OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0

OpenID Session not established at Atlas UI with Azure AD #2268

Closed davidhcar closed 1 year ago

davidhcar commented 1 year ago

Expected behavior

Atlas UI to establish session

Actual behavior

No session is established in the UI, and the console shows /WebAPI/user/me returning 401. This error is identical to the one in the closed issue https://github.com/OHDSI/WebAPI/issues/1711. I also tried the workaround mentioned in that issue, even though at this point, with 2.13.0, that workaround is unnecessary.

Steps to reproduce behavior

By implementing OpenID with Azure AD.

See the issue here for the errors: https://github.com/OHDSI/Atlas/issues/2855

konstjar commented 1 year ago

Can you please list the pom.xml variables that you configured for OpenId, without tokens/keys? We have a number of instances working fine without any issues. It looks like a configuration issue.

davidhcar commented 1 year ago

Sure, here is the configuration:

```properties
security.provider=AtlasRegularSecurity
security.cors.enabled=true
security.token.expiration=43200
security.origin=*
security.ssl.enabled=false
security.oid.clientId=xxxxx
security.oid.apiSecret=xxxxx
security.oid.url=https://login.microsoftonline.com/xxxxx/v2.0/.well-known/openid-configuration
security.oid.redirectUrl=https://xxx.xxx.xxx/atlas/#/home
security.oauth.callback.api=https://xxx.xxx.xxx/WebAPI/user/oauth/callback
security.oauth.callback.ui=https://xxx.xxx.xxx/atlas/#/home
security.oauth.callback.urlResolver=path
security.oauth.callback.urlResolver=https://xxx.xxx.xxx/atlas/#/home
```

Tested with /null as well.

konstjar commented 1 year ago

I just checked to see the difference. We use the following values:

```properties
security.oid.redirectUrl=https://<dns_name>/index.html#/welcome/
security.oid.extraScopes=profile email
security.oauth.callback.api=https://<dns_name>/WebAPI/user/oauth/callback?client_name=OidcClient
security.oauth.callback.ui=https://<dns_name>/#/welcome
```

and we do not set the security.oauth.callback.urlResolver option (the default value is used).

Also, you need to verify that Azure sends the email address in the response.
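The two configurations above differ in a handful of details that are easy to miss by eye: a repeated urlResolver key, no extraScopes, and a callback.api without the client_name query parameter. The following script, an added example that is not OHDSI code, encodes those differences as checks over a WebAPI-style properties fragment, and also decodes an id_token payload so an operator can confirm that Azure actually sent an email claim. Property names are the ones used in this thread; the finding codes, the hostname atlas.example.org, the sample configs and the sample tokens are constructed for the example. The client_name rule is taken from the working values posted above, not from WebAPI documentation, and the token decoder deliberately performs no signature verification, so it is for inspection only.

```python
"""Consistency checks for the WebAPI OpenID (Azure AD) settings in this thread.

Added example, not OHDSI code. Property names come from the thread; the rules
mirror the working values posted by konstjar and the differences in the first
config. Sample configs and tokens below are constructed, not captured."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Keys both configs in the thread set; treated as required here (assumption).
REQUIRED = (
    "security.oid.clientId", "security.oid.apiSecret", "security.oid.url",
    "security.oid.redirectUrl", "security.oauth.callback.api",
    "security.oauth.callback.ui",
)


def parse_properties(text):
    """Parse key=value lines. Returns (props, duplicate_keys); the last value
    wins, which is what java.util.Properties does with a repeated key."""
    props, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props:
            dups.append(key)
        props[key] = value
    return props, dups


def site(url):
    """scheme://host of a URL, ignoring path, query and the #/route fragment."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def lint_oidc_config(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    props, dups = parse_properties(text)
    findings = [f"duplicate-key:{k}" for k in dups]
    findings += [f"missing:{k}" for k in REQUIRED if k not in props]
    scopes = props.get("security.oid.extraScopes", "").split()
    if "email" not in scopes:
        # Azure AD only includes the email claim when the email scope is requested.
        findings.append("extraScopes:email-not-requested")
    api = props.get("security.oauth.callback.api", "")
    if "client_name" not in parse_qs(urlsplit(api).query):
        # The working config above carries ?client_name=OidcClient on the API callback.
        findings.append("callback.api:no-client_name")
    ui = props.get("security.oauth.callback.ui", "")
    redirect = props.get("security.oid.redirectUrl", "")
    if api and ui and redirect and len({site(api), site(ui), site(redirect)}) != 1:
        findings.append("callback:origin-mismatch")
    if props.get("security.cors.enabled") == "true" and props.get("security.origin") == "*":
        # Not a login failure, but a wildcard CORS origin on an API that issues
        # session tokens is worth tightening once SSO works.
        findings.append("cors:wildcard-origin")
    return findings


def id_token_claims(token):
    """Decode a JWT payload WITHOUT verifying it. Use only to see which claims
    the provider sent; never trust the result for authorization decisions."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_present(token):
    return bool(id_token_claims(token).get("email"))


def constructed_id_token(claims):
    """Build an unsigned token shaped like an id_token, for offline tests only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed to mirror the first config posted in the thread.
FIRST_CONFIG = """\
security.provider=AtlasRegularSecurity
security.cors.enabled=true
security.origin=*
security.oid.clientId=xxxxx
security.oid.apiSecret=xxxxx
security.oid.url=https://login.microsoftonline.com/xxxxx/v2.0/.well-known/openid-configuration
security.oid.redirectUrl=https://xxx.xxx.xxx/atlas/#/home
security.oauth.callback.api=https://xxx.xxx.xxx/WebAPI/user/oauth/callback
security.oauth.callback.ui=https://xxx.xxx.xxx/atlas/#/home
security.oauth.callback.urlResolver=path
security.oauth.callback.urlResolver=https://xxx.xxx.xxx/atlas/#/home
"""

# Constructed from the working values posted above, with a made-up hostname.
WORKING_CONFIG = """\
security.provider=AtlasRegularSecurity
security.cors.enabled=true
security.origin=https://atlas.example.org
security.oid.clientId=xxxxx
security.oid.apiSecret=xxxxx
security.oid.url=https://login.microsoftonline.com/xxxxx/v2.0/.well-known/openid-configuration
security.oid.redirectUrl=https://atlas.example.org/index.html#/welcome/
security.oid.extraScopes=profile email
security.oauth.callback.api=https://atlas.example.org/WebAPI/user/oauth/callback?client_name=OidcClient
security.oauth.callback.ui=https://atlas.example.org/#/welcome
"""

if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("working", WORKING_CONFIG)):
        print(name, lint_oidc_config(cfg) or "ok")
```

Run it against the real pom.xml values before opening an issue: the linter points at the config line to fix, and feeding id_token_claims a token copied from the browser's network tab shows whether the email claim is actually in the response or whether the provider still needs the email scope.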

davidhcar commented 1 year ago

@konstjar Thank you. The #welcome and index.html in the URL made a difference; the session is now getting established with the name. Is security.oid.extraScopes=profile email not a default value? Wondering if this should be specified in the config.

I wanted to see if there is a way to redirect directly to the login page without the modal window that has a button to log in via "OpenID". The modal window helps when the app is configured to use multiple providers. Is it possible to avoid the modal with one provider?

chrisknoll commented 1 year ago

I think it makes sense that if only one auth provider is available, the modal should be bypassed and the single auth method invoked.

But, this should be addressed in a separate issue/PR.

RowanErasmus commented 1 year ago

@davidhcar @chrisknoll
We are using Azure AD for authentication in Atlas (and many other places) and are also interested in making more effective use of single sign-on. I've made a PR, https://github.com/OHDSI/Atlas/pull/2861, that will automatically sign in users who already have a session with the auth provider.

RowanErasmus commented 1 year ago

I'm closing this issue. The initial question seems to have been resolved, and the new feature request that followed has been implemented here: https://github.com/OHDSI/Atlas/pull/2861