finalist / liferay-oidc-plugin

Plugin for Liferay, enabling OpenID Connect authentication
Apache License 2.0

Issue with Azure AD #15

Closed ryanbenedetti closed 6 years ago

ryanbenedetti commented 6 years ago

Thanks for making this plug-in, Finalist team!

We are getting user info back from our AzureAD tenant, but this error is stopping us right now: "Unexpected: OpenID Connect UserInfo does not contain email field. Cannot correlate to Liferay user."

We have set the portal-ext.properties file as follows:

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://login.microsoftonline.com/{{Our tenant ID here}}/oauth2/token
openidconnect.authorization-location=https://login.microsoftonline.com/{{Our tenant ID here}}/oauth2/authorize
openidconnect.profile-uri=https://login.microsoftonline.com/{{Our tenant ID here}}/openid/userinfo
openidconnect.issuer=https://sts.windows.net/{{Our tenant ID here}}/
openidconnect.client-id={{Our client ID here}}
openidconnect.secret={{Our secret key here}}
openidconnect.scope=openid profile email

Is there some setting we're missing that could be causing this error? We did notice this in ProviderFactory.java: openidconnect.provider

Will setting the value of the provider as follows "openidconnect.provider=AzureAD" help? Or is there another property we need to set that's not included in your README file? Any guidance you can give would be greatly appreciated. Again, thanks for making this!

gvanderploeg commented 6 years ago

Hi,

Thanks for trying out this plugin. Azure AD should work, support for it was added recently. And you are right in finding the property openidconnect.provider, however the value should not be AzureAD but simply azure. I will update the documentation with this, we failed to do this immediately. Please confirm that this works for you, that will probably also help others.

Hope this helps.

Geert

ryanbenedetti commented 6 years ago

Thanks, Geert! We tested that setting and still get the error. Here's more info. on the error:

18:16:19,153 ERROR [http-nio-8443-exec-3][Liferay70Adapter:70] Unexpected: OpenID Connect UserInfo does not contain email field. Cannot correlate to Liferay user. UserInfo: {sub={{REDACTED}}, ver=1.0, aio={{REDACTED}}=, amr={{REDACTED}}, onprem_sid={{OBFUSCATED}}, oid={{REDACTED}}, uti={{REDACTED}}, given_name=Ryan, tid={{REDACTED}}, unique_name=benedett@up.edu, upn=benedett@up.edu, name=Benedetti, Ryan, ipaddr={{REDACTED}}, family_name=Benedetti} So ... we are getting info. back from Azure AD but the email field is missing. I thought it might be the scope but the config from our tenant (https://login.microsoftonline.com/{REDACTED}/v2.0/.well-known/openid-configuration) shows that the openid, profile, and email scopes are enabled on Azure AD.

gvanderploeg commented 6 years ago

Have you tried looking into the fields that are actually sent over the wire? This can be done by enabling debug logging for the OpenID Connect filter (category nl.finalist.liferay.oidc) in the Liferay control panel (Server administration -> log levels)

gvanderploeg commented 6 years ago

Now that I look again at your error message, I'm not sure whether the openidconnect.provider setting is actually working for you. But enabling debug logging (like I proposed in my previous comment) might shed light on this as well, as instantiation of the provider class will output a message on debug level.

ryanbenedetti commented 6 years ago

Geert,

Re: "Have you tried looking into the fields that are actually sent over the wire?" We turned on debugging as you suggested and the following fields are sent back (with my REDACTS added to protect sensitive data):

17:25:41,155 DEBUG [http-nio-8443-exec-2][Liferay70Adapter:60] Setting OpenIDUserInfo object in session: {sub=[REDACTED], ver=1.0, aio=[REDACTED], amr=[REDACTED], onprem_sid=[REDACTED], oid=[REDACTED], uti=[REDACTED] given_name=Adam, tid=[REDACTED], unique_name=murakami@up.edu, upn=murakami@up.edu, name=Murakami, Adam, ipaddr=[REDACTED], family_name=Murakami}

So we are indeed getting data back, just no email.
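To show why a build that correlates only on the `email` claim cannot match this user while a provider-aware mapping can, here is an added Python illustration (not the plugin's own code): it recovers the claim map from a DEBUG line like the one above and picks the correlation address using a per-provider claim order. The `upn`/`unique_name` fallback for `azure` is an assumption made for the illustration; the thread only shows that Azure AD omits `email` and that 0.2.3 with `openidconnect.provider=azure` works.

```python
# Constructed sample, modelled on the DEBUG line quoted in the thread
# (sensitive values redacted, a comma added after the uti claim).
AZURE_USERINFO_LOG = (
    "17:25:41,155 DEBUG [http-nio-8443-exec-2][Liferay70Adapter:60] "
    "Setting OpenIDUserInfo object in session: {sub=[REDACTED], ver=1.0, "
    "aio=[REDACTED], amr=[REDACTED], onprem_sid=[REDACTED], oid=[REDACTED], "
    "uti=[REDACTED], given_name=Adam, tid=[REDACTED], unique_name=murakami@up.edu, "
    "upn=murakami@up.edu, name=Murakami, Adam, ipaddr=[REDACTED], family_name=Murakami}"
)


def parse_userinfo(log_line):
    """Recover the claim map from a Java Map.toString() dump inside a log line.

    Values may themselves contain ', ' (e.g. name=Murakami, Adam), so a token
    without '=' is glued back onto the previous value instead of being dropped.
    """
    body = log_line[log_line.index("{") + 1 : log_line.rindex("}")]
    claims = {}
    last_key = None
    for token in body.split(", "):
        if "=" in token:
            key, value = token.split("=", 1)
            claims[key] = value
            last_key = key
        elif last_key is not None:
            claims[last_key] += ", " + token
    return claims


# Claim names, in order of preference, from which each provider type yields
# the address used to correlate to a Liferay user. The Azure fallback to
# upn / unique_name is an assumption for this illustration, not the plugin's
# documented behaviour.
EMAIL_CLAIMS = {
    "generic": ("email",),
    "azure": ("email", "upn", "unique_name"),
}


def resolve_email(claims, provider="generic"):
    """Return the address to correlate on, or None if no usable claim exists."""
    for name in EMAIL_CLAIMS.get(provider, EMAIL_CLAIMS["generic"]):
        value = claims.get(name)
        if value and "@" in value:
            return value.lower()
    return None
```

With the generic order the sample yields no address (the failure in the thread), while the `azure` order yields `murakami@up.edu`.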

ryanbenedetti commented 6 years ago

We noted that the version built on the Marketplace is listed as 0.2.2, but that the current version with Azure AD additions is the 0.2.3-SNAPSHOT (with the version change being updated on Feb. 27, 2017). We've been using 0.2.2, but we will download/build the 0.2.3 version and see if we can get it working in our DEV environment. We're fairly new to OSGi, so if you have any advice on building this in Liferay Dev Studio for DXP, we would greatly appreciate it.

Thanks again for all of your expedient and expert help, Geert!

ryanbenedetti commented 6 years ago

Geert,

I'm excited to report that after some fiddling with bnd workspace and maven, we got the 0.2.3 version to build, deployed it and we get: "01:26:01,711 TRACE [http-nio-8443-exec-4][Liferay70Adapter:50] Returning credentials for userId"

So we now have success with the plug-in on AzureAD!!! Thanks for all of your help with this!!!

gvanderploeg commented 6 years ago

Hi,

Great to hear that you got it working in the end. And you are right, the version on the marketplace lags behind a bit, especially the Azure AD feature. I will release a new version soon and publish it on the marketplace. Let's keep this issue open until this happens, so to reflect this state...

gvanderploeg commented 6 years ago

Submitted 0.3.0 for review in the marketplace.

gvanderploeg commented 6 years ago

0.3.0 was published on the MP a while ago, will close this now.