OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Add OpenID Proxy configuration capability #3426

Closed tialocRT closed 8 months ago

tialocRT commented 1 year ago

Description

Can't use the OpenID login with a proxy

I tried to set up authentication with OpenID instead of LocalStrategy. My OpenCTI returns no errors in its logs, but I can see firewall deny logs for the IP of my OpenID provider and no logs on my proxy, so my OpenCTI is bypassing my proxy settings only for OpenID. I don't want to open this flow directly on the FW without passing through my proxy.

Proxy settings have been set with HTTP_PROXY, HTTPS_PROXY and no_proxy for the OpenCTI core processes. My connectors can crawl data and their flows pass through the proxy.

Has someone successfully set up the OpenID login with a proxy? Is it an already known issue?

Environment

  1. Docker (on linux host with proxy settings done)
  2. OpenCTI version: 5.7.4
  3. OpenCTI client: /
  4. Other environment details:

Reproducible Steps

Using docker-compose file with this config:

I read in this node-openid-client issue (https://github.com/panva/node-openid-client/issues/22) that the proxy settings for panva's node-openid-client have to be set inside the code. I don't know if that is the case for OpenCTI; I can't find the related code inside my container to check it.

Thanks in advance

richard-julien commented 1 year ago

I don't think it's possible for now. We have started to introduce proxy support for more things, but I think we missed this one. Tagging it as a feature request.

simonbjorzen-ts commented 8 months ago

Any progress on this? Would be nice to have.

richard-julien commented 8 months ago

Difficult to test, so try the approach of using an agent with an option:

const openIdClient = config.use_proxy ? getPlatformHttpProxyAgent(config.issuer) : undefined;

simonbjorzen-ts commented 8 months ago

Awesome, thanks!

simonbjorzen-ts commented 2 months ago

@richard-julien Thanks for fixing this; however, there is a minor issue. Setting an HTTP proxy using an IP address like http://172.16.0.1:3128 works fine, but using a DNS name like http://proxy.domain.tld:3128 results in the following error.

{
  "category": "APP",
  "errors": [
    {
      "attributes": { "genre": "BUSINESS", "http_status": 500, "provider": "oic" },
      "message": "Error initializing authentication provider",
      "name": "UNSUPPORTED_ERROR",
      "stack": "UNSUPPORTED_ERROR: Error initializing authentication provider\n    at error (/opt/opencti/build/src/config/errors.js:8:10)\n    at UnsupportedError (/opt/opencti/build/src/config/errors.js:89:51)\n    at /opt/opencti/build/src/config/providers.js:386:24\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)"
    },
    {
      "message": "getaddrinfo ENOTFOUND proxy.redacted.tld",
      "name": "Error",
      "stack": "Error: getaddrinfo ENOTFOUND proxy.redacted.tld\n    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)"
    }
  ],
  "level": "error",
  "message": "Error initializing authentication provider",
  "source": "backend",
  "timestamp": "2024-08-19T09:36:13.195Z",
  "version": "6.2.12"
}

It works for now, but we'd like to use the DNS name instead. Thanks.

richard-julien commented 1 month ago

The DNS resolution is not something that the platform is doing. Please check that your pod is able to resolve this DNS name.