Fetching OIDC user info failed

[fxjordan]

After creating a new learning layers account, I experienced an error (500 Internal Server error) with the following response body for all API requests:

Fetching OIDC user info failed

Since I have not created new users for some time, this might be related to the migration of the OIDC identity server from learning-layers.eu to auth.las2peer.org. We had a similar problem in the Gamification Framework for the same reason.

TODO: add backend logs

[fxjordan]

las2peer service logs:

2022 Sep 24 15:36:38 INFO i5.las2peer.connectors.webConnector.util.AuthenticationManager: OIDC sub found. Authenticating...
2022 Sep 24 15:36:38 INFO i5.las2peer.connectors.webConnector.util.AuthenticationManager: attempting login with id: reqbazbot
2022 Sep 24 15:36:38 FINER i5.las2peer.p2p.PastryNodeImpl: ARTIFACT_FETCH_STARTED (2060)    <0x418909..>/reqbaz/137.226.232.38:9011 -   -   -   USER_NAME-reqbazbot 
2022 Sep 24 15:36:38 FINE i5.las2peer.persistency.SharedStorage: Starting latest version lookup for USER_NAME-reqbazbot at 1
2022 Sep 24 15:36:38 FINE i5.las2peer.persistency.helper.LatestArtifactVersionFinder: Looking for metadata envelope with identifier 'USER_NAME-reqbazbot' and version 1 at id F2E4B095B36F292D02F57187299993E98838FD22 ...
2022 Sep 24 15:36:38 FINE i5.las2peer.persistency.helper.LatestArtifactVersionFinder: Lookup got 0 past handles for identifier 'USER_NAME-reqbazbot' and version 1
2022 Sep 24 15:36:38 FINER i5.las2peer.p2p.PastryNodeImpl: ARTIFACT_FETCH_FAILED (-2065)    <0x418909..>/reqbaz/137.226.232.38:9011 -   -   -   USER_NAME-reqbazbot 
2022 Sep 24 15:36:38 INFO i5.las2peer.connectors.webConnector.util.AuthenticationManager: OIDC sub uknown. Auto-register...
2022 Sep 24 15:36:38 SEVERE i5.las2peer.connectors.webConnector.WebConnector: Internal Server Error: Fetching OIDC user info failed
javax.ws.rs.InternalServerErrorException: Fetching OIDC user info failed
    at i5.las2peer.connectors.webConnector.util.AuthenticationManager.retrieveOidcUserInfo(AuthenticationManager.java:210)
    at i5.las2peer.connectors.webConnector.util.AuthenticationManager.createNewOidcAgent(AuthenticationManager.java:270)
    at i5.las2peer.connectors.webConnector.util.AuthenticationManager.authenticateOIDC(AuthenticationManager.java:152)
    at i5.las2peer.connectors.webConnector.util.AuthenticationManager.authenticateAgent(AuthenticationManager.java:78)
    at i5.las2peer.connectors.webConnector.WebConnector.authenticateAgent(WebConnector.java:660)
    at i5.las2peer.connectors.webConnector.WebConnectorRequestHandler.authenticate(WebConnectorRequestHandler.java:173)
    at i5.las2peer.connectors.webConnector.WebConnectorRequestHandler.handle(WebConnectorRequestHandler.java:147)
    at i5.las2peer.connectors.webConnector.WebConnectorRequestHandler.handleGET(WebConnectorRequestHandler.java:119)
    at jdk.internal.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:564)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)
    at org.glassfish.jersey.jdkhttp.JdkHttpHandlerContainer.handle(JdkHttpHandlerContainer.java:135)
    at jdk.httpserver/com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:77)
    at jdk.httpserver/sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:82)
    at jdk.httpserver/com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:80)
    at jdk.httpserver/sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:692)
    at jdk.httpserver/com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:77)
    at jdk.httpserver/sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:664)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:832)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching api.learning-layers.eu found.
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
    at java.base/sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1982)
    at java.base/sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1977)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1976)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1544)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1528)
    at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:308)
    at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:674)
    at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:627)
    at i5.las2peer.connectors.webConnector.util.AuthenticationManager.retrieveOidcUserInfo(AuthenticationManager.java:208)
    ... 37 more
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching api.learning-layers.eu found.
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1475)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1381)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1600)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1528)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
    at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:663)
    ... 39 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching api.learning-layers.eu found.
    at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:412)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
    ... 56 more
2022 Sep 24 15:36:38 FINER i5.las2peer.p2p.PastryNodeImpl: CONNECTOR_ERROR (-9100)  <0x418909..>/reqbaz/137.226.232.38:9011 -   -   -   WebConnector: Internal Server Error: Fetching OIDC user info failed

[fxjordan]

The oidc_provider header does not seem to work. The frontend already sets this to https://auth.las2peer.org/o/oauth2, so it should NOT use api.learning-layers.eu.

Upgrading to the latest las2peer version would solve the problem, because the new auth.las2peer.org domain is used by default. However, I'll first try to debug this issue

[fxjordan]

The oidc_provider header is not working because it's removed by the Nginx reverse proxy in front of the Requirements Bazaar service (see https://github.com/rwth-acis/las2peer/issues/161).

Therefore, las2peer is falling back to the default provider, which is still api.learning-layers.eu in version 1.1.2.

[fxjordan]

Registration of new users is working again (at least on beta) with fix of #174

[bjadel]

When will the bugfix be rolled out to the instance https://requirements-bazaar.org ?

[fxjordan]

I'll do it today. Sorry for possible inconveniences

[AlexanderNeumann]

Yes, thank you :)

[fxjordan]

The latest release is now deployed. Can you confirm your problem is solved @bjadel

[bjadel]

When I register with a new user, the error no longer occurs. Only when I log in with an existing user the error still exists.

[fxjordan]

The issue with your bja users seems to be something different, so I'm closing this issue (see here https://github.com/rwth-acis/RequirementsBazaar/issues/176)