ironmansoftware / universal-automation

Universal Automation is the PowerShell-first automation platform.
https://ironmansoftware.com/universal-automation/
MIT License

Cannot login with OIDC and Okta - button doesn't do anything #170

Closed realslacker closed 4 years ago

realslacker commented 4 years ago

Describe the Issue

Configured OpenID-Connect for Okta, however the "Sign-In with OpenID Connect" button doesn't appear to do anything. Nothing appears in the log regarding login at all.

To Reproduce

Steps to reproduce the behavior: (Example)

  1. Install Universal Automation from MSI
  2. Configure licensing
  3. Create an OIDC application on Okta
  4. Configure UA for OIDC
  5. "Sign-In with OpenID Connect" button flashes but doesn't do anything when clicked - no logging no HTTP traffic

Expected behavior

Login with Okta is initiated.

Screenshots

Okta App Config

Script Sample

universalautomation.ps1

Import-Module "$Env:UAPATH\UniversalAutomation\UniversalAutomation.psd1"
Start-UAServer -Port 10000 -InProcess -RepositoryPath C:\ProgramData\UniversalAutomation\Repository -ConnectionString C:\ProgramData\UniversalAutomation\database.db

universalautomation.dashboard.ps1

Import-Module "$Env:UAPATH\UniversalAutomation\UniversalAutomation.psd1"
Import-Module "$Env:UAPATH\UniversalAutomation.Dashboard\UniversalAutomation.Dashboard.psd1"

$ComputerName = "http://localhost:10000"

$OpenIDConnect = New-UDAuthenticationMethod -ResponseType 'id_token token' -ClientSecret 'secret-redacted' -ClientId 'id-redacted' -Authority 'https://tenant.okta.com/oauth2/v1/authorize' -Resource 'https://dashboard.domain.com' -PassThru

$LoginPage = New-UDLoginPage -AuthenticationMethod $OpenIDConnect

Enable-UDLogging -Level Debug -FilePath "$env:ProgramData\UniversalAutomation\logs\debug.log"

Start-UADashboard `
    -ComputerName $ComputerName `
    -Port 443 `
    -CertificateFile "$env:ProgramData\UniversalAutomation\certifcate.pfx" `
    -CertificateFilePassword ('password' | ConvertTo-SecureString -AsPlainText -Force) `
    -LoginPage $LoginPage `
    -Wait

Okta Tenant OIDC Config

{
  "issuer": "https://tenant.okta.com",
  "authorization_endpoint": "https://tenant.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://tenant.okta.com/oauth2/v1/token",
  "userinfo_endpoint": "https://tenant.okta.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://tenant.okta.com/oauth2/v1/clients",
  "jwks_uri": "https://tenant.okta.com/oauth2/v1/keys",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "code token",
    "id_token token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "okta_post_message"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access",
    "groups"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "claims_supported": [
    "iss",
    "ver",
    "sub",
    "aud",
    "iat",
    "exp",
    "jti",
    "auth_time",
    "amr",
    "idp",
    "nonce",
    "name",
    "nickname",
    "preferred_username",
    "given_name",
    "middle_name",
    "family_name",
    "email",
    "email_verified",
    "profile",
    "zoneinfo",
    "locale",
    "address",
    "phone_number",
    "picture",
    "website",
    "gender",
    "birthdate",
    "updated_at",
    "at_hash",
    "c_hash"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "introspection_endpoint": "https://tenant.okta.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "revocation_endpoint": "https://tenant.okta.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt",
    "none"
  ],
  "end_session_endpoint": "https://tenant.okta.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ]
}

Version Information

Additional context

It would be really nice if Okta was one of the supported Oauth2 providers since the config is pretty much the same in all of the tenants.

adamdriscoll commented 4 years ago

Hey @realslacker,

I'm wondering if you would be open to trying out our next version. We are improving the authentication and authorization experience by bringing UD into the UA management experience and unifying the platforms. It'll be a single service now with a slightly different configuration experience but all your UA scripts and schedules will remain the same.

It's still just an MSI install and I can provide some documentation on how to configure OIDC. I'm not specifically using Okta at the moment but I'll work on getting a test environment up and running to help troubleshoot what's going on here.

realslacker commented 4 years ago

Sure, I would be happy to play around with it

adamdriscoll commented 4 years ago

Great. I will get a kit together and should have something for you to play with tomorrow.

adamdriscoll commented 4 years ago

We ran into an issue in QA that prevented a solid release from going out today. I'll keep you posted.

adamdriscoll commented 4 years ago

You can download the latest version of our MSI here: https://universalautomation.blob.core.windows.net/universal/PowerShellUniversal.1.0.0.msi

Please uninstall the current UA instance that you have running using the MSI installer. Then install using this MSI. You will have only one service (PowerShell Universal).

To configure OIDC, you will need to create an appsettings.json file in C:\ProgramData\Universal.

Include the following information:

{
  "Authentication": {
    "OIDC": {
      "Enabled": "true",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "<clientID>",
      "ClientSecret": "<clientSecret>",
      "Resource": "",
      "Authority": "<authority>",
      "ResponseType": "id_token token",
      "SaveTokens": "true"
    }
  }
}

After changing these settings, you'll need to restart the service.

From there, you should be able to login to localhost:5000 and it should automatically redirect to your Okta login page. After logging in, you should be redirected back to localhost:5000. If you click the Settings\Identities tab, you'll be able to see the Identity that you logged in as.
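A pre-restart sanity check for an OIDC block like the one above, added here as an example (it is not from the issue or the PowerShell Universal project): it compares the appsettings.json values with the tenant's discovery document, which the ASP.NET Core OpenID Connect handler fetches from Authority plus /.well-known/openid-configuration. Both JSON inputs are constructed from values quoted in this issue and are assumed to be offline copies.

```powershell
# Constructed inputs based on values quoted in the issue (not the project's own code).
$AppSettingsJson = @'
{
  "Authentication": {
    "OIDC": {
      "Enabled": "true",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "id-redacted",
      "ClientSecret": "secret-redacted",
      "Authority": "https://tenant.okta.com/oauth2/v1/authorize",
      "ResponseType": "id_token token"
    }
  }
}
'@
# Trimmed copy of the tenant's discovery document; the ASP.NET Core OIDC handler
# fetches it from "$Authority/.well-known/openid-configuration" (offline copy assumed here).
$DiscoveryJson = @'
{
  "issuer": "https://tenant.okta.com",
  "response_types_supported": ["code", "id_token", "id_token token", "code id_token token"],
  "code_challenge_methods_supported": ["S256"]
}
'@

function Test-OidcSettings {
    param([string]$AppSettings, [string]$Discovery)
    $oidc = (ConvertFrom-Json $AppSettings).Authentication.OIDC
    $doc  = ConvertFrom-Json $Discovery
    $findings = @()
    # Authority must be the issuer, not an endpoint beneath it: the handler appends
    # /.well-known/openid-configuration to Authority, which fails on the authorize URL.
    if ($oidc.Authority.TrimEnd('/') -ne $doc.issuer.TrimEnd('/')) {
        $findings += "Authority '$($oidc.Authority)' is not the issuer '$($doc.issuer)'"
    }
    if ($doc.response_types_supported -notcontains $oidc.ResponseType) {
        $findings += "ResponseType '$($oidc.ResponseType)' is not advertised by the provider"
    }
    # Any response type without 'code' is the implicit flow (tokens in the URL fragment);
    # prefer 'code' with PKCE when the provider advertises S256.
    if (($oidc.ResponseType -split ' ') -notcontains 'code' -and $doc.code_challenge_methods_supported -contains 'S256') {
        $findings += "ResponseType uses the implicit flow; provider supports code + PKCE (S256)"
    }
    if (-not $oidc.CallbackPath -or -not $oidc.CallbackPath.StartsWith('/')) {
        $findings += "CallbackPath must be site-relative and registered as the Okta redirect URI"
    }
    return $findings
}
Test-OidcSettings -AppSettings $AppSettingsJson -Discovery $DiscoveryJson
```

Each returned string is one finding to fix before restarting the service; an empty result means the three checks passed against that discovery document.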

realslacker commented 4 years ago

I need to run this over HTTPS for Okta to work correctly, how do I specify the certificate in the appsettings.json?

adamdriscoll commented 4 years ago

To configure HTTPS, in the appsettings.json, you can do something like this:

{
  "Kestrel": {
    "Endpoints": {
      "HTTP": { "Url": "http://*:5000" },
      "HTTPS": {
        "Url": "https://*:5463",
        "Certificate": {
          "Path": "testCert.pfx",
          "Password": "testPassword"
        }
      }
    }
  }
}

For a full list of examples, see here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1#listenoptionsusehttps

It should go in the appsettings.json file in the program data folder.

realslacker commented 4 years ago

This is really frustrating. I've configured my certificate as follows:

{
    "Kestrel": {
        "Endpoints": {
            "HTTP": { "Url": "http://*:80" },
            "HTTPS": {
                "Url": "https://*:443",
                "Certificate": {
                    "Subject": "redacted",
                    "Store": "My",
                    "Location": "LocalMachine"
                }
            }
        }
    }
}

After which I get an SSL error "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY".

Also, in all of these upgrades and downgrades it seems Universal is no longer recognizing my UA license, my key is not showing on my account, and when I try to use the key in my email it says "Failed to add license."

I only have one job on here right now since I have to keep rebuilding this installation. It almost doesn't seem worth the effort.

adamdriscoll commented 4 years ago

We've added documentation for OpenID Connect: https://docs.ironmansoftware.com/config/security/openid-connect

And web server configuration: https://docs.ironmansoftware.com/config/hosting#web-server-configuration

I know you've stopped using UA but wanted to close this issue with our resolutions.