By: Jason Ajmo user 13 Feb 2019 at 1:14 p.m. CST

11 Responses
## Background Context

I have two LDAP servers: the local one that Gluu comes with, and a remote one used in cache refresh for user authentication.

## Expected Behavior

When requesting `GET /identity/restv1/scim/v2/FidoDevices`, Gluu will search the proper LDAP server where the FIDO authentication data is stored.

## Actual Behavior

Gluu reaches out to the remote LDAP server, which has no knowledge of users' FIDO tokens. This was verified using a PCAP on the remote LDAP server.

By William Lowe user 13 Feb 2019 at 1:16 p.m. CST

Thanks for quick follow up! Assigning to a colleague to reproduce and confirm.

By Jason Ajmo user 13 Feb 2019 at 1:20 p.m. CST

Great - thanks! Let me know if I can provide any additional information.

By Sahil Arora user 14 Feb 2019 at 6:29 a.m. CST

Hi Jason,

Which LDAP are you using for the remote backend CR? I will try to reproduce locally.

Thanks,
Sahil

By Jason Ajmo user 14 Feb 2019 at 7:52 a.m. CST

Sahil,

The backend is a Microsoft Active Directory server.

By Yuriy Movchan staff 14 Feb 2019 at 12:33 p.m. CST

It's not clear how this is possible. `/identity` uses the local LDAP server for all services, including SCIM. oxTrust uses the remote LDAP only to import user data into the local LDAP. Can you enable the `DEBUG` log level in oxTrust and try to reproduce this issue? After that, please attach the log to this issue.

By Jason Ajmo user 15 Feb 2019 at 10:09 a.m. CST

Apologies for the response delay. Here are the relevant bits from the logfile. As you can see, a FIDO token is present in the database (shown during login), but the SCIM endpoint returns no tokens. (Can't figure out how to attach files - sorry for the copy/paste.)

```
2019-02-15 15:36:16,789 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:410) - authorizationCode : 8d1fe7ca-15c1-4493-87a0-6653e0cf5aeb
2019-02-15 15:36:16,789 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:413) - scopes : openid user_name email
2019-02-15 15:36:16,790 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:416) - clientID : @!D36A.05BE.EDE7.615B!0001!F886.C2EF!0008!E655.7581
2019-02-15 15:36:16,790 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:445) - Sending request to token endpoint
2019-02-15 15:36:16,790 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:447) - redirectURI : https://gluu.idam.nccoe.org/identity/authentication/getauthcode
2019-02-15 15:36:16,979 DEBUG [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:451) - tokenResponse : org.xdi.oxauth.client.TokenResponse@25f7a5bf
2019-02-15 15:36:16,980 DEBUG [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:457) - tokenResponse.getErrorType() : null
2019-02-15 15:36:16,980 DEBUG [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:460) - accessToken : f30cca36-4a26-4ed4-9c76-ce995d24cc56
2019-02-15 15:36:16,980 DEBUG [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:463) - idToken : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2dsdXUuaWRhbS5uY2NvZS5vcmciLCJhdWQiOiJAIUQzNkEuMDVCRS5FREU3LjYxNUIhMDAwMSFGODg2LkMyRUYhMDAwOCFFNjU1Ljc1ODEiLCJleHAiOjE1NTAyNDg1NzYsImlhdCI6MTU1MDI0NDk3NiwiYWNyIjoiZmlkbzIiLCJhbXIiOlsiMTAiXSwibm9uY2UiOiIwY2RhNGFkYy01MTc1LTRkNDYtOTI1Mi01NTNiZmU5YmI4ZTUiLCJhdXRoX3RpbWUiOjE1NTAyNDIzNDUsImF0X2hhc2giOiJwYzRQY1ppTnVVRGtHM2M4SmFBYlRnIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIiwic3ViIjoiQCFEMzZBLjA1QkUuRURFNy42MTVCITAwMDEhRjg4Ni5DMkVGITAwMDAhMDBGQy44ODcxIn0.7-po2DsTUpjbr7C2KlAC4fGz0OJxJ8OexLvy-B1zN6o
2019-02-15 15:36:16,981 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:465) - Session validation successful. User is logged in
2019-02-15 15:36:17,061 INFO [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:532) - user uid:jason.ajmo
2019-02-15 15:36:17,111 INFO [qtp1059063940-44236] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:129) - Authenticating user 'jason.ajmo'
2019-02-15 15:36:17,117 DEBUG [qtp1059063940-44236] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:160) - Configuring application after user 'jason.ajmo' login
2019-02-15 15:36:17,128 DEBUG [qtp1059063940-44236] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:167) - Get '[manager]' user roles
2019-02-15 15:36:17,129 INFO [qtp1059063940-44236] [org.gluu.oxtrust.action.Authenticator] (Authenticator.java:144) - User 'jason.ajmo' authenticated successfully
2019-02-15 15:36:17,930 DEBUG [oxTrustScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2019-02-15 15:36:17,930 DEBUG [oxTrustScheduler_Worker-3] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2019-02-15 15:36:17,935 DEBUG [oxTrustScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2019-02-15 15:36:17,944 DEBUG [oxTrustScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2019-02-15 15:36:17,945 DEBUG [oxTrustScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LoggerUpdateEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2019-02-15 15:36:17,954 DEBUG [oxTrustScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2019-02-15 15:36:18,029 DEBUG [oxTrustScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2019-02-15 15:36:18,030 DEBUG [oxTrustScheduler_Worker-5] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.gluu.oxtrust.service.cdi.event.MetadataValidationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2019-02-15 15:36:18,031 DEBUG [oxTrustScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2019-02-15 15:36:18,031 DEBUG [ForkJoinPool.commonPool-worker-1] [org.gluu.oxtrust.ldap.service.MetadataValidationTimer] (MetadataValidationTimer.java:112) - Starting metadata validation
2019-02-15 15:36:18,031 DEBUG [ForkJoinPool.commonPool-worker-1] [org.gluu.oxtrust.ldap.service.MetadataValidationTimer] (MetadataValidationTimer.java:116) - Metadata validation finished with result: 'false'
2019-02-15 15:36:18,058 DEBUG [oxTrustScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2019-02-15 15:36:18,058 DEBUG [oxTrustScheduler_Worker-4] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.gluu.oxtrust.service.cdi.event.EntityIdMonitoringEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2019-02-15 15:36:18,059 DEBUG [oxTrustScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2019-02-15 15:36:18,244 DEBUG [oxTrustScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2019-02-15 15:36:18,245 DEBUG [oxTrustScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.UpdateScriptEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2019-02-15 15:36:18,260 DEBUG [oxTrustScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2019-02-15 15:36:26,286 INFO [qtp1059063940-48283] [org.gluu.oxtrust.service.filter.AuthorizationProcessingFilter] (AuthorizationProcessingFilter.java:78) - Path is protected, proceeding with authorization processing...
2019-02-15 15:36:26,287 INFO [qtp1059063940-48283] [org.gluu.oxtrust.service.uma.ScimUmaProtectionService] (ScimUmaProtectionService.java:107) - ==== SCIM Service call intercepted ====
2019-02-15 15:36:26,287 INFO [qtp1059063940-48283] [org.gluu.oxtrust.service.uma.ScimUmaProtectionService] (ScimUmaProtectionService.java:108) - Authorization header found
2019-02-15 15:36:26,297 INFO [qtp1059063940-48283] [org.gluu.oxtrust.service.uma.ScimUmaProtectionService] (ScimUmaProtectionService.java:113) - SCIM Test Mode is ACTIVE
2019-02-15 15:36:26,297 DEBUG [qtp1059063940-48283] [org.gluu.oxtrust.service.uma.ScimUmaProtectionService] (ScimUmaProtectionService.java:140) - Validating token 98ab45c0-1740-4dbd-a5f9-76445774669e
2019-02-15 15:36:26,508 INFO [qtp1059063940-48283] [org.gluu.oxtrust.service.filter.AuthorizationProcessingFilter] (AuthorizationProcessingFilter.java:82) - Authorization passed
2019-02-15 15:36:26,668 DEBUG [qtp1059063940-48283] [gluu.oxtrust.service.scim2.interceptor.ReferenceURIInterceptor] (ReferenceURIInterceptor.java:65) - ReferenceURIInterceptor. manage exit
2019-02-15 15:36:26,670 DEBUG [qtp1059063940-48283] [gluu.oxtrust.ws.rs.scim2.FidoDeviceWebService] (FidoDeviceWebService.java:216) - Executing web service method. searchDevices
2019-02-15 15:36:26,671 INFO [qtp1059063940-48283] [gluu.oxtrust.ws.rs.scim2.FidoDeviceWebService] (FidoDeviceWebService.java:337) - Executing search for fido devices using: ldapfilter 'oxId=*', sortBy 'null', sortOrder 'ascending', startIndex '1', count '200'
2019-02-15 15:36:26,673 INFO [qtp1059063940-48283] [gluu.oxtrust.ws.rs.scim2.FidoDeviceWebService] (FidoDeviceWebService.java:355) - Found 0 matching entries - returning 0
```

By Jose Gonzalez staff 18 Feb 2019 at 7:19 a.m. CST

Hi,

> As you can see, a FIDO token is present in the database

Not clear... Can you elaborate more? Can you re-post your log, this time using a higher level of verbosity? In oxTrust go to `Configuration` > `Json configuration` > `oxTrust Configuration` and set the log level to TRACE. Wait 1 min and do your search again.

Also, are you passing a `userId` query param in the request or doing a general search?

By Jason Ajmo user 18 Feb 2019 at 8:18 a.m. CST

What I mean by that is you can see in the debug log above that it is authenticating using a FIDO token, and authentication is successful. Here is the full log: https://gist.github.com/jajmo/4623fd078325d723c1f07b47b9eeddc5

I am not passing a `userId` param. I am doing a general search on the `/identity/restv1/scim/v2/FidoDevices` endpoint.

By Jose Gonzalez staff 18 Feb 2019 at 10:23 a.m. CST

Hi Jason,

Thanks for your additional info. I think the problem stems from the fact that **fido2** was added in CE 3.1.5. Prior to that, we had only FIDO U2F support. Our endpoint `/identity/restv1/scim/v2/FidoDevices` still retrieves **FIDO U2F** token info only. We'll update our docs to state that more clearly.

I think we can add fido2 to SCIM once we see more adoption. As you may have noticed, Chrome and Opera still face problems with fido2.
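An added log-triage helper, not part of this thread and not Gluu code, that makes the point of the exchange above checkable from the oxTrust DEBUG output Jason posted: it base64url-decodes the `idToken` payload to read the `acr`/`amr` claims (the posted token carries `"acr":"fido2"`), extracts the LDAP filter and hit count logged by `FidoDeviceWebService`, and flags the `SCIM Test Mode is ACTIVE` line. The sample log lines and the id_token are constructed here; the issuer and subject in the token are hypothetical. The decoder deliberately does not verify the JWS signature and is only for reading what the log contains, never for trusting claims.

```python
import base64
import json
import re


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialisation."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sample_id_token() -> str:
    """Constructed id_token carrying the same kind of claims as the one in the
    posted log ("acr":"fido2", "amr":["10"]). Issuer and subject are
    hypothetical; the signature is a placeholder and is never checked."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url(json.dumps({
        "iss": "https://idp.example.org",
        "sub": "user-0001",
        "acr": "fido2",
        "amr": ["10"],
    }).encode())
    return header + "." + payload + ".placeholder-signature"


# Constructed sample, modelled on four of the oxTrust DEBUG lines posted above.
SAMPLE_LOG = "\n".join([
    "2019-02-15 15:36:16,980 DEBUG [qtp1059063940-48380] [org.gluu.oxtrust.action.Authenticator] "
    "(Authenticator.java:463) - idToken : " + sample_id_token(),
    "2019-02-15 15:36:26,297 INFO [qtp1059063940-48283] [org.gluu.oxtrust.service.uma.ScimUmaProtectionService] "
    "(ScimUmaProtectionService.java:113) - SCIM Test Mode is ACTIVE",
    "2019-02-15 15:36:26,671 INFO [qtp1059063940-48283] [gluu.oxtrust.ws.rs.scim2.FidoDeviceWebService] "
    "(FidoDeviceWebService.java:337) - Executing search for fido devices using: ldapfilter 'oxId=*', "
    "sortBy 'null', sortOrder 'ascending', startIndex '1', count '200'",
    "2019-02-15 15:36:26,673 INFO [qtp1059063940-48283] [gluu.oxtrust.ws.rs.scim2.FidoDeviceWebService] "
    "(FidoDeviceWebService.java:355) - Found 0 matching entries - returning 0",
])

ID_TOKEN_RE = re.compile(r"idToken : (\S+)")
TEST_MODE_RE = re.compile(r"SCIM Test Mode is ACTIVE")
SEARCH_RE = re.compile(r"Executing search for fido devices using: ldapfilter '([^']*)'")
FOUND_RE = re.compile(r"Found (\d+) matching entries")


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS for log triage only.
    No signature verification: do not use this to trust the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def triage(log_text: str) -> dict:
    """Pull the facts relevant to this thread out of oxTrust log lines."""
    result = {"acr": None, "amr": None, "test_mode": False, "ldap_filter": None, "found": None}
    for line in log_text.splitlines():
        m = ID_TOKEN_RE.search(line)
        if m:
            claims = decode_jwt_claims(m.group(1))
            result["acr"] = claims.get("acr")   # authentication context class (e.g. fido2)
            result["amr"] = claims.get("amr")   # authentication methods used
            continue
        if TEST_MODE_RE.search(line):
            result["test_mode"] = True
            continue
        m = SEARCH_RE.search(line)
        if m:
            result["ldap_filter"] = m.group(1)
            continue
        m = FOUND_RE.search(line)
        if m:
            result["found"] = int(m.group(1))
    return result


def findings(result: dict) -> list:
    """Turn the extracted facts into the observations a reviewer would make."""
    notes = []
    if result["acr"] == "fido2" and result["found"] == 0:
        notes.append("login acr is fido2 but the FidoDevices search returned 0 entries: "
                     "consistent with the endpoint returning FIDO U2F devices only")
    if result["test_mode"]:
        notes.append("SCIM Test Mode is ACTIVE: meant for trying the API, "
                     "switch it off before the deployment goes to production")
    if result["ldap_filter"] == "oxId=*":
        notes.append("search used the catch-all filter oxId=*: a general search, "
                     "not one scoped to a single userId")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LOG)):
        print("-", note)
```

Run it against the real log by replacing `SAMPLE_LOG` with the file contents; the `idToken` line in the posted output was split across two lines by the support-portal copy/paste, so join it back before parsing.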

By Jason Ajmo user 18 Feb 2019 at 12:13 p.m. CST

Guess that's the issue then. Thank you all for your help - much appreciated!

By William Lowe user 18 Feb 2019 at 12:57 p.m. CST

Added an issue for the enhancement: https://github.com/GluuFederation/oxTrust/issues/1526