An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API service for storing, querying, and editing ATT&CK objects.
Hi Team,
I am working on the Keycloak OIDC Integration + ATT&CK Workbench Frontend/RestAPI. Unfortunately, I still get "401 Unauthorized" after Keyclock redirects back to the application after authentication.
The testing flow:
I open the Workbench webpage and click on the Login button. I also see the "Register" button.
It redirects to the Keycloak login page. I enter valid credentials.
It redirects back to the workbench webpage with 401 Unauthorized.
[root@vps15 attack-workbench-frontend-2.1.0]# docker compose up
....
attack-workbench-rest-api | 2024-08-14T10:05:15.447Z [INFO] ATT&CK Workbench REST API app starting
attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Configuring the app
attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Starting express
attack-workbench-rest-api | 2024-08-14T10:05:15.872Z [INFO] CORS is not enabled
attack-workbench-rest-api | 2024-08-14T10:05:15.907Z [INFO] Enabling HTTP request logging
attack-workbench-rest-api | 2024-08-14T10:05:15.913Z [INFO] Enabling Swagger UI
attack-workbench-rest-api | 2024-08-14T10:05:16.638Z [INFO] Configuring static routes
attack-workbench-rest-api | 2024-08-14T10:05:17.683Z [INFO] Configured authentication mechanism: oidc
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configured authentication mechanism: bearer
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: client credentials
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: challenge apikey
attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configuring REST API routes
attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the scheduler
attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the HTTP server...
attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] Listening at http://:::3000
attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] ATT&CK Workbench REST API start up complete
Keycloak realm has been created with support for OpenID. The Client has been created with Standard Authentication flow. Client authentication is on. Some users like admin@test.com have been added to the Keycloak.
I even modified the scripts/configureKeycloak.js for adding local users to the workbench database => I thought it would lead me to some clue => no luck.
What am I missing? Do you have any idea? Any little hint will be appreciated.
Thanks!
Hi Team, I am working on the Keycloak OIDC Integration + ATT&CK Workbench Frontend/RestAPI. Unfortunately, I still get "401 Unauthorized" after Keyclock redirects back to the application after authentication. The testing flow:
Here is my setup / some listings attached:
[root@vps15 attack-workbench-frontend-2.1.0]# cat docker-compose.yml version: "3.9" services: frontend: container_name: attack-workbench-frontend image: front-xxx build: . depends_on:
./docker-compose-resources/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
rest-api: container_name: attack-workbench-rest-api build: ../attack-workbench-rest-api image: rest-xxx depends_on:
WB_REST_SERVICE_ACCOUNT_CHALLENGE_APIKEY_ENABLE=true
mongodb: container_name: attack-workbench-database image: mongo volumes:
volumes: db-data:
[root@vps15 attack-workbench-frontend-2.1.0]# cat docker-compose-resources/rest-api/rest-api-service-config.json { "serviceAuthn": { "oidcClientCredentials": { "enable": true, "clients": [ { "clientId": "workbench", "serviceRole": "collection-manager" } ] } } }
[root@vps15 attack-workbench-frontend-2.1.0]# docker compose up .... attack-workbench-rest-api | 2024-08-14T10:05:15.447Z [INFO] ATT&CK Workbench REST API app starting attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Configuring the app attack-workbench-rest-api | 2024-08-14T10:05:15.448Z [INFO] Starting express attack-workbench-rest-api | 2024-08-14T10:05:15.872Z [INFO] CORS is not enabled attack-workbench-rest-api | 2024-08-14T10:05:15.907Z [INFO] Enabling HTTP request logging attack-workbench-rest-api | 2024-08-14T10:05:15.913Z [INFO] Enabling Swagger UI attack-workbench-rest-api | 2024-08-14T10:05:16.638Z [INFO] Configuring static routes attack-workbench-rest-api | 2024-08-14T10:05:17.683Z [INFO] Configured authentication mechanism: oidc attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configured authentication mechanism: bearer attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: client credentials attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Enabled service authentication: challenge apikey attack-workbench-rest-api | 2024-08-14T10:05:17.685Z [INFO] Configuring REST API routes attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the scheduler attack-workbench-rest-api | 2024-08-14T10:05:18.071Z [INFO] Starting the HTTP server... attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] Listening at http://:::3000 attack-workbench-rest-api | 2024-08-14T10:05:18.079Z [INFO] ATT&CK Workbench REST API start up complete
Keycloak realm has been created with support for OpenID. The Client has been created with Standard Authentication flow. Client authentication is on. Some users like admin@test.com have been added to the Keycloak.
I even modified the scripts/configureKeycloak.js for adding local users to the workbench database => I thought it would lead me to some clue => no luck.
What am I missing? Do you have any idea? Any little hint will be appreciated. Thanks!