finalist / liferay-oidc-plugin

Plugin for Liferay, enabling OpenID Connect authentication
Apache License 2.0
21 stars 31 forks

Liferay 7.0 No Current OpenId Connect conversation #45

Closed Maakaapeli closed 4 years ago

Maakaapeli commented 4 years ago

Hello.

I have encountered a problem and I'm not sure why this occurs.

I have installed the OpenID Connect plugin and configured it for my environment. Now I'm trying to access a private site as a guest (/group/private-site), which should start the autologin sequence with the OpenID Connect plugin. Now all I get is a redirect to /home, and the Liferay server loops the TRACE message "No current OpenID Connect conversation, no autologin". It seems that this returns null every time.

```java
Map<String, String> userInfo = (Map<String, String>) session.getAttribute(LibFilter.OPENID_CONNECT_SESSION_ATTR);
```

Where is this attribute first set, and what could resolve this problem?

gvanderploeg commented 4 years ago

Hi,

Is this the only log message you see in the logs, regarding the OIDC filter? Can you share your configuration (privacy sensitive values masked/scrambled)?

> Where is this attribute first set, and what could resolve this problem?

It's set in LibFilter, in the method exchangeCodeForAccessToken(), after the UserInfo response from the Identity Provider:

```java
liferay.debug("Setting OpenIDUserInfo object in session: " + openIDUserInfo);
request.getSession().setAttribute(OPENID_CONNECT_SESSION_ATTR, openIDUserInfo);
```

Maakaapeli commented 4 years ago

That is the only message from the filter, yes. Do you mean the plugin configuration or the whole portal?

gvanderploeg commented 4 years ago

I indeed meant plugin configuration, not the whole portal.

If you are sure that the trace message is the only one: then it means that the filter class is not active, but only the Autologin class. I would guess that either your configuration is not OK, or that something's wrong on a deployment/OSGi-activation level... Can you try to diagnose the bundle using Gogo-shell? (lb for list bundles, diag xx with the plugin's bundle id, b xx with the plugin's bundle id)

Maakaapeli commented 4 years ago

The plugin is active according to telnet. I can also confirm this when I have already logged in to the portal and then try to access a private page. I get the log message "In processFilter()..."

Plugin configuration as follows (information obfuscated with *):


```
https://***.***.**/auth/realms/****/protocol/openid-connect/auth
location of the token service
https:/***.***.**/auth/realms/****/protocol/openid-connect/token
UserInfo endpoint
https://***.***.**/auth/realms/***/protocol/openid-connect/userinfo
Issuer:
https://*****.*****.****/auth/realms/*****
Scope(s) of the access token
openid profile email
OAuth client ID
**************
OAUTH client secret
***************************
OpenId provider type
generic
SSO Lougout endpoint
https://***************.***********.*********/auth/realms/***************/protocol/openid-connect/logout
```

Maakaapeli commented 4 years ago

Found the problem. We had a reverse proxy that was hardened too much. The issue is closed for now.