ldap user creation issue with oauth2 #137

Open
gch-meoss opened this issue Aug 19, 2024 · 2 comments


gch-meoss commented Aug 19, 2024

Hello,

I have an issue when I try to automatically create a user with an oauth2 connection.

I used georchestra 24.0 with Docker (and the gateway module version 1.1.0).

This is my security.yml file:

georchestra:
  gateway:
    security:
      create-non-existing-users-in-l-d-a-p: true
      enableRabbitmqEvents: true
      oauth2:
        enabled: true
      ldap:
        default:
          enabled: true
          extended: true
          url: ldap://${ldapHost:localhost}:${ldapPort:389}/
          baseDn: ${ldapBaseDn:dc=georchestra,dc=org}
          adminDn: ${ldapAdminDn:cn=admin,dc=georchestra,dc=org}
          adminPassword: ${ldapAdminPassword:secret}
          users:
            rdn: ${ldapUsersRdn:ou=users}
            searchFilter: ${ldapUserSearchFilter:(uid={0})}
            pendingUsersSearchBaseDN: ou=pendingusers
            protectedUsers: geoserver_privileged_user
          roles:
            rdn: ${ldapRolesRdn:ou=roles}
            searchFilter: ${ldapRolesSearchFilter:(member={0})}
          orgs:
            rdn: ${ldapOrgsRdn:ou=orgs}
            protectedRoles: ADMINISTRATOR, GN_.*, ORGADMIN, REFERENT, USER, SUPERUSER

spring:
  security:
    oauth2:
      client:
        registration:
          cas-oauth2:
            client-name: "My SSO"
            client-id: 18
            client-secret: ...
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/cas-oauth2"
            state: vzs...izb
        provider:
          cas-oauth2:
            authorization-uri: https://sso_fqdn/oauth/authorize
            token-uri: https://sso_fqdn/api/oauth/token
            user-info-uri: https://sso_fqdn/api/user
            user-name-attribute: id

The https://sso_fqdn/api/oauth/token endpoint gives me the following bearer access token:

{
 "token_type": "Bearer",
 "expires_in": 1296000,
 "access_token": "eyJ0e..duPec",
 "refresh_token": "def...892871b"
}

The decoded access_token looks like:

{
	"typ":"JWT",
	"alg":"RS256"
}
.
{
	"aud":"18",
	"jti":"31cf0a...033c",
	"iat":1723557200.006598,
	"nbf":1723557200.006601,
	"exp":1724853199.99703,
	"sub":"130",
	"scopes":[]
}
...

The user-info-uri endpoint looks like:

{
	id=127,
	email=..@..,
	first_name=...,
	company=autre,
	last_name=...
	details={
		ab_testing_lot1=[..., ...],
		ab_testing_lot3=[..., ...],
		allowed_parcels=false,
		variables=[..., ...],
		onBoardingFinished=true,
		mocked=false
	},
	bookmarks={
		variables=[..., ...],
		favorites=[],
		reference={
			uuid=0147a99a...6f7804,
			type=waterbody
		}
	},
	is_admin=false,
	created_at=2024-08-13T11:55:43.000000Z,
	activated_at=2024-08-13 14:00:00,
	is_producer=true,
	email_verified_at=2024-08-13T11:56:01.000000Z
}

With the option "create-non-existing-users-in-l-d-a-p: false" there is no particular issue, the authentication is OK.

With the option "create-non-existing-users-in-l-d-a-p: true", I have the following issue in the logs:

ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [127], Granted Authorities: [[ROLE_USER]], User Attributes: [
{
	id=127,
	email=..@..,
	first_name=...,
	company=autre,
	last_name=...
	details={
		ab_testing_lot1=[..., ...],
		ab_testing_lot3=[..., ...],
		allowed_parcels=false,
		variables=[..., ...],
		onBoardingFinished=true,
		mocked=false
	},
	bookmarks={
		variables=[..., ...],
		favorites=[],
		reference={
			uuid=0147a99a...6f7804,
			type=waterbody
		}
	},
	is_admin=false,
	created_at=2024-08-13T11:55:43.000000Z,
	activated_at=2024-08-13 14:00:00,
	is_producer=true,
	email_verified_at=2024-08-13T11:56:01.000000Z
}
], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@72a3475f'

org.georchestra.gateway.security.oauth2  : Mapping DefaultOAuth2User authentication token from provider cas-oauth2
o.g.g.s.RolesMappingsUserCustomizer      : Computed additional roles for ROLE_USER: []
o.s.ldap.core.LdapTemplate               : The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
o.s.l.c.support.AbstractContextSource    : Got Ldap context on server 'ldap://ldap:389/dc=georchestra,dc=org'
o.s.l.c.support.AbstractContextSource    : Got Ldap context on server 'ldap://ldap:389/dc=georchestra,dc=org'
o.s.ldap.core.LdapTemplate               : The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
o.s.l.c.support.AbstractContextSource    : Got Ldap context on server 'ldap://ldap:389/dc=georchestra,dc=org'
o.s.l.c.support.AbstractContextSource    : Got Ldap context on server 'ldap://ldap:389/dc=georchestra,dc=org'
a.w.r.e.AbstractErrorWebExceptionHandler : [ffe8807e-7] Resolved [NullPointerException: Cannot invoke "String.length()" because the return value of "org.georchestra.ds.users.Account.getGivenName()" is null] for HTTP GET /whoami
a.w.r.e.AbstractErrorWebExceptionHandler : [ffe8807e-7]  500 Server Error for HTTP GET "/whoami"

java.lang.NullPointerException: Cannot invoke "String.length()" because the return value of "org.georchestra.ds.users.Account.getGivenName()" is null
        at org.georchestra.ds.users.AccountDaoImpl.checkMandatoryFields(AccountDaoImpl.java:400) ~[georchestra-ldap-account-management-24.0.0.jar:na]
        Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:

Do you have an idea why org.georchestra.ds.users.Account.getGivenName() is crashing? Is it missing an id_token in the auth token, or some other attributes in the access_token?

I also tried to add various spring > security > oidc configs, but without any success:

spring:
  security:
    oidc:
      claims:
        id.path: "$.sub"
        organization.path: "$.sub"
        given_name.path: "$.last_name"
        family_name.path: "$.first_name"
        email.path: "$.email"
        roles.path: "$.sub"

spring:
  security:
    oidc:
      claims:
        id.path: "$.id" 
        organization.path: "$.sub"
        given_name.path: "$.sub"
        family_name.path: "$.sub"
        email:
          json.path:
              - "$.concat($.sub, \"@\", $.sub)"
        roles.path: "$.sub"
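
To see why a mandatory-field check trips over a userinfo document shaped like the one above, here is an added Python sketch (not georchestra or Spring code) that maps provider attributes onto account fields through configurable paths and reports which mandatory fields are missing instead of dereferencing a null given name. The dotted-path syntax, the field names and the sample userinfo are constructed for the example; they stand in for the gateway's JSONPath claim configuration and are not its actual keys.

```python
# Added example (not georchestra code): configurable claim mapping plus a
# null-safe mandatory-field check for an OAuth2 userinfo document.
from typing import Any, Dict, List, Optional

# Constructed userinfo, shaped like the one quoted in the issue: the provider
# sends first_name/last_name, not the OIDC standard given_name/family_name.
USERINFO: Dict[str, Any] = {
    "id": 127,
    "email": "jane.doe@example.org",
    "first_name": "Jane",
    "last_name": "Doe",
    "company": "autre",
    "details": {"mocked": False},
}

# Hypothetical mappings (account field -> dotted path into the userinfo
# document); a stand-in for the gateway's JSONPath claim configuration.
STANDARD_OIDC_PATHS = {"uid": "id", "given_name": "given_name",
                       "family_name": "family_name", "email": "email"}
PROVIDER_PATHS = {"uid": "id", "given_name": "first_name",
                  "family_name": "last_name", "email": "email", "org": "company"}

MANDATORY = ("uid", "given_name", "family_name", "email")

def lookup(doc: Any, path: str) -> Optional[Any]:
    """Resolve a dotted path such as 'details.mocked'; None when any step is absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def map_account(userinfo: Dict[str, Any], paths: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Build the account attributes; unmapped or absent claims stay None (never '')."""
    account: Dict[str, Optional[str]] = {}
    for field, path in paths.items():
        value = lookup(userinfo, path)
        account[field] = None if value is None else str(value)
    return account

def missing_mandatory_fields(account: Dict[str, Optional[str]]) -> List[str]:
    """Null-safe mandatory check: list the blank or missing fields so the caller
    can reject the account with a clear message rather than an NPE."""
    return [f for f in MANDATORY if not (account.get(f) or "").strip()]

if __name__ == "__main__":
    for name, paths in (("standard OIDC names", STANDARD_OIDC_PATHS),
                        ("provider names", PROVIDER_PATHS)):
        print(name, "-> missing:", missing_mandatory_fields(map_account(USERINFO, paths)))
```

With the standard OIDC claim names the given and family names come back missing, which is the situation the stack trace above reports; with the provider's own attribute names the account passes the check.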

f-necas commented Nov 8, 2024

Hi gch-meoss, sorry for the very late response.

There's an LDAP extended configuration that would fix your problem: https://github.com/georchestra/georchestra-gateway/blob/main/docs/pre-authentication.adoc#account-creation

gch-meoss (Author)

Thank you very much, I will check that.
