search

center-for-threat-informed-defense / attack-workbench-rest-api

An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API service for storing, querying, and editing ATT&CK objects.
https://ctid.mitre-engenuity.org/
Apache License 2.0
42 stars 22 forks source link

Keycloak OIDC integration #352

Open cr0nx opened 3 months ago

cr0nx commented 3 months ago

Hi Team, I am working on the Keycloak OIDC Integration + ATT&CK Workbench Frontend/RestAPI. Unfortunately, I still get "401 Unauthorized" after Keyclock redirects back to the application after authentication. The testing flow:

  1. I open the Workbench webpage and click on the Login button. I also see the "Register" button.
  2. It redirects to the Keycloak login page. I enter valid credentials.
  3. It redirects back to the workbench webpage with 401 Unauthorized.

Here is my setup / some listings attached:

[root@vps15 attack-workbench-frontend-2.1.0]# cat docker-compose.yml version: "3.9" services: frontend: container_name: attack-workbench-frontend image: front-xxx build: . depends_on:

volumes: db-data:

[root@vps15 attack-workbench-frontend-2.1.0]# cat docker-compose-resources/rest-api/rest-api-service-config.json { "serviceAuthn": { "oidcClientCredentials": { "enable": true, "clients": [ { "clientId": "workbench", "serviceRole": "collection-manager" } ] } } }

[root@vps15 attack-workbench-frontend-2.1.0]# docker compose up .... attack-workbench-rest-api | 2024-08-14T10:05:15.447Z [INFO] ATT&CK Workbench REST API app starting attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Configuring the app attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Starting express attack-workbench-rest-api | 2024-08-14T10:05:15.872Z [INFO] CORS is not enabled attack-workbench-rest-api | 2024-08-14T10:05:15.907Z [INFO] Enabling HTTP request logging attack-workbench-rest-api | 2024-08-14T10:05:15.913Z [INFO] Enabling Swagger UI attack-workbench-rest-api | 2024-08-14T10:05:16.638Z [INFO] Configuring static routes attack-workbench-rest-api | 2024-08-14T10:05:17.683Z [INFO] Configured authentication mechanism: oidc attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configured authentication mechanism: bearer attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: client credentials attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: challenge apikey attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configuring REST API routes attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the scheduler attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the HTTP server... attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] Listening at http://:::3000 attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] ATT&CK Workbench REST API start up complete

Keycloak realm has been created with support for OpenID. The Client has been created with Standard Authentication flow. Client authentication is on. Some users like admin@test.com have been added to the Keycloak.

I even modified the scripts/configureKeycloak.js for adding local users to the workbench database => I thought it would lead me to some clue => no luck.

What am I missing? Do you have any idea? Any little hint will be appreciated. Thanks!

Anthem-whisper commented 2 weeks ago

hi, did you solve it? i meet the same problem

niveK77pur commented 2 weeks ago

Encountering same problem

ElJocko commented 2 weeks ago

Keycloak changed their implementation at some point. The change breaks the OIDC interoperability with the ATT&CK Workbench REST API. We have a fix for this in testing right now.