other changes? Then, when you logged in today, it created a new session with the confguration changes you made? Either way, glad it's working now!

@SuperSaiyanMagenta If you're still having trouble, I'd cross-check with our sample container to check for relevant differences, and the keycloak docs.... From your logs, you are producing access tokens that do not have the proper scopes included. There are several ways to get them in there, depending on your other config settings, and the keycloak docs may help there.

Your token from logs:

{
    "exp": 1714498772,
    "iat": 1714498472,
    "auth_time": 1714498472,
    "jti": "f2519d0e-39d8-4e52-85b8-1d7dba012ca0",
    "iss": "https://stigs.domain.local/realms/stigman",
    "aud": "account",
    "sub": "e424d8c9-2832-4e9d-aca1-1c006241aef7",
    "typ": "Bearer",
    "azp": "stig-manager",
    "nonce": "a08765c4-0ec2-45e2-968c-79053fdcd519",
    "session_state": "be764962-679a-4099-a1a7-3b85afd21916",
    "acr": "1",
    "allowed-origins": [
      "/*"
    ],
    "realm_access": {
      "roles": [
        "offline_access",
        "create_collection",
        "admin",
        "default-roles-stigman",
        "uma_authorization",
        "user"
      ]
    },
    "resource_access": {
      "account": {
        "roles": [
          "manage-account",
          "manage-account-links",
          "view-profile"
        ]
      }
    },
----> "scope": "openid profile email",
    "sid": "be764962-679a-4099-a1a7-3b85afd21916",
    "email_verified": true,
    "name": "Stig Admin",
    "preferred_username": "stigadmin",
    "given_name": "Stig",
    "family_name": "Admin",
    "email": "stigadmin@domain.local"
        }

Token with proper scopes (the app is only looking for the "stig-manager" ones):

  "iat": 1714579854,
  "auth_time": 1714579853,
  "jti": "a34c802a-6da4-4f58-9e4f-9a0be8beecbe",
  "iss": "http://localhost:8080/realms/stigman",
  "aud": [
    "realm-management",
    "account"
  ],
  "sub": "bf87a16f-39e6-46d9-8971-f0ef51dd3f85",
  "typ": "Bearer",
  "azp": "stig-manager",
  "nonce": "61908713-a100-4b38-a863-4d9c195719cf",
  "session_state": "b5b07095-d594-4030-98de-2d75bb6773df",
  "realm_access": {
    "roles": [
      "create_collection",
      "default-roles-stigman",
      "admin",
      "user"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "view-users",
        "query-groups",
        "query-users"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
---->  "scope": "openid stig-manager:collection stig-manager:user:read stig-manager:op stig-manager:user stig-manager stig-manager:stig",
  "sid": "b5b07095-d594-4030-98de-2d75bb6773df",
  "clientId": "admin",
  "name": "Admin Burke",
  "preferred_username": "admin",
  "given_name": "Admin",
  "family_name": "Burke",
  "client_id": "admin"
}
SuperSaiyanMagenta commented 7 months ago

Copy that. I've been able to resolve this issue by just exporting the realm from the sample container and importing it into my production Keycloak v24 container. Once I did that, I was able to access STIG Manager. Thanks again for the support! We are really looking forward to utilizing this product in our environment! :)

cd-rite commented 7 months ago

@SuperSaiyanMagenta Great, I'll close this issue then! Just make sure you remove those sample users, etc. before you deploy to production!