cirrusidentity / simplesamlphp-module-authoauth2

OAuth2/OIDC Authentication module for SimpleSAMLphp
GNU Lesser General Public License v2.1

Pass SSP proxy-settings to Guzzle #93

Open tvdijen opened 2 months ago

tvdijen commented 2 months ago

I have to use the company proxy to connect outside our network, but this module currently doesn't pass SSP's proxy-settings to the HTTP-client.

    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] SimpleSAML\Error\AuthSource: Error with authentication source 'microsoft': Error on oauth2 linkback endpoint.
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] Backtrace:
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 4 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/OAuth2ResponseHandler.php:106 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponseFromRequest)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 3 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/OAuth2ResponseHandler.php:59 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponse)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 2 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/public/linkback.php:4 (require)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 1 /var/opt/simplesamlphp/simplesamlphp-2.2.1/src/SimpleSAML/Module.php:302 (SimpleSAML\Module::process)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 0 /var/opt/simplesamlphp/simplesamlphp-2.2.1/public/module.php:17 (N/A)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] Caused by: GuzzleHttp\Exception\ConnectException: cURL error 7: Failed to connect to login.microsoftonline.com port 443: Connection timed out (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://login.microsoftonline.com/myTenant.onmicrosoft.com/oauth2/v2.0/token
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] Backtrace:
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 23 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:210 (GuzzleHttp\Handler\CurlFactory::createRejection)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 22 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:158 (GuzzleHttp\Handler\CurlFactory::finishError)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 21 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:110 (GuzzleHttp\Handler\CurlFactory::finish)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 20 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php:47 (GuzzleHttp\Handler\CurlHandler::invoke)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 19 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php:64 (GuzzleHttp\PrepareBodyMiddleware::invoke)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 18 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Middleware.php:31 (GuzzleHttp\Middleware::GuzzleHttp{closure})
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 17 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php:71 (GuzzleHttp\RedirectMiddleware::invoke)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 16 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Middleware.php:66 (GuzzleHttp\Middleware::GuzzleHttp{closure})
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 15 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/HandlerStack.php:75 (GuzzleHttp\HandlerStack::invoke)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 14 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Client.php:333 (GuzzleHttp\Client::transfer)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 13 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Client.php:106 (GuzzleHttp\Client::sendAsync)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 12 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/guzzlehttp/guzzle/src/Client.php:124 (GuzzleHttp\Client::send)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 11 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:706 (League\OAuth2\Client\Provider\AbstractProvider::getResponse)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 10 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:719 (League\OAuth2\Client\Provider\AbstractProvider::getParsedResponse)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 9 /var/opt/simplesamlphp/simplesamlphp-2.2.1/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:635 (League\OAuth2\Client\Provider\AbstractProvider::getAccessToken)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 8 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/Auth/Source/OAuth2.php:214 (SimpleSAML\Module\authoauth2\Auth\Source\OAuth2::SimpleSAML\Module\authoauth2\Auth\Source{closure})
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 7 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/Auth/Source/OAuth2.php:310 (SimpleSAML\Module\authoauth2\Auth\Source\OAuth2::retry)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 6 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/Auth/Source/OAuth2.php:317 (SimpleSAML\Module\authoauth2\Auth\Source\OAuth2::retry)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 5 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/Auth/Source/OAuth2.php:212 (SimpleSAML\Module\authoauth2\Auth\Source\OAuth2::finalStep)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 4 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/OAuth2ResponseHandler.php:94 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponseFromRequest)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 3 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/src/OAuth2ResponseHandler.php:59 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponse)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 2 /var/opt/simplesamlphp/simplesamlphp-2.2.1/modules/authoauth2/public/linkback.php:4 (require)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 1 /var/opt/simplesamlphp/simplesamlphp-2.2.1/src/SimpleSAML/Module.php:302 (SimpleSAML\Module::process)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] 0 /var/opt/simplesamlphp/simplesamlphp-2.2.1/public/module.php:17 (N/A)
    Apr 24 11:25:43 sv2210942 IDP-BZK[4013329]: 3 [5fd8bc029e] Error report with id df04cf97 generated.

pradtke commented 2 months ago

Adding the workaround @tvdijen shared with me

      'authName' => array(
              'authoauth2:OAuth2',
              // *** Required for all integrations ***
              'urlAuthorize' => 'https://www.example.com/oauth2/authorize',
              'urlAccessToken' => 'https://www.example.com/oauth2/token',
              'urlResourceOwnerDetails' => 'https://api.example.com/userinfo',
              // other settings
              'proxy' => [
                  'http' => 'http://myproxy:8080/',
                  'https' => 'http://myproxy:8080/',
              ],
      )

And the preferred solution would be: if the proxy setting is not defined in the authsource, use the settings from config.php. Those settings may differ from the way Guzzle expects them, e.g. in config.php the proxy setting may equal 'tcp://proxy.example.com:5100', while Guzzle wants the scheme to be http. Proxy authentication is handled by Guzzle as part of the URL, while in config.php it is a separate setting.
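
One way the fallback described in the comment above could be implemented, as an added example that is not code from authoauth2 or SimpleSAMLphp. The function names are hypothetical, and it assumes the config.php values are available as an array with the keys `proxy` and `proxy.auth` (`user:password`); it also redacts the credentials that end up in the proxy URL before anything is logged.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not part of authoauth2: build Guzzle's 'proxy' request
 * option. A 'proxy' entry in the authsource wins; otherwise the config.php
 * values are translated. Assumption: $global holds config.php's 'proxy'
 * (e.g. 'tcp://proxy.example.com:5100') and 'proxy.auth' ('user:password').
 */
function guzzleProxyOption(array $authSource, array $global): ?array
{
    if (isset($authSource['proxy'])) {
        $p = $authSource['proxy'];
        return is_array($p) ? $p : ['http' => $p, 'https' => $p];
    }
    $proxy = $global['proxy'] ?? null;
    if (!is_string($proxy) || $proxy === '') {
        return null; // no proxy configured anywhere: connect directly
    }
    $parts = parse_url($proxy);
    if ($parts === false || !isset($parts['host'])) {
        throw new InvalidArgumentException('Cannot parse proxy setting from config.php');
    }
    // Guzzle expects an http(s) proxy URL; a stream-style 'tcp' scheme becomes 'http'.
    $scheme = in_array($parts['scheme'] ?? '', ['http', 'https'], true) ? $parts['scheme'] : 'http';
    $authority = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $auth = $global['proxy.auth'] ?? null;
    if (is_string($auth) && $auth !== '') {
        // Percent-encode so '@', ':' or '/' in the credentials cannot alter the authority.
        [$user, $pass] = array_pad(explode(':', $auth, 2), 2, '');
        $authority = rawurlencode($user) . ':' . rawurlencode($pass) . '@' . $authority;
    }
    $url = $scheme . '://' . $authority;
    return ['http' => $url, 'https' => $url];
}

/** Strip userinfo from a proxy URL before it is written to a log. */
function redactProxyUrl(string $url): string
{
    return preg_replace('#^([a-z][a-z0-9+.-]*://)[^/@]*@#i', '$1***@', $url) ?? $url;
}

// Constructed sample values, for illustration only.
$option = guzzleProxyOption([], ['proxy' => 'tcp://proxy.example.com:5100', 'proxy.auth' => 'svc:p@ss:word']);
echo redactProxyUrl($option['https']), PHP_EOL;
```

The returned array has the same shape as the `proxy` entry in the workaround above, so it can be passed to the HTTP client unchanged.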