davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0

OAuth authentication does not work for CAS 5.1.5 #97

Open a760109 opened 6 years ago

a760109 commented 6 years ago

I'm using

Gerrit 2.14.5.1 gerrit-oauth-provider 2.14.3 CAS 5.1.5

[screenshot: CA Login view]

Here is my gerrit config for oauth

[plugin "gerrit-oauth-provider-cas-oauth"]
    root-url = http://10.110.219.37/CAS
    client-id = clientid
    client-secret = clientSecret
    fix-legacy-user-id = false

Here is my CAS oauth service definition

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "clientid",
  "clientSecret": "clientSecret",
  "bypassApprovalPrompt": false,
  "generateRefreshToken": false,
  "serviceId" : "^(https|imaps|http)://.*",
  "name" : "My OAuth service",
  "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

Here is the relevant log snippet from the cas.log

[13:30:57][INFO ][org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager][default task-68] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Tue Nov 28 13:30:57 CST 2017,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Nov 28 13:30:57 CST 2017
CLIENT IP ADDRESS: 10.110.214.57
SERVER IP ADDRESS: 172.17.0.4
=============================================================

[13:31:03][INFO ][org.apereo.cas.authentication.AbstractAuthenticationManager][default task-69] - Authenticated principal [kent_lu] with attributes [{}] via credentials [[kent_lu]].
[13:31:03][INFO ][org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager][default task-69] - Audit trail record BEGIN
=============================================================
WHO: kent_lu
WHAT: Supplied credentials: [kent_lu]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Nov 28 13:31:03 CST 2017
CLIENT IP ADDRESS: 10.110.214.57
SERVER IP ADDRESS: 172.17.0.4
=============================================================

[13:31:03][INFO ][org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager][default task-69] - Audit trail record BEGIN
=============================================================
WHO: kent_lu
WHAT: TGT-1-qBZUedR3m3ZM9HcKUMiL2yKdvwrDSwxddDRlt3Boy4tVEaszpy-wildfly
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 28 13:31:03 CST 2017
CLIENT IP ADDRESS: 10.110.214.57
SERVER IP ADDRESS: 172.17.0.4
=============================================================

[13:31:03][INFO ][org.apereo.cas.DefaultCentralAuthenticationService][default task-69] - Granted ticket [ST-1-G3vKwtjFvSQFAj14Uj2D-wildfly] for service [http://10.110.219.37/CAS/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=clientid&redirect_uri=http://127.0.0.1:8080/oauth] and principal [kent_lu]
[13:31:03][INFO ][org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager][default task-69] - Audit trail record BEGIN
=============================================================
WHO: kent_lu
WHAT: ST-1-G3vKwtjFvSQFAj14Uj2D-wildfly for http://10.110.219.37/CAS/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=clientid&redirect_uri=http://127.0.0.1:8080/oauth
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 28 13:31:03 CST 2017
CLIENT IP ADDRESS: 10.110.214.57
SERVER IP ADDRESS: 172.17.0.4
=============================================================

[13:31:03][INFO ][org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager][default task-71] - Audit trail record BEGIN
=============================================================
WHO: kent_lu
WHAT: ST-1-G3vKwtjFvSQFAj14Uj2D-wildfly
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Nov 28 13:31:03 CST 2017
CLIENT IP ADDRESS: 10.110.15.61
SERVER IP ADDRESS: 172.17.0.4
=============================================================

[13:31:03][INFO ][org.pac4j.core.profile.ProfileHelper][default task-70] - Building user profile based on typedId: kent_lu
[13:31:05][ERROR][org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController][default task-74] - ticket cannot be null: java.lang.IllegalArgumentException: ticket cannot be null
    at org.springframework.util.Assert.notNull(Assert.java:134)
[13:31:05][ERROR][org.springframework.boot.web.support.ErrorPageFilter][default task-74] - Forwarding to error page from request [/oauth2.0/accessToken] due to exception [ticket cannot be null]: java.lang.IllegalArgumentException: ticket cannot be null
    at org.springframework.util.Assert.notNull(Assert.java:134)

Here is the relevant log snippet from the gerrit.log

[2017-11-28 05:45:02,119] [HTTP-84] WARN  org.eclipse.jetty.servlet.ServletHandler : /oauth
org.scribe.exceptions.OAuthException: Response body is incorrect. Can't extract a token from this: '.....'

[2017-11-28 05:45:02,133] [HTTP-84] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /oauth?code=OC-2-tmBrykc1ozv7twSPoOlzkLcGWXAVbgbsWIE&state=fBADx69enf96MimHZOeiGoc8y95NI_SHdiC5UMVz6As
org.scribe.exceptions.OAuthException: Response body is incorrect. Can't extract a token from this: '.......'

davido commented 6 years ago

@mwebber Any idea what could be wrong?

mwebber commented 6 years ago

Thanks for a clear report with all the relevant info provided up-front.

It is working for us (also Gerrit 2.14.5.1, gerrit-oauth-provider 2.14.3, CAS 5.1.?). There are a few differences between our configurations:

In gerrit.config, we don't have any value for gerrit-oauth-provider-cas-oauth.client-secret. Instead, that is stored in secure.config. I'd start by fixing that up.

Both my Gerrit and CAS are using https. My CAS oauth service definition is similar to yours

{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "gerrit",
  "clientSecret": "XXXXX",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": false,
  "serviceId" : "https://gerrit[a-z]*.XXX.YYY.ZZZ/oauth",
  "name" : "Gerrit",
  "description" : "Gerrit",
  "id" : nnnnnnnnnn
}

Can you fix the location of the client-secret and report back?
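
To make the two points in the reply above concrete, here is an added Python check (not part of the plugin or of anyone's post): it parses git-config style gerrit.config/secure.config text to report where client-secret lives, and tests a CAS serviceId pattern against the redirect_uri seen in the reporter's cas.log. The sample configs and service definitions are constructed from this thread with secrets redacted; the assumption that CAS matches redirect_uri against serviceId as an unanchored regex search is mine.

```python
import re

# Constructed from the thread: the reporter's broad CAS service definition,
# mwebber's narrower one (secrets/ids omitted), and a gerrit.config/secure.config pair.
BROAD_SERVICE = {"clientId": "clientid", "serviceId": "^(https|imaps|http)://.*"}
NARROW_SERVICE = {"clientId": "gerrit", "serviceId": "https://gerrit[a-z]*.XXX.YYY.ZZZ/oauth"}
GERRIT_CONFIG = """[plugin "gerrit-oauth-provider-cas-oauth"]
    client-id = clientid
    client-secret = clientSecret
"""
SECURE_CONFIG = """[auth]
    registerEmailPrivateKey = <redacted>
"""
SECTION = 'plugin "gerrit-oauth-provider-cas-oauth"'
# redirect_uri as it appears in the cas.log "Granted ticket" line of the report
GERRIT_REDIRECT = "http://127.0.0.1:8080/oauth"
# constructed probe: a host that should never be an acceptable OAuth redirect target
UNRELATED_REDIRECT = "https://unrelated.invalid/oauth"

def redirect_allowed(service: dict, redirect_uri: str) -> bool:
    # Assumption: CAS tests redirect_uri against serviceId with an unanchored regex search.
    return re.search(service["serviceId"], redirect_uri) is not None

def audit_service(service: dict) -> dict:
    """Does the service accept Gerrit's callback, and would it also accept an unrelated host?"""
    return {
        "accepts_gerrit_callback": redirect_allowed(service, GERRIT_REDIRECT),
        "accepts_unrelated_host": redirect_allowed(service, UNRELATED_REDIRECT),
    }

def parse_git_config(text: str) -> dict:
    """Minimal parser for Gerrit's git-config style files -> {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def secret_locations(gerrit_cfg: str, secure_cfg: str) -> dict:
    """client-secret belongs in secure.config only; report where it actually is."""
    return {
        "in_gerrit_config": "client-secret" in parse_git_config(gerrit_cfg).get(SECTION, {}),
        "in_secure_config": "client-secret" in parse_git_config(secure_cfg).get(SECTION, {}),
    }
```

With the reporter's definition both the Gerrit callback and an unrelated host pass the serviceId check, while mwebber's pattern rejects both the http://127.0.0.1 callback and the unrelated host, which is the expected outcome for a service pinned to one Gerrit hostname.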

a760109 commented 6 years ago

Hi @mwebber

Thanks for your feedback. I think it may be an HTTP issue; I will try to use the HTTPS protocol. In CAS, I have some trouble using HTTPS, which I will try to fix. (Error: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden")

By the way, this is my secure.config content:

[auth]
    registerEmailPrivateKey = 2PZO0bAN5JoefHybTay6tHJGR/Pjsz7EKGw=

Thanks.

a760109 commented 6 years ago

Hi @mwebber

I succeeded in logging in by HTTP; I changed the CAS ticket type from TGC to ST. In my work environment, the network needs to use a proxy, so HTTPS has some trouble.

This is my CAS setting:

cas.tgc.secure=false
cas.tgc.name=ST

By the way, when I log in, my Gerrit username is "Anonymous Coward (1000001)". Is it possible to automatically use the CAS username and email?

Thanks so much.

kalenobr commented 6 years ago

https://drive.google.com/file/d/1tXA94ccnloMbqcdkwkpqrcXjndZWblvg/view?usp=drivesdk

a760109 commented 6 years ago

Hi

I followed the doc (https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/resources/Documentation/config.md), added name and email attributes in the CAS properties, and used Postman with OAuth 2.0 to verify, but when I log in, the Gerrit profile is all empty. Which step is wrong?

Thanks.

CAS properties

cas.authn.ldap[0].principalAttributeList=cn:name,mail:email

CAS log

[16:10:19][INFO ][org.apereo.cas.authentication.AbstractAuthenticationManager][default task-504] - Authenticated principal [kent_lu] with attributes [{email=Kent_Lu@***, name=Lu. Kent (TPE)}] via credentials [[kent_lu]].

Postman

https://goo.gl/UEjbrY

kalenobr commented 6 years ago

:smile: