By: Hamdi Bahrini user 23 Feb 2020 at 9:44 p.m. CST

3 Responses
Hi community, I created an OpenID Connect client with an ACR value for a resource owner password credentials script. This script is capable of verifying the password and the OTP of a user (concatenated together like "password654102"). When I send authentication requests I get failures despite the script returning true after checking the password and the OTP in LDAP. When I send requests with only the password (without concatenating the OTP) I get successes (but the script returns false). I wonder how to force the OpenID client to use only the script. According to [Gluu documentation](https://gluu.org/docs/ce/admin-guide/custom-script/#resource-owner-password-credentials), it is possible to change the result of an authentication using a resource owner password credentials script. I'm using a Perl module to communicate with Gluu APIs.

Failure

```
rlm_perl: scope=openid&username=test&password=testtest417697&grant_type=password
&acr_values=resource_owner_password_credentials_example
&client_id=%40!6DD5.2317.2C71.B3BD!0001!3F53.7A78!0008!A175.044F.25BC.60AA
&client_secret=DvpuedP4JenA7lEodCtPMrkK
rlm_perl: HTTP/1.1 401 Unauthorized
rlm_perl: Cache-Control: no-store
rlm_perl: Connection: close
rlm_perl: Date: Mon, 24 Feb 2020 03:24:29 GMT
rlm_perl: Pragma: no-cache
rlm_perl: Server: Jetty(9.4.12.v20180830)
rlm_perl: Content-Length: 586
rlm_perl: Content-Type: application/json
rlm_perl: Client-Date: Mon, 24 Feb 2020 03:24:26 GMT
rlm_perl: Client-Peer: 192.168.56.5:443
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=qc/ST=qc/L=mtl/O=hamdi/CN=gluu-testserver/emailAddress=hamdi@hamdi.com
rlm_perl: Client-SSL-Cert-Subject: /C=qc/ST=qc/L=mtl/O=hamdi/CN=gluu-testserver/emailAddress=hamdi@hamdi.com
rlm_perl: Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Strict-Transport-Security: max-age=31536000; includeSubDomains
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Xss-Protection: 1; mode=block
rlm_perl:
rlm_perl: {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate resp...
```

Success

```
rlm_perl: scope=openid&username=test&password=testtest&grant_type=password
&acr_values=resource_owner_password_credentials_example
&client_id=%40!6DD5.2317.2C71.B3BD!0001!3F53.7A78!0008!A175.044F.25BC.60AA
&client_secret=DvpuedP4JenA7lEodCtPMrkK
rlm_perl: HTTP/1.1 200 OK
rlm_perl: Cache-Control: no-store
rlm_perl: Connection: close
rlm_perl: Date: Mon, 24 Feb 2020 03:40:04 GMT
rlm_perl: Pragma: no-cache
rlm_perl: Server: Jetty(9.4.12.v20180830)
rlm_perl: Content-Length: 166
rlm_perl: Content-Type: application/json
rlm_perl: Client-Date: Mon, 24 Feb 2020 03:40:00 GMT
rlm_perl: Client-Peer: 192.168.56.5:443
rlm_perl: Client-Response-Num: 1
rlm_perl: Client-SSL-Cert-Issuer: /C=qc/ST=qc/L=mtl/O=hamdi/CN=gluu-testserver/emailAddress=hamdi@hamdi.com
rlm_perl: Client-SSL-Cert-Subject: /C=qc/ST=qc/L=mtl/O=hamdi/CN=gluu-testserver/emailAddress=hamdi@hamdi.com
rlm_perl: Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
rlm_perl: Client-SSL-Socket-Class: IO::Socket::SSL
rlm_perl: Client-SSL-Warning: Peer certificate not verified
rlm_perl: Strict-Transport-Security: max-age=31536000; includeSubDomains
rlm_perl: X-Content-Type-Options: nosniff
rlm_perl: X-Xss-Protection: 1; mode=block
rlm_perl:
rlm_perl: {"access_token":"4c030bf8-7dc9-4ca9-af93-6af8fcc1a08e","token_type":"bearer","expires_in":299,"refresh_token":"f8c6f75c-a822-4ed1-810c-dc071bfaae98","scope":"openid"}
```

By Mohit Mali staff 24 Feb 2020 at 5:21 a.m. CST

Hi Ham, thank you for reaching out to Gluu support. I will assist you on this ticket. Can you please explain what you are trying to achieve? Thanks and Regards, Mohit Mali

By Hamdi Bahrini user 24 Feb 2020 at 8:38 p.m. CST

Hi Mohit, I'm trying to implement two-factor authentication with an OpenID Connect client. My request contains a username and a composed password. The password is composed of the user password and the user OTP concatenated together (ex: qwerty568794). To authenticate a user, I'm using a resource owner password credentials script (to split the composed password into the user password and the user OTP and verify them one by one). There is no problem with my script; it returns True when the password and the OTP are good, but the authentication returns failure. The script I'm using is configured in the OpenID Connect client under default ACR values.

By Mohit Mali staff 25 Feb 2020 at 6:59 a.m. CST

Hi Ham, custom scripts are out of scope for free community support when it comes to authentication script customization; you need to buy a Gluu VIP support subscription in order for us to assist you on this ticket. If you need help buying a Gluu VIP subscription or need to arrange a call, please feel free to revert. Thanks and Regards, Mohit Mali