SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

OpenId connect configuration with on-prem PingFederate throws 5xx without any errors in logs #242

Closed marcispauls closed 10 months ago

marcispauls commented 10 months ago

Steps to reproduce the behavior:

  1. Create a new identity provider of type OpenID Connect
  2. Create the integration on the PingFederate side
  3. Try to log in with the new provider
  4. It goes back and forth with Ping until VECTR needs to get the token; then in the logs we can see a 5xx and no debug information.

Version: ce-8.8.1

Logs:

==> vectr_audit-2023-08-22-08-2.log <==
10.216.13.109 VECTR [2023-08-22T09:07:34.134+0000] - "GET" - /auth/api/v1/settings - 401
10.216.13.109 VECTR [2023-08-22T09:07:34.276+0000] - "GET" - /auth/api/v1/profile - 401

==> vectr_audit.log <==
10.216.13.109 VECTR [2023-08-22T09:07:33.863+0000] - "POST" GoldStandard /sra-purpletools-rest/phases/query?databaseName=GoldStandard db:read 401
10.216.13.109 VECTR [2023-08-22T09:07:33.864+0000] - "POST" GoldStandard /sra-purpletools-rest/phases/query?databaseName=GoldStandard db:read 401
10.216.13.109 VECTR [2023-08-22T09:07:33.865+0000] - "POST" GoldStandard /sra-purpletools-rest/phases/query?databaseName=GoldStandard db:read 401

==> localhost_access_log.2023-08-22.txt <==
100.124.11.86 - - [22/Aug/2023:09:07:32 +0000] "GET / HTTP/1.1" 302 -
100.124.11.86 - - [22/Aug/2023:09:07:32 +0000] "GET /sra-purpletools-webui/app HTTP/1.1" 302 -
100.124.11.86 - - [22/Aug/2023:09:07:32 +0000] "GET /sra-purpletools-webui/app/ HTTP/1.1" 200 17455
127.0.0.1 - - [22/Aug/2023:09:07:33 +0000] "POST /auth/api/v1/pdp HTTP/1.1" 401 5
127.0.0.1 - - [22/Aug/2023:09:07:33 +0000] "POST /auth/api/v1/pdp HTTP/1.1" 401 5
127.0.0.1 - - [22/Aug/2023:09:07:33 +0000] "POST /auth/api/v1/pdp HTTP/1.1" 401 5
100.124.11.86 - - [22/Aug/2023:09:07:33 +0000] "POST /sra-purpletools-rest/phases/query?databaseName=GoldStandard HTTP/1.1" 401 -
100.124.11.86 - - [22/Aug/2023:09:07:33 +0000] "POST /sra-purpletools-rest/phases/query?databaseName=GoldStandard HTTP/1.1" 401 -
100.124.11.86 - - [22/Aug/2023:09:07:33 +0000] "POST /sra-purpletools-rest/phases/query?databaseName=GoldStandard HTTP/1.1" 401 -
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /static/features.json HTTP/1.1" 304 -
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/api/v1/settings HTTP/1.1" 401 5
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "POST /auth/api/v1/refresh_token HTTP/1.1" 401 48
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/api/v1/profile HTTP/1.1" 401 5
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/logout HTTP/1.1" 302 5
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/login HTTP/1.1" 200 2436
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/login HTTP/1.1" 200 2436
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/static/images/logo-color.svg HTTP/1.1" 200 6884
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/static/js/auth.js HTTP/1.1" 200 1288
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/static/css/login.css?v=8.8.1 HTTP/1.1" 200 8008
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/static/images/vectr-logo-black.svg HTTP/1.1" 200 2317
100.124.11.86 - - [22/Aug/2023:09:07:34 +0000] "GET /auth/static/images/default-idp-icons/office.svg HTTP/1.1" 200 2799
100.124.11.86 - - [22/Aug/2023:09:07:49 +0000] "GET /auth/connect/<redacted> HTTP/1.1" 302 5
100.124.11.86 - - [22/Aug/2023:09:07:50 +0000] "GET /auth/login/callback?code=<redacted>&state=3fd7e0ee2f HTTP/1.1" 500 1146
100.124.11.86 - - [22/Aug/2023:09:07:50 +0000] "GET /auth/static/images/vectr-logo.svg HTTP/1.1" 200 3644
100.124.11.86 - - [22/Aug/2023:09:07:50 +0000] "GET /auth/static/css/login.css?v=8.8.1 HTTP/1.1" 200 8008
100.124.11.86 - - [22/Aug/2023:09:07:50 +0000] "GET /auth/static/images/loading-sprite-bg.jpg HTTP/1.1" 200 924619
100.124.11.86 - - [22/Aug/2023:09:07:50 +0000] "GET /auth/static/fonts/roboto/Roboto-Medium.woff2 HTTP/1.1" 200 64324
100.124.11.86 - - [22/Aug/2023:09:07:50 +0000] "GET /auth/static/fonts/roboto/Roboto-Medium.woff2 HTTP/1.1" 200 64324

SRAPSpencer commented 10 months ago

FYI we consider SSO generally out of bounds for community issues.

https://github.com/SecurityRiskAdvisors/VECTR/issues/146

I may have some time to look at this. Can you post the container logs for the tomcat container? Those are usually better for troubleshooting.

https://docs.docker.com/engine/reference/commandline/logs/

marcispauls commented 10 months ago

Ahh, didn't see that it logs to stdout and not to the files. Figured it out: the IdP sends the wrong auth type as ES256, but it's actually HS256. Is it possible with params to change the alg so that it uses only that and doesn't trust the IdP?

SRAPSpencer commented 10 months ago

It's not possible to configure individual algorithms in community edition in that manner. Your "Well Known" IDP configuration as part of OIDC Discovery should be specifying the auth types.

https://openid.net/specs/openid-connect-discovery-1_0.html

https://docs.vectr.io/sso/providers/openid-connect/
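The failure mode in this thread is an ID token whose JOSE header claims one signature algorithm (ES256) while the IdP actually signed it with another (HS256). The relying party's defence is to never take the header's `alg` at face value: gate it against what the IdP's discovery document advertises in `id_token_signing_alg_values_supported` and against the client's own allowlist, and only then verify. The following is an added illustration, not VECTR's code and not anything from the docs linked above; the discovery document, client secret and `validate_id_token` helper are all constructed for the example, and only HS256 (keyed with the client secret, as OIDC Core specifies for symmetric ID token signatures) is actually verified.

```python
import base64
import hashlib
import hmac
import json

# Constructed discovery-document fragment (hypothetical IdP, not PingFederate's real output).
DISCOVERY = {
    "issuer": "https://idp.example.internal",
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
}
CLIENT_SECRET = b"constructed-client-secret"   # constructed value
CLIENT_ALLOWED_ALGS = {"HS256"}                # what this relying party is willing to accept


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWS whose signature is always HMAC-SHA256, whatever the header
    claims. Used only to reproduce a mislabelled token like the one in this issue."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, discovery: dict, allowed_algs: set, client_secret: bytes):
    """Return (ok, reason). The header's alg is only trusted after two independent gates:
    the IdP's advertised set from discovery and the client's configured allowlist."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed compact JWS"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "unparseable header"
    alg = header.get("alg")
    if alg not in discovery.get("id_token_signing_alg_values_supported", []):
        return False, f"alg {alg!r} not advertised by IdP discovery"
    if alg not in allowed_algs:
        return False, f"alg {alg!r} not in client allowlist"
    if alg != "HS256":
        return False, f"alg {alg!r} verification not implemented in this example"
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "HS256 signature mismatch"
    payload = json.loads(b64url_decode(parts[1]))
    if payload.get("iss") != discovery["issuer"]:
        return False, "issuer mismatch"
    return True, "ok"


if __name__ == "__main__":
    claims = {"iss": DISCOVERY["issuer"], "sub": "user-1"}
    for label, hdr in [("mislabelled ES256", {"alg": "ES256", "typ": "JWT"}),
                       ("correct HS256", {"alg": "HS256", "typ": "JWT"})]:
        tok = mint_hs256_token(hdr, claims, CLIENT_SECRET)
        print(label, "->", validate_id_token(tok, DISCOVERY, CLIENT_ALLOWED_ALGS, CLIENT_SECRET))
```

The mislabelled token is rejected before any signature check runs, which is the behaviour a relying party wants: the fix belongs on the IdP side (advertise and use a consistent algorithm), not in loosening the client's algorithm checks.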

marcispauls commented 10 months ago

OK, clear, thanks for the support and hints. Will deal with our IdP team.