rockcarver / frodo-lib

A library to manage ForgeRock Identity Cloud tenants, ForgeOps deployments, and classic deployments.
MIT License

Frodo unable to connect to improperly configured platform deployment #94

Closed vscheuber closed 1 year ago

vscheuber commented 1 year ago

Frodo Library version

Provide output of getVersion or use the CLI to get the version frodo -v

cli: v0.12.2
lib: v0.12.1
node: v18.1.0

Describe the issue

Reported by Stephen Payne on August 28:

Frodo is unable to connect to a platform instance, which is improperly configured.

% frodo journey import -k https://platform.example.com:9443/am -i RegisterIddataweb -f RegisterIdDataWeb.journey.json https://platform.example.com:9443/am amAdmin Passw0rd
Error getting cookie name: Error: Request failed with status code 400
error authenticating - Request failed with status code 400
vscheuber commented 1 year ago

At first this looked like a total mystery to me. The UI was able to login just fine but frodo was throwing a fit. Turns out that all my Postman API calls failed, too, which made it even more suspicious.

It appears that either AM or the reverse proxy fronting AM is misconfigured and all API calls fail unless they:

For some reason, the UI is omitting the host header altogether and thus was lucky to just work. But I am pretty sure the env is heavily impaired as most API requests do include the host header by default (set automatically to the host name). In this case the AM server is configured with a different host name (am.example.com:8081) than the reverse proxy (platform.example.com:9443), causing AM to report with the following error to every authentication request:

{
    "code": 400,
    "reason": "Bad Request",
    "message": "Realm not found"
}

Another issue is that the instance is using a default authentication journey in the root realm that is Frodo-incompatible (the journey has social login enabled, which frodo does not support). Frodo currently supports only simple authentication journeys using username/password and frodo supports the ID Cloud tenant admin login journey for admins with MFA disabled.

vscheuber commented 1 year ago

The latest version (cli: v0.13.0, lib: v0.12.4) of frodo now allows two new parameters when adding a connection profile:

--authentication-service [service] Name of the authentication service/tree to use.
--authentication-header-overrides [headers] Map of headers: {"host":"am.example.com:8081"}.

These parameters are currently only supported in the frodo conn add command and the configuration elements will be automatically applied to commands issued using that connection profile.

% frodo conn add https://platform.example.com:9443/am username password --authentication-service ldapService --authentication-header-overrides '{"host":"am.example.com:8081"}' -k
ForgeOps deployment detected.
Connected to ForgeRock Access Management 7.2.0 Build 64ef7ebc01ed3df1a1264d7b0400351bc101361f (2022-June-27 08:15)
Saving creds in /Users/vscheuber/.frodo/.frodorc...
Updating connection profile https://platform.example.com:9443/am
Advanced setting: Authentication Service: ldapService
Advanced setting: Authentication Header Overrides: 
{ host: 'am.example.com:8081' }
%

After the connection profile is created with the additional parameters, the environment can be accessed as usual. In this case it requires the -k parameter for every command, as the environment uses a self-signed certificate.

% frodo journey list platform alpha -k 
ForgeOps deployment detected.
Connected to ForgeRock Access Management 7.2.0 Build 64ef7ebc01ed3df1a1264d7b0400351bc101361f (2022-June-27 08:15)
Listing journeys in realm "alpha"...
Agent
Example
Facebook-ProvisionIDMAccount
Google-AnonymousUser
Google-DynamicAccountCreation
HmacOneTimePassword
PersistentCookie
PlatformForgottenUsername
PlatformLogin
PlatformProgressiveProfile
PlatformRegistration
PlatformResetPassword
PlatformUpdatePassword
RetryLimit
%