oidc-wp / openid-connect-generic

WordPress plugin to provide an OpenID Connect Generic client
https://wordpress.org/plugins/daggerhart-openid-connect-generic/

Unable to configure plugin against Oracle IDCS #325

Open dralquinta opened 3 years ago

dralquinta commented 3 years ago

Hi folks,

I'm trying to configure the plugin by using WP 5.8 and Oracle IDCS.

For all purposes, the configuration looks ok. From IDCS Perspective, I'm generating the Client Secret and Client ID, which later on I'm pushing to plugin config.

My issue comes with the redirect URL. I've tried to use cases and all of them fail miserably:

  1. Using a Redirect URL to a specific URI that I want to protect:

I'll get the following error:

{"error":"invalid_redirect_uri","error_description":"Client 59f1b28ec5cd46798413354e402b01c1 requested an invalid redirect URL: https://nginxsvc/wp-admin/admin-ajax.php\?action=openid-connect-authorize. ECID: P4VVn1g7U00000000"}

That's expected however, as the plugin explicitly says that I should use that as the redirect URL.

  2. If I provide this as the redirect URL on IDCS: a) I'll get prompted for my username and password on the IDCS login screen; b) once authenticated, the authorization will fail with the typical WordPress error saying:

ERROR (invalid_request): The request contains invalid parameters or values.

And plugin log will show

string(304) "https://idcs-dd101bb2fd6b4bc2afc1d07fe9941121.identity.oraclecloud.com/oauth2/v1/authorize?response_type=code&scope=openid&client_id=59f1b28ec5cd46798413354e402b01c1&state=90a16526b8c8ccc619f1408d15b5e37f&redirect_uri=https%3A%2F%2Fnginxsvc%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize"

Which later shows this:

object(WP_Error)#980 (3) {
["errors"]=>
array(1) {
["invalid_request"]=>
array(1) {
[0]=>
string(50) "The request contains invalid parameters or values."
}
}
["error_data"]=>
array(1) {
["invalid_request"]=>
array(6) {
["headers"]=>
object(Requests_Utility_CaseInsensitiveDictionary)#981 (1) {
["data":protected]=>
array(14) {
["cache-control"]=>
string(35) "no-cache, no-store, must-revalidate"
["content-length"]=>
string(3) "100"
["content-type"]=>
string(30) "application/json;charset=UTF-8"
["date"]=>
string(29) "Wed, 04 Aug 2021 20:35:22 GMT"
["expires"]=>
string(29) "Sat, 01 Jan 2000 00:00:00 GMT"
["pragma"]=>
string(8) "no-cache"
["server"]=>
string(29) "Oracle Identity Cloud Service"
["strict-transport-security"]=>
string(36) "max-age=315360000; includeSubDomains"
["via"]=>
string(19) "1.1 net-idcs-config"
["x-content-type-options"]=>
string(7) "nosniff"
["x-frame-options"]=>
string(4) "deny"
["x-oracle-dms-ecid"]=>
string(17) "bnuQd1nG110000000"
["x-oracle-dms-rid"]=>
string(3) "0:1"
["x-xss-protection"]=>
string(13) "1; mode=block"
}
}
["body"]=>
string(100) "{"error":"invalid_request","error_description":"The request contains invalid parameters or values."}"
["response"]=>
array(2) {
["code"]=>
int(400)
["message"]=>
string(11) "Bad Request"
}
["cookies"]=>
array(0) {
}
["filename"]=>
NULL
["http_response"]=>
object(WP_HTTP_Requests_Response)#982 (5) {
["response":protected]=>
object(Requests_Response)#983 (10) {
["body"]=>
string(100) "{"error":"invalid_request","error_description":"The request contains invalid parameters or values."}"
["raw"]=>
string(641) "HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 100
Content-Type: application/json;charset=UTF-8
Date: Wed, 04 Aug 2021 20:35:22 GMT
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Server: Oracle Identity Cloud Service
Strict-Transport-Security: max-age=315360000; includeSubDomains
Via: 1.1 net-idcs-config
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Oracle-Dms-Ecid: bnuQd1nG110000000
X-Oracle-Dms-Rid: 0:1
X-Xss-Protection: 1; mode=block
Connection: close

{"error":"invalid_request","error_description":"The request contains invalid parameters or values."}"
["headers"]=>
object(Requests_Response_Headers)#984 (1) {
["data":protected]=>
array(14) {
["cache-control"]=>
array(1) {
[0]=>
string(35) "no-cache, no-store, must-revalidate"
}
["content-length"]=>
array(1) {
[0]=>
string(3) "100"
}
["content-type"]=>
array(1) {
[0]=>
string(30) "application/json;charset=UTF-8"
}
["date"]=>
array(1) {
[0]=>
string(29) "Wed, 04 Aug 2021 20:35:22 GMT"
}
["expires"]=>
array(1) {
[0]=>
string(29) "Sat, 01 Jan 2000 00:00:00 GMT"
}
["pragma"]=>
array(1) {
[0]=>
string(8) "no-cache"
}
["server"]=>
array(1) {
[0]=>
string(29) "Oracle Identity Cloud Service"
}
["strict-transport-security"]=>
array(1) {
[0]=>
string(36) "max-age=315360000; includeSubDomains"
}
["via"]=>
array(1) {
[0]=>
string(19) "1.1 net-idcs-config"
}
["x-content-type-options"]=>
array(1) {
[0]=>
string(7) "nosniff"
}
["x-frame-options"]=>
array(1) {
[0]=>
string(4) "deny"
}
["x-oracle-dms-ecid"]=>
array(1) {
[0]=>
string(17) "bnuQd1nG110000000"
}
["x-oracle-dms-rid"]=>
array(1) {
[0]=>
string(3) "0:1"
}
["x-xss-protection"]=>
array(1) {
[0]=>
string(13) "1; mode=block"
}
}
}
["status_code"]=>
int(400)
["protocol_version"]=>
float(1.1)
["success"]=>
bool(false)
["redirects"]=>
int(0)
["url"]=>
string(86) "https://idcs-dd101bb2fd6b4bc2afc1d07fe9941121.identity.oraclecloud.com/oauth2/v1/token"
["history"]=>
array(0) {
}
["cookies"]=>
object(Requests_Cookie_Jar)#985 (1) {
["cookies":protected]=>
array(0) {
}
}
}
["filename":protected]=>
NULL
["data"]=>
NULL
["headers"]=>
NULL
["status"]=>
NULL
}
}
}
["additional_data":protected]=>
array(0) {
}
}

At this point I'm not entirely sure how to proceed, as I'm sure this is something really dumb, but I'm unable to see it.

Other plugins (paid, of course) are working fine, however I can't make this one work properly. I can reproduce this at will in less than 5 minutes from a built-from-scratch environment.

Can you guys give me any hints on what I'm doing wrong? The most I've been able to get is the wiki recommendation that says the URL https://nginxsvc/wp-admin/admin-ajax.php?action=openid-connect-authorize (in my case) should be whitelisted, but I have no real place to do that in the first place, so I'm trapped in a dead end.

Any pointers are appreciated.

DA.
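The two failures in this report hinge on how an IdP checks the redirect_uri it receives against the one registered for the client. OpenID Connect Core requires a Simple String Comparison, so the query string (`?action=openid-connect-authorize`) is part of the value and neither `https://nginxsvc/wp-admin/` nor the bare host can stand in for it. The following is an added example, not code from the plugin or from Oracle IDCS, showing the checks an IdP performs on the authorization request before it renders a login page; the client_id, state and tenant host in the sample URL are placeholders, and the `invalid_redirect_uri` error code is the one quoted above in the IDCS response.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample values for this example: the redirect URI the plugin
# documents (as registered at the IdP) and the authorize URL the plugin logs,
# with the client_id, state and tenant replaced by placeholders.
REGISTERED_REDIRECT_URIS = {
    "https://nginxsvc/wp-admin/admin-ajax.php?action=openid-connect-authorize",
}

AUTHORIZE_URL = (
    "https://idcs-TENANT_PLACEHOLDER.identity.oraclecloud.com/oauth2/v1/authorize"
    "?response_type=code&scope=openid&client_id=CLIENT_ID_PLACEHOLDER"
    "&state=STATE_PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fnginxsvc%2Fwp-admin%2Fadmin-ajax.php"
    "%3Faction%3Dopenid-connect-authorize"
)


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact-match comparison of a registered and a requested redirect URI.

    OpenID Connect Core 3.1.2.1 mandates Simple String Comparison, so the
    query component counts and no normalisation (trailing slash, case,
    default port) is applied. A fragment is rejected outright because
    RFC 6749 3.1.2 forbids one in a redirect URI.
    """
    if urlsplit(requested).fragment:
        return False
    return registered == requested


def requested_redirect_uri(authorize_url: str) -> Optional[str]:
    """Extract the percent-decoded redirect_uri parameter of an authorization request."""
    params = dict(parse_qsl(urlsplit(authorize_url).query, keep_blank_values=True))
    return params.get("redirect_uri")


def validate_authorize_request(authorize_url: str, registered: set) -> dict:
    """Run the redirect_uri checks an IdP applies before showing its login page.

    Returns {'ok': True, 'redirect_uri': ...} on success, otherwise {'ok': False,
    'error': <code>} with the OAuth error code a server would report. The
    server must never redirect to an unregistered URI, so on failure the
    error is shown to the user agent directly, as IDCS does.
    """
    requested = requested_redirect_uri(authorize_url)
    if requested is None:
        return {"ok": False, "error": "invalid_request"}
    # Only https redirect targets are accepted for a web client.
    if urlsplit(requested).scheme != "https":
        return {"ok": False, "error": "invalid_redirect_uri"}
    if not any(redirect_uri_matches(r, requested) for r in registered):
        return {"ok": False, "error": "invalid_redirect_uri"}
    return {"ok": True, "redirect_uri": requested}


if __name__ == "__main__":
    print(validate_authorize_request(AUTHORIZE_URL, REGISTERED_REDIRECT_URIS))
    print(validate_authorize_request(AUTHORIZE_URL, {"https://nginxsvc/wp-admin/"}))
```

Registering `https://nginxsvc/wp-admin/` while the plugin sends the admin-ajax URL with its query string therefore fails the first check at the IdP; registering the exact admin-ajax URL passes it, which is why the second scenario in the report gets as far as the login page and only fails later at the token step.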

timnolte commented 3 years ago

@dralquinta so the redirect URI using 'https://nginxsvc/' seems wrong, as it should be the domain name of your site and where the IDP would be redirecting back to. How is the Oracle IDP even getting you back to your site, or even allowing you to log in, given that redirect URI? I'm not really familiar with the Oracle service and what it is expecting for setup. I'm assuming you have all of the relevant plugin information populated from the .well-known OpenID Connect configuration endpoint. Can you provide the endpoint URL that contains all of the OpenID Connect configuration information?

timnolte commented 3 years ago

@dralquinta does this article match the sort of initial setup that you did? One note is that I would recommend also enabling the Refresh Token feature as well as the Authorization Code feature. https://www.ateam-oracle.com/using-openid-connect-to-delegate-authentication-to-oracle-identity-cloud-service

dralquinta commented 3 years ago

Hi @timnolte

Thanks for getting back to me. The configuration done from the IDCS side is closer to what's explained in this link: https://blogs.oracle.com/developers/authenticating-users-with-oracle-idcs-via-openid-connect-and-micronaut

Dropping the Micronaut part (and replacing that with WordPress), the general steps are the same:

With this, it'll give me a client ID and a client secret that I later configure in the WordPress plugin.

The relevant values put there are:

Login Type: OpenID Connect button on login form
Client ID: The ID given by IDCS
Client Secret Key: The secret given by IDCS
OpenID Scope: openid
Login Endpoint URL: https://idcs-dd1........121.identity.oraclecloud.com/oauth2/v1/authorize
Userinfo Endpoint URL: https://idcs-dd1..........121.identity.oraclecloud.com/oauth2/v1/userinfo
Token Validation Endpoint URL: https://idcs-dd1............121.identity.oraclecloud.com/oauth2/v1/token
End Session Endpoint URL: https://idcs-dd10........1121.identity.oraclecloud.com/oauth2/v1/userlogout

To be totally honest, at this point I'm not really sure what I'm doing wrong. The only thing that draws my attention is the redirect URL, which certainly plays a part in the 3-legged auth process; however, of the two options I've configured (the logical one and the crazy one), neither seems to work.

Just to clarify, the name nginxsvc is a local alias in my /etc/hosts (to mock a DNS name) and the IP address is a public LBaaS service inside OCI, which later on will balance to the pods (deployed on K8s) that host the WordPress implementation. For practical purposes, consider it an FQDN fully enabled with SSL, so we should be good with that (unless there are specific requirements for the name that I should follow).

Does that clarify the config a bit better? Please let me know. I really want to use the plugin, but I'm trapped in the middle now :(

DA.

timnolte commented 3 years ago

@dralquinta to clarify, that Micronaut setup is wrong for this plugin. It uses the Authorization Code flow. The article I provided aligns with how the application should be configured for this plugin.

dralquinta commented 3 years ago

I've done an update on the config.

So if you see, now only Refresh Token and Authorization Code are marked.

Do you see something that calls your attention?

And so, just to clarify: both links (the one I followed and the one from the A-Team) are using the Authorization option as true. So does that mean that I should be using another option? If so, any ideas which one?

dralquinta commented 3 years ago

Forgot to mention. This is what happens when I do the login flow:

Now, if I replace the redirect URL in IDCS and, instead of https://nginxsvc/wp-admin/admin-ajax.php?action=openid-connect-authorize, I use https://nginxsvc/wp-admin/ or anything different from the redirect URL the plugin specifies, I get this. (I've tried both https://nginxsvc/wp-admin and https://nginxsvc/ with the same results.)

I really hope that sheds some light on what I'm seeing.

timnolte commented 3 years ago

@dralquinta a couple of things. I would never share your client ID and secret in public like you did. You are going to want to regenerate these and not use the ones you included in the screenshots. The other thing I see is that it is probably the case that the Oracle IDP doesn't support parameters in the redirect URI. You will want to use the alternate redirect URI option of the plugin.

dralquinta commented 3 years ago

No worries. It's all disposable and at this point not even alive anymore :)

Using the alternate URL produces the same results, so I'm positive in saying that something else is going on.

If you have any ideas please let me know.

timnolte commented 3 years ago

@dralquinta so, I was able to sign up for a free Oracle Cloud Service account and set up Oracle IDCS to use along with my testing site. I'm hitting the same issue as you are, and from what I can tell the Oracle IDCS IDP doesn't like the URL it is getting from the plugin when requesting a token. So the authentication is taking place, but then when the plugin makes the request for the token it is failing.

dralquinta commented 3 years ago

Interesting.

I've tried another plugin where the redirect URL is different (a simple URL with no context) and indeed it goes fine after doing the authentication; however, this plugin is very limited in functionality in its freeware version, as it only works as a PoC.

Besides the one the plugin already implements, is there any way to override that? I've not checked the code implementation, but as a wild guess I believe the URL (even the pretty one) is pivotal for the plugin's success. (If I'm wrong please let me know.)

I'm wondering what's the best way to tackle this. I can definitely go back to Oracle and file a bug against IDCS if I have sufficient evidence to support the report; however, I'm wondering if there is something I can do to help in maybe enhancing/fixing the plugin?

WordPress is very popular among our customers and having integration via OpenID is, in my view, paramount, so we definitely want to have it.

What do you think ?

Thanks!

DA.

timnolte commented 3 years ago

@dralquinta there is no problem with the plugin redirect URL. This error has nothing to do with that. I believe, after looking at this documentation (https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/openidconnectauthcode.html), that it has to do with attempting to use a Confidential Client application registration vs. a Public Client application registration. This WordPress plugin specifically implements the Public Client form of requesting the Authorization Code and Token. I haven't found a way to change the application client configuration to Public, as I see it's always disabled; only Trusted or Confidential are available.

Again, to be clear on what is happening: WordPress/the plugin is properly sending users to the Oracle IDCS IDP, authentication is successful there, and the plugin is being called upon return to WordPress. At that point the flow is for the plugin to request the Token, and that is what is being rejected with the error by Oracle IDCS. Oracle IDCS won't accept the Public Client form of the token request when the registered application is set up as a Confidential Client.
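The distinction the maintainer draws comes down to how the client identifies itself on the token request. RFC 6749 and OpenID Connect Core define three ways a client can do this on the authorization_code grant: no authentication at all (a public client sends only client_id in the body), client_secret_post (client_id and client_secret in the form body) and client_secret_basic (credentials in an HTTP Basic Authorization header, nothing secret in the body). Which of these the plugin actually sends is not shown on this page, so the example below, which is added here and is not the plugin's or Oracle's code, builds all three forms side by side, classifies a captured token request so a troubleshooter can compare what went over the wire with what the IdP's registration type expects, and parses the error body quoted in the log above. The endpoint, client ID, secret and code are placeholders.

```python
import base64
import json
from urllib.parse import parse_qsl, quote, urlencode

# Placeholder values for this example; nothing here is a real credential.
TOKEN_ENDPOINT = "https://idcs-TENANT_PLACEHOLDER.identity.oraclecloud.com/oauth2/v1/token"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://nginxsvc/wp-admin/admin-ajax.php?action=openid-connect-authorize"

AUTH_METHODS = ("none", "client_secret_post", "client_secret_basic")


def build_token_request(code, client_id, client_secret=None, auth_method="none",
                        redirect_uri=REDIRECT_URI):
    """Return (headers, body) for an authorization_code token request.

    'none'                -> public client: client_id only, no secret (RFC 6749 4.1.3)
    'client_secret_post'  -> client_id and client_secret as form fields (RFC 6749 2.3.1)
    'client_secret_basic' -> HTTP Basic header, credentials form-urlencoded before
                             base64 (RFC 6749 2.3.1); the body then carries no
                             client credentials, so only one method is in use.
    """
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "none":
        params["client_id"] = client_id
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        raise ValueError(f"unknown client authentication method: {auth_method}")
    return headers, urlencode(params)


def classify_token_request(headers, body):
    """Name the client authentication method a captured token request used.

    Returns one of AUTH_METHODS, or 'mixed' when both a Basic header and a
    client_secret field are present, which RFC 6749 2.3 forbids.
    """
    fields = dict(parse_qsl(body, keep_blank_values=True))
    has_basic = headers.get("Authorization", "").startswith("Basic ")
    has_secret = "client_secret" in fields
    if has_basic and has_secret:
        return "mixed"
    if has_basic:
        return "client_secret_basic"
    if has_secret:
        return "client_secret_post"
    return "none"


def parse_token_response(status_code, body):
    """Turn a token endpoint reply into a small result dict.

    Error replies carry 'error' and 'error_description' (RFC 6749 5.2), which
    is the shape of the 400 response dumped earlier in this issue.
    """
    data = json.loads(body)
    if status_code != 200 or "error" in data:
        return {"ok": False, "error": data.get("error"),
                "description": data.get("error_description")}
    return {"ok": True, "access_token": data["access_token"],
            "id_token": data.get("id_token")}


if __name__ == "__main__":
    for method in AUTH_METHODS:
        hdrs, body = build_token_request("CODE_PLACEHOLDER", CLIENT_ID, CLIENT_SECRET, method)
        print(method, "->", classify_token_request(hdrs, body))
    # Constructed copy of the error body shown in the issue's debug output.
    print(parse_token_response(400, '{"error":"invalid_request",'
                               '"error_description":"The request contains invalid parameters or values."}'))
```

Run against a token request captured from the plugin's debug log, `classify_token_request` tells you which of the three forms was sent; if the IdP registration is Confidential and the request arrives in the `none` form, a generic `invalid_request` like the one quoted above is the kind of rejection to expect.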