OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0

OpenIDC connection does not grant Permissions in Atlas #2391

Open shorrocka opened 2 months ago

shorrocka commented 2 months ago

Expected behavior

We have connected Atlas with Auth0 using OpenIDC and can successfully login after passing our credentials thru Auth0 before being redirected to Atlas with our login information appearing. We should then be able to access anything we have been given permission to based on database roles.

Actual behavior

We have no access to anything regardless of the roles in the database; my user is set to have Admin rights but cannot access anything within the system.

 user_id | login              | role_id | role_name
---------+--------------------+---------+--------------------
    1000 | shorrocka@chop.edu |    1002 | shorrocka@chop.edu
    1000 | shorrocka@chop.edu |       1 | public
    1000 | shorrocka@chop.edu |       2 | admin
    1000 | shorrocka@chop.edu |      10 | Atlas users

[Screenshot 2024-09-10 at 1 29 22 PM]

Steps to reproduce behavior

We setup security with the following settings:

<security.provider>AtlasRegularSecurity</security.provider>
<security.auth.openid.enabled>true</security.auth.openid.enabled>
<security.oid.clientId>[Redacted]</security.oid.clientId>
<security.oid.apiSecret>[Redacted]</security.oid.apiSecret>
<security.oid.url>[Redacted]/.well-known/openid-configuration</security.oid.url>
<security.oid.redirectUrl>[Redacted]/Atlas/#/welcome</security.oid.redirectUrl>
<security.oid.extraScopes>email</security.oid.extraScopes>
<security.oauth.callback.api>[Redacted]/WebAPI/user/oauth/callback</security.oauth.callback.api>
<security.oauth.callback.ui>[Redacted]/Atlas/#/welcome</security.oauth.callback.ui>

We then can see the login information coming from the log with debug set for shiro:

2024-09-10 17:23:08.775 DEBUG http-nio-8080-exec-1 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:08.834 DEBUG http-nio-8080-exec-5 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:08.837 DEBUG http-nio-8080-exec-2 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:08.960 DEBUG http-nio-8080-exec-4 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:11.393 DEBUG http-nio-8080-exec-3 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:26.023 DEBUG http-nio-8080-exec-6 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:26.679 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JwtAuthRealm@6697968] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.679 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.realm.AuthenticatingRealm - [] - Looked up AuthenticationInfo [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|[Redacted] | attributes: {sub=auth0|66abb1ce64e17c3ebbc4b2a8, email_verified=true, https://example.com/email=shorrocka@chop.edu, amr=["mfa"], id_token=[Redacted], iss=https://[Redacted].us.auth0.com/, nonce=yzlKn5TWVZYbAyCxwikkX3rlwpD0UU9Tp2l6kY2t86k, sid=Tx9t9PNplKSpJ1DHLe6aXSC4ZXD8MM3M, access_token=[Redacted], token_expiration_advance=-1, aud=[64IGDkG32341vCH7lUnzZvTA05IuRHnd], acr=http://schemas.openid.net/pape/policies/2007/06/multi-factor, exp=Wed Sep 11 03:23:26 UTC 2024, iat=Tue Sep 10 17:23:26 UTC 2024, email=shorrocka@chop.edu} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |] from doGetAuthenticationInfo
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.realm.AuthenticatingRealm - [] - AuthenticationInfo caching is disabled for info [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|66abb1ce64e17c3ebbc4b2a8 | attributes: {sub=auth0|66abb1ce64e17c3ebbc4b2a8, email_verified=true, https://example.com/email=shorrocka@chop.edu, amr=["mfa"], id_token=[Redacted], iss=https://[Redacted].us.auth0.com/, nonce=yzlKn5TWVZYbAyCxwikkX3rlwpD0UU9Tp2l6kY2t86k, sid=Tx9t9PNplKSpJ1DHLe6aXSC4ZXD8MM3M, access_token=[Redacted], token_expiration_advance=-1, aud=[64IGDkG32341vCH7lUnzZvTA05IuRHnd], acr=http://schemas.openid.net/pape/policies/2007/06/multi-factor, exp=Wed Sep 11 03:23:26 UTC 2024, iat=Tue Sep 10 17:23:26 UTC 2024, email=shorrocka@chop.edu} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |].  Submitted token: [io.buji.pac4j.token.Pac4jToken@29dfedb7].
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Performing credentials equality check for tokenCredentials of type [java.lang.Integer and accountCredentials of type [java.lang.Integer]
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JdbcAuthRealm@4089eb96] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.KerberosAuthRealm@73b6efce] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.LdapRealm@729c6363] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.ADRealm@6900f30d] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@29dfedb7].  Returned account [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|66abb1ce64e17c3ebbc4b2a8 | attributes: {sub=auth0|66abb1ce64e17c3ebbc4b2a8, email_verified=true, https://example.com/email=shorrocka@chop.edu, amr=["mfa"], id_token=[Redacted], iss=https:/[Redacted]us.auth0.com/, nonce=yzlKn5TWVZYbAyCxwikkX3rlwpD0UU9Tp2l6kY2t86k, sid=Tx9t9PNplKSpJ1DHLe6aXSC4ZXD8MM3M, access_token=[Redacted], token_expiration_advance=-1, aud=[64IGDkG32341vCH7lUnzZvTA05IuRHnd], acr=http://schemas.openid.net/pape/policies/2007/06/multi-factor, exp=Wed Sep 11 03:23:26 UTC 2024, iat=Tue Sep 10 17:23:26 UTC 2024, email=shorrocka@chop.edu} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |]
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.mgt.DefaultSecurityManager - [] - Context already contains a session.  Returning.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.web.servlet.SimpleCookie - [] - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/WebAPI; Max-Age=0; Expires=Mon, 09-Sep-2024 17:23:26 GMT; SameSite=lax]
2024-09-10 17:23:26.682 DEBUG http-nio-8080-exec-6 org.apache.shiro.mgt.AbstractRememberMeManager - [] - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2024-09-10 17:23:26.742 DEBUG http-nio-8080-exec-7 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:30.982 DEBUG http-nio-8080-exec-10 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:31.035 DEBUG http-nio-8080-exec-1 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:31.059 DEBUG http-nio-8080-exec-2 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:31.060 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthenticatingRealm - [] - Looked up AuthenticationInfo [shorrocka@chop.edu] from doGetAuthenticationInfo
2024-09-10 17:23:31.060 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthenticatingRealm - [] - AuthenticationInfo caching is disabled for info [shorrocka@chop.edu].  Submitted token: [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e].
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Performing credentials equality check for tokenCredentials of type [java.lang.String and accountCredentials of type [java.lang.String]
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [io.buji.pac4j.realm.Pac4jRealm@7702a004] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JdbcAuthRealm@4089eb96] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.KerberosAuthRealm@73b6efce] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.LdapRealm@729c6363] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.ADRealm@6900f30d] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e].  Returned account [shorrocka@chop.edu]
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.web.servlet.SimpleCookie - [] - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/WebAPI; Max-Age=0; Expires=Mon, 09-Sep-2024 17:23:31 GMT; SameSite=lax]
2024-09-10 17:23:31.063 DEBUG http-nio-8080-exec-2 org.apache.shiro.mgt.AbstractRememberMeManager - [] - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2024-09-10 17:23:31.063 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthorizingRealm - [] - No authorizationCache instance set.  Checking for a cacheManager...
2024-09-10 17:23:31.063 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthorizingRealm - [] - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
2024-09-10 17:23:31.334 DEBUG http-nio-8080-exec-5 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:33.634 DEBUG http-nio-8080-exec-4 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:33.638 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthenticatingRealm - [] - Looked up AuthenticationInfo [shorrocka@chop.edu] from doGetAuthenticationInfo
2024-09-10 17:23:33.639 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthenticatingRealm - [] - AuthenticationInfo caching is disabled for info [shorrocka@chop.edu].  Submitted token: [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25].
2024-09-10 17:23:33.639 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Performing credentials equality check for tokenCredentials of type [java.lang.String and accountCredentials of type [java.lang.String]
2024-09-10 17:23:33.639 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [io.buji.pac4j.realm.Pac4jRealm@7702a004] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JdbcAuthRealm@4089eb96] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.KerberosAuthRealm@73b6efce] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.LdapRealm@729c6363] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.ADRealm@6900f30d] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25].  Returned account [shorrocka@chop.edu]
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.web.servlet.SimpleCookie - [] - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/WebAPI; Max-Age=0; Expires=Mon, 09-Sep-2024 17:23:33 GMT; SameSite=lax]
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.mgt.AbstractRememberMeManager - [] - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthorizingRealm - [] - No authorizationCache instance set.  Checking for a cacheManager...
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthorizingRealm - [] - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
2024-09-10 17:23:35.042 DEBUG http-nio-8080-exec-3 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.

Is there something I am missing, or is this a bug and we need to route to a different auth mechanism? Please let me know if there is something else that can be provided to support.
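As an added diagnostic (not code from this issue or from the WebAPI project), the following Python parses Shiro "Authentication successful" lines of the shape shown in the log above and flags principals that authenticated through the OIDC client but carry no roles or permissions, which is the symptom reported here. The sample lines are constructed and shortened from the issue's log; the identifiers in them are placeholders.

```python
import re

# Constructed sample, modelled on the Shiro DEBUG lines in the issue (attributes
# trimmed, ids replaced by placeholders). The third line is an invented
# counter-example of a principal that did arrive with roles and permissions.
SAMPLE_LOG = """\
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@29dfedb7].  Returned account [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|PLACEHOLDER | attributes: {sub=auth0|PLACEHOLDER, email_verified=true, email=shorrocka@chop.edu} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |]
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e].  Returned account [shorrocka@chop.edu]
2024-09-10 17:23:40.000 DEBUG http-nio-8080-exec-9 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@0badf00d].  Returned account [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|OTHER | attributes: {sub=auth0|OTHER, email=analyst@example.org} | roles: [analyst] | permissions: [cohort:read] | isRemembered: false | clientName: OidcClient | linkedId: null |] |]
"""

# One "Authentication successful" line: timestamp, token class, returned account.
AUTH_OK = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG \S+ org\.apache\.shiro\.authc\.AbstractAuthenticator - \[\] - "
    r"Authentication successful for token \[(?P<token>[^\]]+)\]\.\s+Returned account \[(?P<account>.*)\]$"
)
EMAIL = re.compile(r"\bemail=([^,}]+)")
ROLES = re.compile(r"\| roles: \[([^\]]*)\]")
PERMS = re.compile(r"\| permissions: \[([^\]]*)\]")


def _split_list(match):
    """Turn the bracketed 'a, b' list captured by ROLES/PERMS into a Python list."""
    return [item.strip() for item in match.group(1).split(",") if item.strip()]


def parse_auth_events(log_text):
    """Extract successful authentications; roles/permissions are None for non-pac4j accounts."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_OK.match(line)
        if not m:
            continue
        account = m.group("account")
        event = {"ts": m.group("ts"), "token": m.group("token").split("@")[0],
                 "principal": account, "roles": None, "permissions": None}
        if account.startswith("#Pac4jPrincipal#"):
            email = EMAIL.search(account)
            event["principal"] = email.group(1) if email else None
            event["roles"] = _split_list(ROLES.search(account))
            event["permissions"] = _split_list(PERMS.search(account))
        events.append(event)
    return events


def authenticated_without_authorization(events):
    """Principals whose OIDC login succeeded but carried neither roles nor permissions."""
    return [e["principal"] for e in events
            if e["roles"] is not None and not e["roles"] and not e["permissions"]]
```

Run it over a WebAPI log captured with Shiro at DEBUG to see which logins arrive with an empty authorization set; it tells you where the gap is (authentication versus role assignment), not why.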

konstjar commented 2 weeks ago

Even though you configured the authentication, ATLAS/WebAPI will not grant the role automatically. In order to grant your user admin permissions, please follow this section in the documentation: https://github.com/OHDSI/WebAPI/wiki/Atlas-Security#defining-an-administrator