By: Hannah McKee user 24 Nov 2016 at 10:12 a.m. CST

4 Responses
I have created a custom script which will call an API which fronts a SQL database. For the time being, the only attribute we are concerned about from the SQL db is the field "PartyGID". When logging in to a client which uses this custom script, I get the error "Please use correct username and password", but I'm not sure what I'm missing. Ideally, we would like to avoid having to create a user in Gluu - any help would be appreciated.

**Custom Script**

```
import urllib
import json
import sys
import org.apache.http.entity.ContentType
from org.jboss.seam.security import Identity
from org.xdi.model.custom.script.type.auth import PersonAuthenticationType
from org.xdi.oxauth.service import UserService
from org.xdi.oxauth.model.common import SessionState
from org.xdi.oxauth.service import SessionStateService
from org.xdi.oxauth.model.config import Constants
from org.xdi.util import StringHelper
from org.xdi.oxauth.service.net import HttpService
from org.jboss.seam.contexts import Contexts
import java

class PersonAuthentication(PersonAuthenticationType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        print "CP06 Test Client. Initialization"
        print "CP06 Test Client. Initialized successfully"
        return True

    def destroy(self, configurationAttributes):
        print "CP06 Test Client. Destroy"
        print "CP06 Test Client. Destroyed successfully"
        return True

    def getApiVersion(self):
        return 1

    def isValidAuthenticationMethod(self, usageType, configurationAttributes):
        return True

    def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes):
        return None

    def authenticate(self, configurationAttributes, requestParameters, step):
        print "CP06 Test Client. Authenticating user"
        context = Contexts.getEventContext()
        sessionAttributes = context.get("sessionAttributes")
        # Both values come from the script's custom properties in oxTrust
        identifierName = configurationAttributes.get("identifierAttribute").getValue2()
        authServiceUrl = configurationAttributes.get("authServiceURL").getValue2()
        print "CP06 Test Client. IdentifierName: ", identifierName
        print "CP06 Test Client. AuthServiceUrl: ", authServiceUrl

        # Short-circuit if this session already carries the identifier
        if (sessionAttributes != None) and sessionAttributes.containsKey(identifierName):
            print "CP06 Test Client. " + identifierName + " previously set - User authenticated"
            return True

        if (step == 1):
            print "CP06 Test Client. Authenticate for step 1"
            credentials = Identity.instance().getCredentials()
            user_name = credentials.getUsername()
            user_password = credentials.getPassword()

            logged_in = False
            if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
                # TODO: Remove this bad boy - only for debugging
                print "CP06 Test Client. Authenticating credentials: ", user_name, user_password

                httpService = HttpService.instance()
                print "CP06 Test Client. Creating httpClient"
                http_client = httpService.getHttpsClient()
                print "CP06 Test Client. Setting request body"
                # NOTE: a fixed test credential pair is sent; user_name/user_password are not used in the body
                auth_request_body = "{\"username\": \"testUser\", \"password\": \"Passw0rd\"}"

                # 1. POST the credentials to the remote authentication API
                try:
                    print "CP06 Test Client. Sending request to authentication service"
                    print "CP06 Test Client. AuthRequestBody: ", auth_request_body
                    request_headers = { "Content-type" : "application/json; charset=UTF-8", "Accept" : "application/json" }
                    http_service_response = httpService.executePost(http_client, authServiceUrl, None, request_headers, auth_request_body)
                    print "CP06 Test Client. HTTP_Service_Response: ", http_service_response
                    http_response = http_service_response.getHttpResponse()
                    print "CP06 Test Client. Http_Response: ", http_response
                except:
                    print "CP06 Test Client. Authenticate User credentials. Exception: ", sys.exc_info()[1]
                    return False

                # 2. Check the status code and read the body
                try:
                    if not httpService.isResponseStastusCodeOk(http_response):
                        print "CP06 Test Client. Invalid response from Authentication Server: ", str(http_response.getStatusLine().getStatusCode())
                        httpService.consume(http_response)
                        return False
                    print "CP06 Test Client. Response from Authentication Server: " + str(http_response.getStatusLine().getStatusCode())
                    response_bytes = httpService.getResponseContent(http_response)
                    response_string = httpService.convertEntityToString(response_bytes)
                    print "CP06 Test Client. Response from Authentication Server: " + response_string
                    httpService.consume(http_response)
                except:
                    print "CP06 Test Client. Authenticate User credentials. Exception: ", sys.exc_info()[1]
                    return False
                finally:
                    http_service_response.closeConnection()

                if response_string == None:
                    print "CP06 Test Client. Got empty response from Authentication Server"
                    return False

                # 3. Pull the party identifier out of the JSON response
                try:
                    print "CP06 Test Client. Loading response into JSON"
                    response = json.loads(response_string)
                    print "CP06 Test Client. JSON String: " + str(response)
                    partyGid = str(response["PartyID"])
                    context.set(identifierName, partyGid)
                    print "CP06 Test Client. Party GID: " + partyGid
                    logged_in = True
                except:
                    print "CP06 Test Client. Parse Authentication Response. Exception: ", sys.exc_info()[1]
                    return False

                # 4. Mark the session authenticated. The second argument is stored as the
                #    session's userDn (compare userDn='12345678' in the log tail below).
                try:
                    # Set Authenticated User Session Attribute
                    sessionStateService = SessionStateService.instance()
                    sessionState = sessionStateService.getSessionState()
                    if sessionState is None:
                        sessionState = sessionStateService.generateAuthenticatedSessionState(partyGid)
                    sessionStateService.setSessionStateAuthenticated(sessionState, partyGid)
                    sessionState = sessionStateService.getSessionState()
                    sessionIdAttributes = sessionState.getSessionAttributes()
                    print "CP06 Test Client. Session ID Attributes: " + str(sessionState)
                    #sessionState = sessionStateService.generateAuthenticatedSessionState(partyGid)
                    #if sessionState is not None:
                    #    sessionIdAttributes = sessionState.getSessionAttributes()
                    #    print "CP06 Test Client. Session ID Attributes: " + str(sessionState)
                    #    sessionIdAttributes.put(Constants.AUTHENTICATED_USER, user_name)
                    #    sessionStateService.updateSessionState(sessionState)
                    #    # Get Session state and updated attributes for debugging purposes
                    #    sessionState = sessionStateService.getSessionState()
                    #    sessionIdAttributes = sessionState.getSessionAttributes()
                    #    print "CP06 Test Client. Updated Session ID Attributes: " + str(sessionState)
                except:
                    print "CP06 Test Client. Update Session State. Exception: ", sys.exc_info()[1]
                    return False

            if (not logged_in):
                return False

            print "CP06 Test Client. User successfully authenticated"
            return True
        else:
            print "CP06 Test Client. Unknown step requested"
            return False

    def prepareForStep(self, configurationAttributes, requestParameters, step):
        if (step == 1):
            print "CP06 Test Client. Prepare for Step 1"
            return True
        else:
            return False

    def getExtraParametersForStep(self, configurationAttributes, step):
        return None

    def getCountAuthenticationSteps(self, configurationAttributes):
        return 1

    def getPageForStep(self, configurationAttributes, step):
        return ""

    def logout(self, configurationAttributes, requestParameters):
        return True
```

**oxauth_script.log (tail)**

```
CP06 Test Client. Session ID Attributes: SessionState, dn='uniqueIdentifier=39eade3c-edd3-4c04-b0a9-11b8c271f10a,ou=session,o=@!67DA.D9A5.E289.D773!0001!F485.929A,o=gluu', id='39eade3c-edd3-4c04-b0a9-11b8c271f10a', isJwt=false, lastUsedAt=Thu Nov 24 14:48:08 UTC 2016, userDn='12345678', authenticationTime=Thu Nov 24 14:48:08 UTC 2016, state=authenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={scope=openId nanthealth_user, response_type=code, redirect_uri=https://hmckee440p:444/NantHealthSSOPOC/welcome, remote_ip=10.38.63.156, auth_step=1, client_id=@!67DA.D9A5.E289.D773!0001!F485.929A!0008!642F.DF82, acr=CP06TestClient, acr_values=cp06testclient}, persisted=false}
2016-11-24 14:48:08,872 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-299) CP06 Test Client. User successfully authenticated
```

**oxauth.log**

```
Caused by: Connection exception (Failed to lookup entry: The provided value "12345678" could not be parsed as a valid distinguished name because the last non-space character was part of the attribute name '12345678')
```

By Aliaksandr Samuseu staff 24 Nov 2016 at 10:27 a.m. CST

Hi, Hannah.

> Ideally, we would like to avoid having to create a user in Gluu - any help would be appreciated.

Not sure it's possible. Gluu expects every user to have an LDAP entry locally. During different flows it will be used as a source of attributes to send to the remote party. I also remember that our developer mentioned before that during authentication a check of the `gluuStatus` attribute of the logging-in user is performed in the local directory, to make sure it has "active" assigned to it.

By William Lowe user 24 Nov 2016 at 11:38 a.m. CST

Hi Hannah, This is an interesting topic. We'd be interested to help but it's an advanced topic and outside of the scope of community support. If we decide to investigate this on our own time we'll let you know our findings. Thanks, Will

By Yuriy Movchan staff 25 Nov 2016 at 2:10 a.m. CST

It's not possible without user enrollment in local LDAP. You can do enrollment from the script. Moreover, you can create a user with dummy attributes and map it via the oxExternalUid attribute to your partyGid.
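One way to do the enrollment Yuriy describes, written as an added example for this thread rather than code from the poster's script or from Gluu itself. It reuses the local entry mapped to the party GID when one exists, creates a minimal entry with dummy attributes on first login, and then hands the user to oxAuth's own `AuthenticationService` so the session is bound to a real user DN rather than to the raw GID. The `cp06:` prefix, the `uid` derivation and the `displayName` placeholder are assumptions made for this example; `UserService`, `User` and `AuthenticationService` are the oxAuth classes of that release, used as in Gluu's sample scripts.

```jython
# Added example (not the poster's script, not Gluu's own code): enrol or reuse a
# minimal local LDAP user for a party GID returned by the remote API, keyed by
# oxExternalUid, then authenticate that user through oxAuth's service layer.
# The "cp06:" prefix, the uid derivation and the displayName value are assumed.
from org.xdi.oxauth.service import UserService, AuthenticationService
from org.xdi.oxauth.model.common import User
from org.xdi.util import StringHelper

# Assumed namespace so this script's ids never collide with other oxExternalUid users
EXTERNAL_UID_PREFIX = "cp06:"

def find_or_enroll_user(partyGid):
    """Return the local User entry mapped to partyGid, creating it on first login."""
    if not StringHelper.isNotEmptyString(partyGid):
        return None
    userService = UserService.instance()
    externalUid = EXTERNAL_UID_PREFIX + partyGid

    # An existing mapping wins, so the same GID always resolves to the same DN.
    foundUser = userService.getUserByAttribute("oxExternalUid", externalUid)
    if foundUser is not None:
        return foundUser

    # First login: create a minimal entry with dummy attributes. uid must be
    # unique in the directory, so it is derived from the GID rather than from
    # whatever name the user typed at the login form.
    newUser = User()
    newUser.setAttribute("uid", "cp06-" + partyGid)
    newUser.setAttribute("oxExternalUid", externalUid)
    newUser.setAttribute("displayName", "Party " + partyGid)
    # The second argument marks the new entry active, which the gluuStatus
    # check during login requires.
    return userService.addUser(newUser, True)

def authenticate_party(partyGid):
    """Drop-in for the SessionStateService block in step 1 of the posted script."""
    localUser = find_or_enroll_user(partyGid)
    if localUser is None:
        print "CP06 Test Client. No local user for party GID, rejecting login"
        return False
    # Let oxAuth bind the session to the user's real DN instead of the raw GID,
    # which is what produced the "could not be parsed as a valid distinguished
    # name" error in oxauth.log.
    authenticationService = AuthenticationService.instance()
    return authenticationService.authenticate(localUser.getUserId())
```

In the posted script, `logged_in = authenticate_party(partyGid)` would replace the whole `SessionStateService` block right after `partyGid` is parsed from the JSON response. Two things to fix at the same time: the request body should carry the submitted `user_name`/`user_password` rather than the fixed test pair, and the debug line that prints the password into `oxauth_script.log` should go before this reaches any shared environment.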

By Michael Schwartz Account Admin 25 Nov 2016 at 1:14 p.m. CST

It's true that you'd need at least a minimal user entry in the LDAP server for each identity. However, if we are just talking about OpenID Connect (not SAML), you could write a script for "dynamic claims" if you wanted the Gluu Server to query a database to populate the user claims available to the OpenID Connect client.
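A sketch of the "dynamic claims" script Michael refers to, added here as an example and not the poster's or Gluu's own code. It runs when oxAuth builds the token for the OpenID Connect client, recovers the party GID from the user's `oxExternalUid` attribute, and reads an extra claim straight from the SQL database over JDBC with a parameterised statement. The table and column names, the `jdbcUrl`/`jdbcUser`/`jdbcPassword` custom properties, the `cp06:` prefix and the claim names are assumptions; the class and context methods follow Gluu's sample dynamic scope script of that release, and the JDBC driver is assumed to be on oxAuth's classpath.

```jython
# Added example of a Gluu dynamic scope script: populate OpenID Connect claims
# from a SQL lookup at token-issuance time. Table/column names, the jdbcUrl /
# jdbcUser / jdbcPassword custom properties, the claim names and the "cp06:"
# prefix are assumptions made for this example.
from org.xdi.model.custom.script.type.scope import DynamicScopeType
from org.xdi.util import StringHelper
from java.sql import DriverManager
import sys

EXTERNAL_UID_PREFIX = "cp06:"   # assumed oxExternalUid namespace

class DynamicScope(DynamicScopeType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        # Connection settings come from the script's custom properties, so no
        # database credential is hard-coded in the script body.
        self.jdbcUrl = configurationAttributes.get("jdbcUrl").getValue2()
        self.jdbcUser = configurationAttributes.get("jdbcUser").getValue2()
        self.jdbcPassword = configurationAttributes.get("jdbcPassword").getValue2()
        return True

    def destroy(self, configurationAttributes):
        return True

    def getApiVersion(self):
        return 1

    # Called before the token is signed; claims added here reach the client.
    def update(self, dynamicScopeContext, configurationAttributes):
        user = dynamicScopeContext.getUser()
        claims = dynamicScopeContext.getJsonWebResponse().getClaims()

        # Recover the party GID from the mapping stored on the local LDAP entry.
        externalUid = user.getAttribute("oxExternalUid")
        if not StringHelper.isNotEmptyString(externalUid) or not externalUid.startswith(EXTERNAL_UID_PREFIX):
            print "CP06 Dynamic scope. No party mapping for user, no claim added"
            return True
        partyGid = externalUid[len(EXTERNAL_UID_PREFIX):]

        partyName = self.lookupPartyName(partyGid)
        if partyName is not None:
            claims.setClaim("party_gid", partyGid)
            claims.setClaim("party_name", partyName)
        # On lookup failure the claims are simply omitted; never substitute an
        # error string that the client might take for a real value.
        return True

    def lookupPartyName(self, partyGid):
        # Parameterised statement: the GID comes from the directory, but it is
        # still treated as untrusted input and never concatenated into SQL.
        # The account behind jdbcUser should be read-only on this table.
        conn = None
        stmt = None
        try:
            conn = DriverManager.getConnection(self.jdbcUrl, self.jdbcUser, self.jdbcPassword)
            stmt = conn.prepareStatement("SELECT PartyName FROM Party WHERE PartyGID = ?")
            stmt.setString(1, partyGid)
            rs = stmt.executeQuery()
            if rs.next():
                return rs.getString("PartyName")
            return None
        except:
            print "CP06 Dynamic scope. Lookup failed: ", sys.exc_info()[1]
            return None
        finally:
            if stmt is not None:
                stmt.close()
            if conn is not None:
                conn.close()
```

The script opens a connection per token, which is fine for a proof of concept; under real load it would draw from a JDBC connection pool instead. As Michael notes, this only helps for OpenID Connect: the user entry itself is still required, and SAML attribute release does not go through dynamic scopes.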