Closed davidhcar closed 4 months ago
Looks like I need to use either OpenID (OAuth2 /authorize) or SAML?
You have the following options depending on AD type:
Most of the configuration you should do on the WebAPI side. See the documentation: https://github.com/OHDSI/WebAPI/wiki/Security-Configuration#webapi-security-configuration
Thank you @konstjar. The URL of authProviders should be the same as the API <security.oid.url>.
Is that correct? And could this URL in the Atlas UI be empty, as this is coming from the API?
configLocal.userAuthenticationEnabled = true;
configLocal.authProviders = [
{
"name": "OpenID",
"url": "user/login/ad",
"ajax": true,
"icon": "fa fa-cubes",
"isUseCredentialsForm": false
}];
Realized the URL on the client side does not change. I got the authentication flow working; however, the UI is still not recognizing the token and still throws 401 for the WebAPI/user/me endpoint. So the sign-in link remains the same and no other features that require successful authentication can be accessed throughout the app.
Appreciate an insight into this. Thank you in advance!
ERROR http-nio-8080-exec-3 org.ohdsi.webapi.shiro.filters.ExceptionHandlerFilter - [] - Error during filtering
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
This is the error seen in the log.
As I see from your ATLAS configuration, the url is incorrect. In case of OpenID, you should use "user/login/openid".
configLocal.authProviders = [
{
"name": "OpenID",
"url": "user/login/openid",
"ajax": true,
"icon": "fa fa-cubes",
"isUseCredentialsForm": false
}];
Thank you @konstjar. It is OpenId in the URL I am using; that was a typo in the comment. The AAD authentication flow is working; however, the session is not established, which is the error I posted in the previous post.
Here are the headers on the /WebAPI/user/me call from the UI:
GET /WebAPI/user/me HTTP/1.1
Host: {APIHostname}
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Accept: */*
Action-Location: https://{UiHostname}/atlas/#/home/OidcClient/{token issued from Azure OpenID Auth flow}/%2Fhome
Sec-Ch-Ua-Mobile: ?0
Authorization: null
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: {UiHostname}
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {UiHostname}/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
@davidhcar I think this issue is resolved based on reading OHDSI/WebAPI#2268 so I'm closing this out. If this is not correct, please re-open and let me know. Thanks!
Is it possible to use an Azure-based Active Directory solution? The closest configuration I see is this,
However, the configuration for AAD needs more than the URL parameter; see the configuration below (https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa#configure-the-javascript-spa).
Could someone please provide guidance on configuring Atlas to use Azure Active Directory? If there is sample code, that would be great! Also, how do I configure WebAPI to align with AAD-based access?