arkime / arkime

Arkime is an open source, large scale, full packet capturing, indexing, and database system.
https://arkime.com
Apache License 2.0

OIDC authentication not working #3045

Closed CharlotteN7 closed 2 days ago

CharlotteN7 commented 2 days ago

Describe the bug: We are trying to configure OIDC authentication using the latest Arkime version, 5.5.1. But after setting all the settings in the configuration - authClientId, authClientSecret, authDiscoverURL, authOIDCScope, authRedirectURIs, authUserIdField - we encountered an error telling us that the "s2s" strategy is unknown. It is strange because we only use the "oidc" strategy, but the s2s strategy is always added on line https://github.com/arkime/arkime/blob/38b82cb04733bf37acb200ae4366cbc1c8ff7146/common/auth.js#L237-L240

Error happens at: https://github.com/arkime/arkime/blob/38b82cb04733bf37acb200ae4366cbc1c8ff7146/common/auth.js#L776

And there isn't any "custom" strategy such as "oidc".

I see that there is usage of OIDC.Strategy in some code, but I think the passport.authenticate method cannot resolve the "oidc" strategy: https://github.com/arkime/arkime/blob/38b82cb04733bf37acb200ae4366cbc1c8ff7146/common/auth.js#L539-L546

If I comment out adding "s2s" to #strategies, it will then print that the "oidc" strategy is unknown (second error below).

Is this defined behavior? I think there should be a passport.js package such as passport-openidconnect, and changing strategy name to "openidconnect" or custom oidc strategy needed to be integrated in passport middleware.

Error log below

Opensearch version: 2.13.0

Arkime/Moloch version: 5.5.1

OS name and version: AlmaLinux 8

How was Arkime/Moloch built/installed: (rpm, deb, easybutton, ...) rpm installed

Provide logs, stack traces and steps to reproduce:

Without commenting:

AUTH: passport.authenticate fail Error: Unknown authentication strategy "s2s"
    at attempt (/opt/arkime/node_modules/passport/lib/middleware/authenticate.js:193:39)
    at authenticate (/opt/arkime/node_modules/passport/lib/middleware/authenticate.js:379:7)
    at doAuth (/opt/arkime/common/auth.js:776:107)
    at Layer.handle [as handle_request] (/opt/arkime/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/arkime/node_modules/express/lib/router/index.js:328:13)
    at /opt/arkime/node_modules/express/lib/router/index.js:286:9
    at Function.process_params (/opt/arkime/node_modules/express/lib/router/index.js:346:12)
    at Immediate.next (/opt/arkime/node_modules/express/lib/router/index.js:280:10)
    at Immediate._onImmediate (/opt/arkime/node_modules/express/lib/router/index.js:646:15)
    at process.processImmediate (node:internal/timers:485:21)
Fri, 29 Nov 2024 10:51:15 GMT - GET /login 403 27 bytes 85.941 ms

With commenting:

AUTH: passport.authenticate fail Error: Unknown authentication strategy "oidc"
    at attempt (/opt/arkime/node_modules/passport/lib/middleware/authenticate.js:193:39)
    at authenticate (/opt/arkime/node_modules/passport/lib/middleware/authenticate.js:379:7)
    at doAuth (/opt/arkime/common/auth.js:776:107)
    at Layer.handle [as handle_request] (/opt/arkime/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/arkime/node_modules/express/lib/router/index.js:328:13)
    at /opt/arkime/node_modules/express/lib/router/index.js:286:9
    at Function.process_params (/opt/arkime/node_modules/express/lib/router/index.js:346:12)
    at Immediate.next (/opt/arkime/node_modules/express/lib/router/index.js:280:10)
    at Immediate._onImmediate (/opt/arkime/node_modules/express/lib/router/index.js:646:15)
    at process.processImmediate (node:internal/timers:485:21)
Fri, 29 Nov 2024 11:13:41 GMT - GET /login 403 27 bytes 86.075 ms

awick commented 2 days ago

Unfortunately it works fine for me, did you make any other changes to the code or config? My config looks like

[default]
debug=2
authMode=oidc
authDiscoverURL=https://XXXX
authClientId=XXXX
authClientSecret=XXXX
authUserIdField=email
authRedirectURIs=https://XXXX:4443/auth/login/callback

> Is this defined behavior?

yes s2s is required for viewer

> I think there should be a passport.js package such as passport-openidconnect, and changing strategy name to "openidconnect" or custom oidc strategy needed to be integrated in passport middleware.

Are you saying the passport-openidconnect strategy is better than the openid-client version? I haven't had any issues. passport.use('oidc', new OIDC.Strategy({ sets up the passport piece

CharlotteN7 commented 2 days ago

By fully removing node_modules and reinstalling the arkime package, the problem is solved. I think there is some problem with removing old node versions, or node modules, when upgrading using new rpms.