Open barbj opened 3 weeks ago
I was able to successfully reach the protected servlet after doing a few updates:
@OpenIdAuthenticationMechanismDefinition
updates:
useSession = false
claimsDefinition = @ClaimsDefinition(callerNameClaim = "sub")
preferred_username
claim to use as the caller name. Neither the access token, ID token, or UserInfo data included this claim, so we have to tell the annotation to look at a claim that is in one of those places.signatureAlgorithm="RS256"
to <openidConnectProvider>
@OpenIdAuthenticationMechanismDefinition
should be able to work just fine with HS256, but for whatever reason it isn't. It's possible we have a bug here; this is another thing for me to investigate a bit more.jwkEnabled="true"
to <openidConnectProvider>
<security-role name="all">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
"all"
role and limits access just to users in that role. At the moment the application-bnd definition in the RP only maps all authenticated users to the "OIDCUser"
role, so you'd get a 403 trying to access the servlet because the user isn't mapped to the "all"
role.I provide that update just to point out the things I did within the customer's control to get things working. As I mention there, I still need to investigate why I had to add useSession = false
to the @OpenIdAuthenticationMechanismDefinition
annotation and why there's a mismatch between looking in cookies or looking in the session for cached data.
Describe the bug
Using the annotation
OpenIdAuthenticationMechanismDefinition
is documented here: https://openliberty.io/docs/latest/enable-openid-connect-client.htmlAn app is developed including:
This is emitted for the request:
The Liberty doc describes that:
If you want to use a callback servlet, you do have to implement it and include it in an application deployed to the Liberty server.
With your app and config, I was able to get past any issues with the redirect URI simply by adding https://localhost:9444/simple/Callback to the client configuration in the OP server:
However I get stuck in a loop going to the scope consent page; the OP asks if oidcclient can access the openid scope. When I click one of the allow buttons, it seems the login flow starts anew, with the browser being redirected to the RP’s callback servlet, but then redirected back to the OP’s authorization endpoint to log in. I’m already logged in, so I get the consent page all over again.
Looks like that’s happening because somehow when this line is invoked in the callback servlet:
The
context
object ends up trying to look for the original request URL in a cookie, even though the OIDC client originally stored the value in the HTTP session. Since the context can’t find the value, it can’t complete its processing correctly. If I explicitly setuseSession = false
in the
@OpenIdAuthenticationMechanismDefinition
I can get a little further. But then I get problems validating the JWT signature because the OP is signing the tokens using HS256 by default but the client expects RS256.Diagnostic information:
Original
server.xml
file:Implemented callback: