By: Rui Engana Account Admin 11 Aug 2020 at 4:10 a.m. CDT

11 Responses
After going into OIDC > Scopes and updating all to be hidden from Discovery except openid, I can't log in to the Admin UI anymore. I get the error "Login failed, oxTrust wasn't allowed to access user data". For reference, here is my current Discovery:

```json
{
  "request_parameter_supported": true,
  "token_revocation_endpoint": "https://gluu.redacted/oxauth/restv1/revoke",
  "introspection_endpoint": "https://gluu.redacted/oxauth/restv1/introspection",
  "claims_parameter_supported": true,
  "issuer": "https://gluu.redacted",
  "userinfo_encryption_enc_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "id_token_encryption_enc_values_supported": ["A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM"],
  "authorization_endpoint": "https://gluu.redacted/oxauth/restv1/authorize",
  "service_documentation": "http://gluu.org/docs",
  "id_generation_endpoint": "https://gluu.redacted/oxauth/restv1/id",
  "scope_to_claims_mapping": [
    { "openid": [] },
    { "https://gluu.redacted/oxauth/restv1/uma/scopes/scim_access": [] },
    { "https://gluu.redacted/oxauth/restv1/uma/scopes/passport_access": [] },
    { "oxtrust-api-write": [] },
    { "accounts": [] },
    { "oxtrust-api-read": [] }
  ],
  "op_policy_uri": "http://ox.gluu.org/doku.php?id=oxauth:policy",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
  "tls_client_certificate_bound_access_tokens": true,
  "response_modes_supported": ["form_post", "fragment", "query"],
  "backchannel_logout_session_supported": true,
  "token_endpoint": "https://gluu.redacted/oxauth/restv1/token",
  "response_types_supported": ["id_token code"],
  "request_uri_parameter_supported": false,
  "backchannel_user_code_parameter_supported": false,
  "grant_types_supported": ["client_credentials", "implicit", "refresh_token", "authorization_code"],
  "ui_locales_supported": ["en", "bg", "de", "es", "fr", "it", "ru", "tr"],
  "userinfo_endpoint": "https://gluu.redacted/oxauth/restv1/userinfo",
  "op_tos_uri": "http://ox.gluu.org/doku.php?id=oxauth:tos",
  "auth_level_mapping": { "1": ["casa"], "-1": ["simple_password_auth"] },
  "require_request_uri_registration": false,
  "id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "frontchannel_logout_session_supported": true,
  "claims_locales_supported": ["en"],
  "clientinfo_endpoint": "https://gluu.redacted/oxauth/restv1/clientinfo",
  "request_object_signing_alg_values_supported": ["PS256"],
  "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "session_revocation_endpoint": "https://gluu.redacted/oxauth/restv1/revoke_session",
  "check_session_iframe": "https://gluu.redacted/oxauth/opiframe.htm",
  "scopes_supported": [
    "https://gluu.redacted/oxauth/restv1/uma/scopes/passport_access",
    "https://gluu.redacted/oxauth/restv1/uma/scopes/scim_access",
    "oxtrust-api-write",
    "oxtrust-api-read",
    "openid",
    "accounts"
  ],
  "backchannel_logout_supported": true,
  "acr_values_supported": ["simple_password_auth", "casa"],
  "request_object_encryption_enc_values_supported": ["A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM"],
  "display_values_supported": ["page", "popup"],
  "userinfo_signing_alg_values_supported": ["PS256"],
  "claim_types_supported": ["normal"],
  "userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "A128KW", "A256KW"],
  "end_session_endpoint": "https://gluu.redacted/oxauth/restv1/end_session",
  "revocation_endpoint": "https://gluu.redacted/oxauth/restv1/revoke",
  "backchannel_authentication_endpoint": "https://gluu.redacted/oxauth/restv1/bc-authorize",
  "token_endpoint_auth_signing_alg_values_supported": ["PS256"],
  "frontchannel_logout_supported": true,
  "jwks_uri": "https://gluu.redacted/oxauth/restv1/jwks",
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["PS256"],
  "registration_endpoint": "https://gluu.redacted/oxauth/restv1/register",
  "id_token_token_binding_cnf_values_supported": ["tbh"]
}
```

By Milton Ch. staff 11 Aug 2020 at 8:40 a.m. CDT

Yeah, oxTrust uses these scopes by default: `openid profile email user_name`. Now that you removed many of them, the authentication can't be processed. Do you have a way to access LDAP? I think that would be a way to reset those values.

By Rui Engana Account Admin 11 Aug 2020 at 9:30 a.m. CDT

Hi Milton, thank you for the quick reply. We are using the LDAP store that ships with Gluu; are you able to provide instructions to access and restore such values? On another note, I understand the Gluu Admin UI (oxTrust) is currently a pre-registered client of the OP itself. However, in our banking use case we want to define a security perimeter exclusively for trusted partners and remove from the OP any option that is not relevant to such a security perimeter; in our view, this would only increase the potential attack surface. Are there any plans to decouple the Admin UI from it completely? Thanks, Rui

By Michael Schwartz Account Admin 11 Aug 2020 at 11:37 a.m. CDT

Assigning this to @Thomas Gasmyr.Mougang. This is a bug... oxTrust knows the scopes it needs, so it does not need to use the configuration endpoint to verify their presence. Opened this bug report: [https://github.com/GluuFederation/oxTrust/issues/2016](https://github.com/GluuFederation/oxTrust/issues/2016)

By Thomas Gasmyr Mougang staff 11 Aug 2020 at 2:43 p.m. CDT

@Rui, can you share the oxTrust log from when the error occurs?

By Thomas Gasmyr Mougang staff 11 Aug 2020 at 3:01 p.m. CDT

Was not able to replicate this issue. We need more information and logs.

By Rui Engana Account Admin 11 Aug 2020 at 5:21 p.m. CDT

Hi Thomas, try going to all scopes and marking all of them as excluded from Discovery except openid. For the openid scope, remove all claims. Restart the server.

By Rui Engana Account Admin 12 Aug 2020 at 1:54 a.m. CDT

Thinking thoroughly, I'm not sure if this is a bug... I explicitly removed all claims from the openid scope, so if oxTrust uses oxAuth for tokens, it's expected that oxTrust can't get such data. The key discovery fact here for me is that oxTrust is using the same oxAuth I was configuring for its own access. Meaning, during my stripped-down exercise of oxAuth I, unaware of the above dependency, removed critical elements for oxTrust to function (although not critical for my use case). I understand the design, but this dependency is unexpected and a potential blocker for us.
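Milton's reply above lists the scopes oxTrust requests by default, and the post above pins the failure on the `openid` scope having no claims left. The following added check is not Gluu's code and not part of this thread: it takes a discovery document and reports which of a client's required scopes are no longer advertised in `scopes_supported`, which advertised scopes release no claims, and which required claims no requested scope releases. The only thing taken from the posted document is Gluu's list-of-one-key-dicts shape for `scope_to_claims_mapping`. Both sample documents are constructed (the first trimmed from the posted one, the second an assumed default-looking OP), the claim names in the second sample are illustrative assumptions, and the `fetch_discovery` helper is an assumption about where a live document would be fetched from. One caveat worth keeping in mind: this reads only the advertisement, so a scope hidden from discovery can still be granted by the OP; what the check tells you is what a client that validates against discovery, as oxTrust did here, will conclude before it ever redirects.

```python
"""Pre-flight check: does an OP's discovery document still satisfy a client?

Added example, not Gluu's code. Gluu's scope_to_claims_mapping is a list of
one-key dicts, as in the discovery document posted in this thread; everything
else below (sample data, claim names, fetch helper) is an assumption.
"""
import json
import urllib.request

# Constructed sample 1: the stripped-down OP from the thread, trimmed to the
# two keys this check reads. Only "openid" remains visible and it maps to no claims.
STRIPPED_DISCOVERY = {
    "issuer": "https://gluu.redacted",
    "scopes_supported": ["oxtrust-api-write", "oxtrust-api-read", "openid", "accounts"],
    "scope_to_claims_mapping": [
        {"openid": []},
        {"oxtrust-api-write": []},
        {"accounts": []},
        {"oxtrust-api-read": []},
    ],
}

# Constructed sample 2: an assumed default-looking OP. The claim names attached
# to each scope are illustrative assumptions, not Gluu's actual defaults.
DEFAULT_DISCOVERY = {
    "issuer": "https://gluu.redacted",
    "scopes_supported": ["openid", "profile", "email", "user_name", "oxtrust-api-read"],
    "scope_to_claims_mapping": [
        {"openid": ["inum"]},
        {"profile": ["name", "given_name", "family_name"]},
        {"email": ["email", "email_verified"]},
        {"user_name": ["user_name"]},
        {"oxtrust-api-read": []},
    ],
}

# Scopes oxTrust requests by default, as stated in Milton's reply above.
OXTRUST_DEFAULT_SCOPES = ("openid", "profile", "email", "user_name")


def fetch_discovery(issuer, timeout=10):
    """Fetch a live discovery document (assumed well-known path; not used offline)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def claims_by_scope(discovery):
    """Flatten Gluu's [{scope: [claims]}, ...] list into a {scope: [claims]} dict."""
    mapping = {}
    for entry in discovery.get("scope_to_claims_mapping", []):
        for scope, claims in entry.items():
            mapping[scope] = list(claims)
    return mapping


def check_client_requirements(discovery, required_scopes, required_claims=()):
    """Report what a discovery-driven client would find missing.

    Only the advertisement is inspected: a scope hidden from discovery may still
    be granted by the OP, but a client that validates against scopes_supported
    (as oxTrust did in this thread) will refuse before it asks.
    """
    supported = set(discovery.get("scopes_supported", []))
    mapping = claims_by_scope(discovery)
    missing_scopes = [s for s in required_scopes if s not in supported]
    # Advertised, but stripped of every claim: the openid scope in this thread.
    scopes_without_claims = [
        s for s in required_scopes if s in supported and not mapping.get(s)
    ]
    released = {c for s in required_scopes for c in mapping.get(s, [])}
    missing_claims = [c for c in required_claims if c not in released]
    return {
        "ok": not missing_scopes and not missing_claims,
        "missing_scopes": missing_scopes,
        "scopes_without_claims": scopes_without_claims,
        "missing_claims": missing_claims,
    }


if __name__ == "__main__":
    for label, doc in (("stripped", STRIPPED_DISCOVERY), ("default", DEFAULT_DISCOVERY)):
        report = check_client_requirements(doc, OXTRUST_DEFAULT_SCOPES, ("email", "user_name"))
        print(label, json.dumps(report))
```

Run it against a live OP by replacing the sample with `fetch_discovery("https://your-op")` before hiding scopes, and again after; a non-empty `missing_scopes` or `scopes_without_claims` for a built-in client such as oxTrust is the signal that the hardening step will lock that client out.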

By Thomas Gasmyr Mougang staff 12 Aug 2020 at 5:04 a.m. CDT

> For the openid scope, remove all claims.

What is the goal when you remove all claims attached to that scope? It is clear that removing the claims will lead to serious issues.

By Rui Engana Account Admin 12 Aug 2020 at 5:18 a.m. CDT

I understand :) However, for our use case we just need a custom claim for the openid scope in addition to the standard claims imposed by FAPI compliance. Happy to discuss more details privately. PS: I think Mike was going to flag our account as a partner so we can continue discussions privately.

By Thomas Gasmyr Mougang staff 12 Aug 2020 at 5:22 a.m. CDT

Okay

By Rui Engana Account Admin 18 Aug 2020 at 3:37 a.m. CDT

I think this should raise an enhancement to decouple oxTrust from oxAuth and remove the dependency on its own oxAuth OIDC configuration. Maybe connect via an API key or any other mechanism that doesn't depend on the OIDC itself.