By: Neemesh Patel user 21 Sep 2016 at 9:14 a.m. CDT

4 Responses
Hello,

I'm trying to set up a test Apache site which is protected by OpenID Connect so we can have a test client to check the Gluu IdP is functioning correctly. I am looking to do this manually as we haven't installed the dynamic registration on the Gluu server. I've tried to follow the guide [here](https://www.gluu.org/docs/integrate/ubuntu-installation/), but am having some errors on Gluu when I try to use it. When I try to access the Apache site, I'm redirected to login, and then redirected again after login, but at this page the browser doesn't display anything but a blank page (more specifically this is /oxauth/seam/resource/restv1/oxauth/authorize). Looking at oxauth.log I see the error below:

```
2016-09-21 14:03:27,344 ERROR [xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] java.lang.NullPointerException
	at org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl.requestAuthorization(AuthorizeRestWebServiceImpl.java:503)
	at org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl.requestAuthorizationGet(AuthorizeRestWebServiceImpl.java:103)
	at sun.reflect.GeneratedMethodAccessor1160.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
	at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
	at org.jboss.seam.resteasy.ResteasyContextInjectionInterceptor.aroundInvoke(ResteasyContextInjectionInterceptor.java:59)
	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
	at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
	at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:77)
	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
	at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
	at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
	at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
	at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
	at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
	at org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl_$$_javassist_seam_48.requestAuthorizationGet(AuthorizeRestWebServiceImpl_$$_javassist_seam_48.java)
	at sun.reflect.GeneratedMethodAccessor1159.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216)
	at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
	at org.jboss.seam.resteasy.ResteasyResourceAdapter$1.process(ResteasyResourceAdapter.java:145)
	at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:65)
	at org.jboss.seam.resteasy.ResteasyResourceAdapter.getResource(ResteasyResourceAdapter.java:120)
	at org.jboss.seam.servlet.SeamResourceServlet.service(SeamResourceServlet.java:80)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
	at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:63)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.xdi.oxauth.auth.AuthenticationFilter.processSessionAuth(AuthenticationFilter.java:144)
	at org.xdi.oxauth.auth.AuthenticationFilter.access$500(AuthenticationFilter.java:62)
	at org.xdi.oxauth.auth.AuthenticationFilter$1.process(AuthenticationFilter.java:117)
	at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:65)
	at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:76)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
	at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
	at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
```

I'm sure it's something I've set up wrong, but I was hoping someone could help me with how to manually set up a client on Gluu. Below is the process I used.

### Manually adding client to Gluu

1. OpenID Connect > Clients page. Click "Add client"
1. Added an internal client name (i.e. "Test apache site")
1. Add Client secret "newsecret"
1. Add response types "code", "token", "id_token"
1. Add Login URI "https://server1.company.com/dynamic/fake_redirect_uri "
1. Add scope "email"
1. Click "Add" to save the client to Gluu
1. This then generates an "iNum" which I copy down to use as a ClientID in Apache

### Apache setup steps

1. Beyond normal Apache installation and SSL setup
1. Set up the protected resource files as per instructions (in /var/www/html/protected)
1. Installed auth_openidc and enabled the module
1. Configured the module (auth_openidc.conf) and added the information mentioned below to the end of the file. The "OIDCClientID" in the config is the "iNum" retrieved from Gluu previously
1. Restart Apache
1. In my browser, go to https://server1.company.com:443/dynamic

My enabled Apache default-ssl.conf file looks like this:

```
<VirtualHost *:443>
    ServerName server1.company.com
    DocumentRoot /var/www/html
    <Location /dynamic/>
        AuthType openid-connect
        Require valid-user
    </Location>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
```

My auth_openidc.conf file contains the following information:

```
OIDCRedirectURI https://server1.company.com/dynamic/fake_redirect_uri
OIDCCryptoPassphrase newsecret
OIDCProviderMetadataURL https://gluu.company.com/.well-known/openid-configuration
OIDCClientID @!DF5D.95BC.627B.BEB6!0001!9A77.81F1!0008!E519.A15F
OIDCClientSecret newsecret
OIDCResponseType id_token
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCProviderIssuer https://gluu.company.com
OIDCSSLValidateServer Off
```

Can anyone advise on what the issue may be? Thanks
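An added example, not code from this thread, from Gluu or from mod_auth_openidc: an offline check that the three hand-maintained pieces in the setup above (the auth_openidc.conf directives, the provider's discovery document and the client record typed into the Gluu "Add client" form) agree with each other, plus two hardening flags for settings that are tolerable in a lab but not beyond it (OIDCSSLValidateServer Off, and a crypto passphrase equal to the client secret). All inputs are constructed samples: the client ID is a placeholder shaped like an iNum, the discovery lists are assumed rather than copied from a live server, and the client record keeps the trailing space that appears inside the quotes of the posted Login URI, whether or not that space was really in the form, because redirect URIs are compared as exact strings. The rule that the redirect URI must sit under a Location the module protects is from the mod_auth_openidc documentation; the rest is plain OpenID Connect Core.

```python
# Added example (not Gluu or mod_auth_openidc code): offline consistency check
# of a mod_auth_openidc config against the IdP discovery document and the
# client record registered by hand. All inputs below are constructed samples.
from urllib.parse import urlsplit

# Constructed: the posted auth_openidc.conf, client ID replaced by a placeholder.
SAMPLE_CONF = """\
OIDCRedirectURI https://server1.company.com/dynamic/fake_redirect_uri
OIDCCryptoPassphrase newsecret
OIDCProviderMetadataURL https://gluu.company.com/.well-known/openid-configuration
OIDCClientID @!0000.0000.0000.0000!0001!0000.0000!0008!0000.0000
OIDCClientSecret newsecret
OIDCResponseType id_token
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCProviderIssuer https://gluu.company.com
OIDCSSLValidateServer Off
"""

# Constructed: subset of an /.well-known/openid-configuration response
# (supported-value lists are assumptions, not copied from a live Gluu).
SAMPLE_DISCOVERY = {
    "issuer": "https://gluu.company.com",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# Constructed: what the "Add client" form was given. The Login URI keeps the
# trailing space shown inside the quotes in the post; redirect URIs are
# matched by exact string comparison, so it would matter if it was really there.
SAMPLE_CLIENT_RECORD = {
    "redirect_uris": ["https://server1.company.com/dynamic/fake_redirect_uri "],
    "response_types": ["code", "token", "id_token"],
    "client_secret": "newsecret",
}

# Paths of the <Location> blocks that carry "AuthType openid-connect".
SAMPLE_PROTECTED_LOCATIONS = ["/dynamic/"]


def parse_conf(text):
    """Parse 'Directive value' lines into a dict; blanks and comments skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def check_config(conf_text, discovery, client_record, protected_locations,
                 test_environment=False):
    """Return (code, message) findings; an empty list means the pieces agree."""
    conf = parse_conf(conf_text)
    findings = []

    redirect = conf.get("OIDCRedirectURI", "")
    path = urlsplit(redirect).path
    # The module answers the redirect URI itself, so it must sit under a
    # Location the module protects (and must not point at real content).
    if not any(path.startswith(loc) for loc in protected_locations):
        findings.append(("redirect_unprotected", f"{path} is not under a protected Location"))
    # OpenID Connect compares redirect_uri to the registered value as a
    # plain string, so a stray space or missing slash is a mismatch.
    if redirect not in client_record.get("redirect_uris", []):
        findings.append(("redirect_unregistered", "OIDCRedirectURI not registered exactly"))

    issuer = conf.get("OIDCProviderIssuer")
    if issuer and issuer != discovery.get("issuer"):
        findings.append(("issuer_mismatch", f"{issuer} != {discovery.get('issuer')}"))

    response_type = conf.get("OIDCResponseType", "code")  # module default is "code"
    if response_type not in discovery.get("response_types_supported", []):
        findings.append(("response_type_unsupported", response_type))
    if response_type not in client_record.get("response_types", []):
        findings.append(("response_type_unregistered", response_type))

    auth_method = conf.get("OIDCProviderTokenEndpointAuth", "client_secret_basic")
    if auth_method not in discovery.get("token_endpoint_auth_methods_supported", []):
        findings.append(("token_auth_unsupported", auth_method))

    if conf.get("OIDCClientSecret") != client_record.get("client_secret"):
        findings.append(("client_secret_mismatch", "secret differs from the IdP record"))

    # Hardening findings: tolerable in a lab, not once the setup leaves it.
    if conf.get("OIDCSSLValidateServer", "On").lower() == "off" and not test_environment:
        findings.append(("tls_validation_off", "provider certificate is not verified"))
    if conf.get("OIDCCryptoPassphrase") == conf.get("OIDCClientSecret"):
        findings.append(("passphrase_reused", "OIDCCryptoPassphrase equals OIDCClientSecret"))
    return findings


if __name__ == "__main__":
    for code, message in check_config(SAMPLE_CONF, SAMPLE_DISCOVERY,
                                      SAMPLE_CLIENT_RECORD, SAMPLE_PROTECTED_LOCATIONS):
        print(f"{code}: {message}")
```

Run as-is it reports the three findings for the constructed inputs (unregistered redirect URI because of the trailing space, TLS validation off, passphrase reused); to check a real deployment, paste the JSON from /.well-known/openid-configuration and the values from the Gluu client page in place of the samples. It does not explain the NullPointerException in the trace above; it only rules out the mismatches that are cheap to eliminate before reading server logs.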

By Michael Schwartz Account Admin 21 Sep 2016 at 9:17 a.m. CDT

Did you try using dynamic client registration and discovery first? This creates the right files, and then it's easier to edit them after that.

By Neemesh Patel user 21 Sep 2016 at 10:50 a.m. CDT

Hi Mike,

Dynamic registration wasn't installed initially, but I have followed what you mentioned [here](https://support.gluu.org/installation/installation-of-dynamic-registration-post-main-installation-3255/) where you drop in the oxauth-rp.war file (please correct me if this is not the web app used for dynamic registration and if I'm misunderstanding). I tried 2.4.3 initially (to match the version of Gluu we're running) and then 2.4.4 when I wasn't successful with that, but I wasn't successful with that one either.

When I access https://gluu.company.com/oxauth-rp the application looks to load and I am presented with an interface. When I enter "https://gluu.company.com" into the OpenID Connect discovery and click submit, I can see return information in "Identifier Normalization", "Webfinger request", "Webfinger response", "configuration request" and "configuration response". Even though information is returned, it's worth noting the following entries in the oxauth-rp.log when I click submit:

```
2016-09-21 15:38:25,428 WARN [org.apache.http.client.protocol.ResponseProcessCookies] Cookie rejected [JSESSIONID="9BE50B31AD8A2C3D3708488B1A89D3F9", version:0, domain:gluu.company.com, path:/oxauth/, expiry:null] Illegal path attribute "/oxauth/". Path of origin: "/.well-known/webfinger"
2016-09-21 15:38:25,646 WARN [org.apache.http.client.protocol.ResponseProcessCookies] Cookie rejected [JSESSIONID="E253734292CE3571B82131E62B66ACA1", version:0, domain:gluu.company.com, path:/oxauth/, expiry:null] Illegal path attribute "/oxauth/". Path of origin: "/.well-known/openid-configuration"
2016-09-21 15:38:25,706 ERROR [org.jboss.seam.contexts.Contexts] could not discover transaction status
```

After this I enter the information into the "Dynamic Client Registration" area:

- Registration endpoint: pre-populates with https://gluu.company.com/oxauth/seam/resource/restv1/oxauth/register
- Redirect URIs: https://server1.company.com/dynamic/fake_redirect_uri
- Response types: Code, Token, ID_Token all selected
- Grant types: Authorization_code selected
- Application type: Web
- Client name: Test app
- Subject type through Token endpoint auth signing alg: selected the first option from each dropdown
- Default maximum authentication age: 300

I then click submit, you see a flash of a "loading" string in the top right, and then nothing appears to happen (no new entries appear in the Gluu OpenID Connect > Clients area). In the oxauth-rp.log it logs the following when you click submit:

```
2016-09-21 15:45:51,646 ERROR [org.jboss.seam.contexts.Contexts] could not discover transaction status
```

Just in case I am not understanding something, this is the sequence of steps/events followed to install oxauth-rp:

1. Downloaded oxauth-rp.war 2.4.3/2.4.4 from your link
1. Renamed them to oxauth-rp.war (default name includes the version number)
1. Copied them to the server (/opt/gluu-server-2.4.3/opt/apache-tomcat-7.0.65/webapps)
1. Restarted Gluu server
1. With my browser I accessed this via https://gluu.company.com/oxauth-rp

By Neemesh Patel user 22 Sep 2016 at 7:44 a.m. CDT

Hi Zamil,

I was using the Ubuntu guide linked in my first post as that's what O/S our server is using (https://www.gluu.org/docs/integrate/ubuntu-installation/), but I think I've got things working now. There were two issues:

- The first was having "JWS alg Algorithm for signing the ID token" and "JWE alg algorithm for encrypting the ID token" enabled; once I disabled these I was then sent to Apache correctly, albeit Apache was still complaining about me being unauthorised
- The second problem was having the Shibboleth module enabled at the same time as OpenID. Once I disabled that, things worked as expected.

I'll probably revisit these points once we're further along the development path, but for now I have what I need, so please feel free to close this ticket. Thanks for yours and Mike's time and assistance.