finalist / liferay-oidc-plugin Goto Github PK

Hi,
I 've been able to connect my liferay with an identity provider using your plugin. I need to associate the related groups with the LF user . I developed a post login hooks to get the object OpenIDConnectUserInfo in session as follows:

@component(
immediate = true,
property = { "key=login.events.post" },
service = LifecycleAction.class
)
public class MyPostLogin implements LifecycleAction {

@Override
public void processLifecycleEvent(LifecycleEvent lifecycleEvent) throws ActionException {

	final HttpSession session = lifecycleEvent.getRequest().getSession();

	  Map <String, String> userInfo = (Map <String, String>) session.getAttribute ("OpenIDConnectUserInfo");
	
	if (userInfo != null) {
		// add user group
	}
}

}

but I get a null value .
How can I get user information from the identity provider (keycloak in my case) in my post login hook to add custom logic ?
Thanks.
Roberto

Hi

I've seem sometimes it on log:

16:45:17,622 INFO  [http-nio-8080-exec-26][Liferay70Adapter:55] Provided state parameter '6a4de044ab2e0d5dd245bcaef8408258' does not equal expected '442ce034d59ff6aff3bf09a2ec6ae8c7', cannot
 continue.
13-Apr-2018 16:45:17.623 SEVERE [http-nio-8080-exec-26] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [Main Servlet] in context with path [] threw except
ion
 java.io.IOException: Invalid state parameter
        at nl.finalist.liferay.oidc.LibFilter.exchangeCodeForAccessToken(LibFilter.java:205)
        at nl.finalist.liferay.oidc.LibFilter.processFilter(LibFilter.java:164)
        at nl.finalist.liferay.oidc.OpenIDConnectFilter.processFilter(OpenIDConnectFilter.java:61)

Using CE 7 GA4 + Tomcat + Azure and plugin 0.4.0

Any suggestion ?

Hello,

i used following setup:

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=http://local.test-server.ag:7070/openam/oauth2/access_token
openidconnect.authorization-location=http://local.test-server.ag:7070/openam/oauth2/authorize
openidconnect.profile-uri=http://local.test-server.ag:7070/openam/oauth2/userinfo
openidconnect.issuer=http://local.test-server.ag:7070/openam/oauth2
openidconnect.client-id=MyId
openidconnect.secret=xxxxxxx
openidconnect.scope=openid email

If I go to http://local.test-server.ag:8080/kundenportal/c/portal/login I get redirect to OpenAM and I can login successfull.
Than I got redirected to Liferay with following Link:

http://local.test-server.ag:8080/kundenportal/c/portal/login?code=e2ab2018-a609-4b8b-b38f-92f96510cd40&scope=openid%20email&iss=http%3A%2F%2Flocal.test-server.ag%3A7070%2Fopenam%2Foauth2&state=70b6ce8b4a2acf6505103e3ccd9ed06a&client_id=MyId

I increased the DEBUG Lebel for nl.finalist in Liferay to ALL

I got following in the Liferay Logs.
Caused by: OAuthProblemException{error='invalid_client', description='Invalid authentication method for accessing this endpoint.', uri='null', state='null', scope='null', redirectUri='null', responseStatus=400, parameters={}}
at org.apache.oltu.oauth2.common.exception.OAuthProblemException.error(OAuthProblemException.java:59)
at org.apache.oltu.oauth2.client.validator.OAuthClientValidator.validateErrorResponse(OAuthClientValidator.java:63)
at org.apache.oltu.oauth2.client.validator.OAuthClientValidator.validate(OAuthClientValidator.java:48)
at org.apache.oltu.oauth2.client.response.OAuthClientResponse.validate(OAuthClientResponse.java:127)
at org.apache.oltu.oauth2.client.response.OAuthClientResponse.init(OAuthClientResponse.java:96)
at org.apache.oltu.oauth2.client.response.OAuthAccessTokenResponse.init(OAuthAccessTokenResponse.java:65)
at org.apache.oltu.oauth2.client.response.OAuthClientResponse.init(OAuthClientResponse.java:101)
at org.apache.oltu.oauth2.client.response.OAuthAccessTokenResponse.init(OAuthAccessTokenResponse.java:60)
at nl.finalist.liferay.oidc.OpenIdConnectResponse.init(OpenIdConnectResponse.java:35)
at org.apache.oltu.oauth2.client.response.OAuthClientResponse.init(OAuthClientResponse.java:120)
at org.apache.oltu.oauth2.client.response.OAuthClientResponseFactory.createCustomResponse(OAuthClientResponseFactory.java:82)
at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:111)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55)
at nl.finalist.liferay.oidc.LibFilter.exchangeCodeForAccessToken(LibFilter.java:168)
... 87 more

Do I miss something? Or why are all necessary fields null?

Greetings Julian

Hello!

This maybe a duplicate for #44 but I'd like to know if this plugin is available for 7.2 dpx?

Do you have ETA of release for open idConnectPlugin and does it support gradle workspace or is it still maven project?

Thanks alot!

-Jani

It is possibile to use this plugin on Liferay 7.2 CE Version?

Hi,

I'm trying to compile the plugin oidc plugin source code, but an error occurs when retrieving the parent POM of the OIDC-parent project :
<parent> <groupId>nl.iprofs.pom</groupId> <artifactId>parent</artifactId> <version>2.0.25</version> </parent>
It seems the repository https://nexus.iprofs.nl/content/repositories/releases-public is not available. Is it temporary or permanent ? Is there another repository that could be used ?

Thank you very much,

Nicolas

I experienced problems with travis while attempting to push some changes in my own fork of this plugin. It seems the original oraclejdk8 entry is no longer supported by travis.
After a long series of annoying attempts I solved the problem placing:

jdk:
  - openjdk9

in .travis file.
In order to succeed I needed also to comment-out the following:

<!--
    <distributionManagement>
        <repository>
            <id>releases-public</id>
            <name>Finalist public releases</name>
            <url>https://nexus.iprofs.nl/content/repositories/releases-public</url>
        </repository>
    </distributionManagement>
    <repositories>
        <repository>
            <id>releases-public</id>
            <name>Finalist public releases</name>
            <url>https://nexus.iprofs.nl/content/repositories/releases-public</url>
        </repository>
    </repositories>
-->

in pom.xml file

I would invite you to check travis CI in your original source repository.

Hi

I am trying to configure oauth 2 on liferay version 7.0.6 GA7. Oauth 2 provider I have spring.

I was able to configure provider itself and 2 clients to it to check that I configured provider correctly. Everything worked, clients also on spring boot.

But when I tried to integrate my provider into liferay using your plugin, I encountered the following problem that I can't solve

Hi,

I use actually this plugin (version 0.2.2) on my liferay 7.0GA3+.
I want to use the SSO Logout functionnality which is implemented in latest version 0.4.0.
Please, can you commit this latest version for liferay 7.0.GA3+ on the marketplace ?

Thanks in advance.

In cases where multiple virtual instances are configured, along with corresponding instance-specific properties files, the plugin only recognises configurations in the main portal-ext.properties.

For example, if in my Liferay 7.0/DXP I have -

• portal-ext.properties
• portal-abc.properties (for virtual instance ABC)
• portal-pqr.properties (for virtual instance PQR)
• portal-xyz.properties (for virtual instance XYZ)

Now, suppose we want to have OpenID Connect authentication for instance PQR only, logically one would expect to put the oidc properties in the portal-pqr.properties file. But if one were to do so, the configurations would be ignored. Only when the configurations are placed in the portal-ext.properties do they take effect. But this of course makes ALL the instances set up with OIDC authentication.

How can I get access to the returned user profile & token from my portlet?
You are setting these data as attributes for the HttpServletRequest, trying to get them from my RenderRequest object but no result.

Hello,
I have a issue with private site.
Without the I login from a private site and I lading to it after, if I turned on the plugin and I login froma a the same private, I landing to /guet/home.

Seems the plugin doesn't work with private site.

I tried to get the plugin working within Liferay 7 with my own Openid Connect Provider (first try: Gluu server, second try: Keycloak server). Both times I ended up with the same problem. After a click on "Sign in" I got redirected to the openid connect provider page (worked with Gluu and Keycloak), where I authenticated myself. Afterwards I get redirected to a blank page. The liferay log files shows the following error message:
[OpenIDConnectFilter:61] java.lang.IllegalArgumentException: Impossible to obtain a Token from a null or empty string
Is this a bug or do I have a misconfiguration on the OP side?

This is not an issue but more information request on which class the plugin provides to be able to achieve what we are trying to do.
We are using this very usefull plugin to register and login user coming from an OpenID authentication provider.
When requesting the user profile with the OpenID token, some claims are also provided. We would like to be able to assign users to preexisting groups in Liferay based on these claims.
So basically wanted to know how you would do that post-login logic and on which class we should hook to be able to retrieve these claims.
Asking this question based on marketplace plugin description when you say:

Can be combined with post login hooks to perform additional custom logic (adding users to groups etc)

Thanks for providing some hints.

For enterprise environments there are systems like SiteMinder which centrally check all and every request of every client if there still is a valid session and a valid auth token. If the session is outdated, it is transparently renewed (which may break POST requests), and if the auth token is outdated, the user is forced to renew her authentication to continue the session.

Liferay together with OIDC plugin does not seem to act like this: If the session is authenticated in Liferay but the SSO session is invalidated by SSO logout triggered from another confederated system, Liferay does not see this (as far as I have seen so far): The Liferay session keeps being authenticated ("locally").

Do you see any way to force Liferay to check the validity of the SSO auth state on every request? Does this require code in the OIDC plugin, or should I simply use another LR hook which will then automatically "use" the OIDC plugin to check with the actual OIDC service?

Thanks for making this plug-in, Finalist team!

We are getting user info back from our AzureAD tenant, but this error is stopping us right now:
"Unexpected: OpenID Connect UserInfo does not contain email field. Cannot correlate to Liferay user."

We have set the portal-ext.properties file as follows:

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://login.microsoftonline.com/{{Our tenant ID here}}}/oauth2/token
openidconnect.authorization-location=https://login.microsoftonline.com/{{Our tenant ID here}}}/oauth2/authorize
openidconnect.profile-uri=https://login.microsoftonline.com/{{Our tenant ID here}}}/openid/userinfo
openidconnect.issuer=https://sts.windows.net/{{Our tenant ID here}}}/
openidconnect.client-id={{Our client ID here}}}
openidconnect.secret={{Our secret key here}}}
openidconnect.scope=openid profile email

Is there some setting we're missing that could be causing this error?
We did notice this in ProviderFactory.java:
openidconnect.provider

Will setting the value of the provider as follows "openidconnect.provider=AzureAD" help? Or is there another property we need to set that's not included in your README file? Any guidance you can give would be greatly appreciated. Again, thanks for making this!

Actually every change of the plugin configuration including switching the plugin on/off requires re-reading portal-ext.properties, which in turn requires restart of Liferay.

It would be extremely useful to have this plugin configurable via Liferay Control Panel with immediate result.

This would require a Liferay JSP hook for Control Panel and some further management code.

Hi,
I'm using Liferay Portal 6.2 CE GA1 and already followed all the documentation, but after successfully logging in with openID it's still shown Liferay Login Page and displays error below:

WARN  [http-bio-443-exec-2][Liferay62Adapter:46] The token was not valid: -- JWT --
Raw String: eyJhbGciOiJSUzI1NiIsIng1dCI6IlJidlZKWDB0aEZ6TmxucHF4MUpZa2dFeEZMQSIsImtpZCI6IlJidlZKWDB0aEZ6TmxucHF4MUpZa2dFeEZMQSIsInR5cCI6IkpXVCJ9.eyJpZHAiOiJTZWN1cmVBdXRoOSIsImF1dGhfdGltZSI6MTU1MDIyMjU2MywiZGlzcGxheW5hbWUiOiJhZG1pbmxpZmVyYXkiLCJtYWlsIjoiYWRtaW5saWZlcmF5QGxlbWRpa2xhdC5wb2xyaS5nby5pZCIsImNuIjoiYWRtaW5saWZlcmF5Iiwic24iOiJsaWZlcmF5Iiwic3ViIjoiYWRtaW5saWZlcmF5IiwianRpIjoiY2Y2YTNjYjViMTNlNDMzODk1MzNiMmUyYmUyNTA2ZTgiLCJhdF9oYXNoIjoiZXUzdXJJdjVfN1V6eWRTR2RaeXdRUSIsImlhdCI6MTU1MDQ2MTAxNywiaXNzIjoiaHR0cHM6Ly9zZWN1cmVhdXRoMDEubGVtZGlrbGF0LnBvbHJpLmdvLmlkL1NlY3VyZUF1dGg5LyIsImF1ZCI6IjgxZGE2Y2IxMWM2NTQ1MTA4ZmJmNTFhYjY5MjYzNjkyIiwiZXhwIjoxNTUwNDY0NjE3LCJuYmYiOjE1NTA0NjEwMTd9.0n5As9fgGhrUtmdyzHFAZga6yt9U9IMxo0iVi3hCoBacgb9DH-WI-F8Rx23EOIBTqb3XPs6NB2599aYQHOLqEiRaKdTTRToHMmP9Ktd_k-lQt8lG25mBNVJakt33MflvdlI27PQtrjq4ZdMeoEtndxnoe9e0z3Kx_AhgtyWryCeWaI4p-Yj9WoPTdZVwD8XzANH4SefgnQvVbNgE5ZnhTcHKwX4LqoQu1L22HR9skzZSR7y_GS6U-UQ_7D0zirsF1WmBRHQAhNgor8AYKqLxfcm4U8H2319YVM0eWiFfSrqKvoekGakH5R-euYgW9c8l-NMhIYXQbG2Hr-jzfswLWQ
Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "x5t": "RbvVJX0thFzNlnpqx1JYkgExFLA", "kid": "RbvVJX0thFzNlnpqx1JYkgExFLA"}
Claims Set: {"iss": "https://secureauth01.lemdiklat.polri.go.id/SecureAuth9/", "sub": "adminliferay", "aud": ["81da6cb11c6545108fbf51ab69263692"], "exp": 1550464617, "nbf": "1550461017", "iat": 1550461017, "jti": "cf6a3cb5b13e43389533b2e2be2506e8", "typ": "null" }
Signature: 0n5As9fgGhrUtmdyzHFAZga6yt9U9IMxo0iVi3hCoBacgb9DH-WI-F8Rx23EOIBTqb3XPs6NB2599aYQHOLqEiRaKdTTRToHMmP9Ktd_k-lQt8lG25mBNVJakt33MflvdlI27PQtrjq4ZdMeoEtndxnoe9e0z3Kx_AhgtyWryCeWaI4p-Yj9WoPTdZVwD8XzANH4SefgnQvVbNgE5ZnhTcHKwX4LqoQu1L22HR9skzZSR7y_GS6U-UQ_7D0zirsF1WmBRHQAhNgor8AYKqLxfcm4U8H2319YVM0eWiFfSrqKvoekGakH5R-euYgW9c8l-NMhIYXQbG2Hr-jzfswLWQ
---------

Any solutions?

Thanks in advance.
PWZ

Hi,

I have a problem when setting the default Landing Page parameter in liferay, using the login mechanism of liferay is correctly redirected to Default Landing Page, however when I incorporate the component oidc-plugin takes me to the default page and not to The page that I configured (I did it with a new site with a private page), being that the expected behavior is to redirect where I have configured.

I expect any support, while I am investigating how the plugin can influence this misconduct.

Best regards,

Hello
I'm using the OpenId connector in Liferay 6.2 CE, to sign in with keycloak.
The question is when I click the SignIn button the behavior is different depending on the location / url of the Liferay and keycloack.
I guve you 2 Scenarios example:

Scenario 1: Different domains
Url Liferay is http://work_domain_and_port/liferay and keycloak url is http://other_domain_and_port/auth.
The result is the expected, opens keycloak login page on the same browser tab.

Scenario 2: Same domain but different access url
Url Liferay is http://work_domain_and_port/liferay and keyclocak url is http://other_domain_and_port/auth.
The result is the expected, opens keycloak login page on the same browser tab.

Scenario 3: Same domain and url’s
Both are in the same domain (say in a cluster environment), for example http/docker.localhost/liferay and http://docker.localhost/auth.
The result is not expected. When you click the SignIn button, the Liferay window is "disabled", but does not open the keycloak login.

Note: In developer tools from browser, when I inspect signIn button we can see
< a class="" data-redirect="false" href="http://docker.localhost/liferay/c/portal/login?p_l_id=20185" id="" role="menuitem" title="Sign In" >

If I replace href with onclick="location.href = the expected result is obtained.

Can you help me with this? Have you ever encountered this problem?

Thank you in advance
Eunice da Silva

This plug-in has been great for us for authenticating through Azure AD, however we have noticed that Liferay is not synching/updating a user's AD groups memberships on login. Has anyone else experienced an issue with this and the plug-in?

https://github.com/finalist/liferay-oidc-plugin/blob/master/doc/sequence-diagram.png

Say the Liferay site with this plugin is configure to authenticate via Google (provider) per README.md. The sequence diagram above shows the browser uses the Liferay login page to collect the user's Google account name and password. The Liferay filter then takes over and completes the entire protocol with Google, which suggests that:

1. The Google account name and password is leaked to the relying party (Liferay), which defeats the purpose of OAuth.
2. The browser receives no OAuth artifacts from Google (provider), which prevents the browser from single sign-on to another site that also use Google as provider.

Are these true?

Dear Team,

we have configured with below values in portal-ext.properties but where I need to update the redirection URL and also I am not understanding the plugin as when we can see the changes and where we can see the plugin changes

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=Custom Value Provided
openidconnect.authorization-location=Custom Value Provided
openidconnect.client-id= Custom Value Provided
openidconnect.secret= Custom Value Provided
openidconnect.scope= Custom Value Provided
openidconnect.profile-uri=Custom Value Provided
openidconnect.issuer=Custom Value Provided

Here we have a value as issuer but as per the plugin do we have any standard value for this. Please help me with the above values and also with google plugin.

Thanks & Regards,
Karthik

I downloaded and installed DXP 7.1, we are running java 8. I tried to install the open id app version 0.5.2. I get this error:

2018-08-30 14:26:41.880 ERROR [fileinstall-/usr/local/liferay-ce-portal-7.1.0-ga1/osgi/marketplace][org_apache_felix_fileinstall:97] Failed to install artifact: /usr/local/liferay-ce-portal-7.1.0-ga1/osgi/marketplace/OpenID-Connect-plugin.lpkg
com.liferay.portal.lpkg.deployer.LPKGVerifyException: com.liferay.portal.lpkg.deployer.LPKGVerifyException: LPKG validation failed with {[missing requirement nl.finalist.liferay.oidc; version=0.5.2; type=osgi.bundle [caused by: Unable to resolve nl.finalist.liferay.oidc version=0.5.2: missing requirement com.liferay.portal.kernel.model; version=[1.0.0,2.0.0)]], [missing requirement nl.finalist.liferay.oidc.portalsettings; version=0.5.2; type=osgi.bundle [caused by: Unable to resolve nl.finalist.liferay.oidc.portalsettings version=0.5.2: missing requirement com.liferay.portal.kernel.model; version=[1.0.0,2.0.0)]]}
at com.liferay.portal.lpkg.deployer.internal.DefaultLPKGVerifier.verify(DefaultLPKGVerifier.java:127)
at com.liferay.portal.lpkg.deployer.internal.DefaultLPKGDeployer.deploy(DefaultLPKGDeployer.java:118)
at com.liferay.portal.lpkg.deployer.internal.LPKGArtifactInstaller.install(LPKGArtifactInstaller.java:125)
at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:312)
Caused by: com.liferay.portal.lpkg.deployer.LPKGVerifyException: LPKG validation failed with {[missing requirement nl.finalist.liferay.oidc; version=0.5.2; type=osgi.bundle [caused by: Unable to resolve nl.finalist.liferay.oidc version=0.5.2: missing requirement com.liferay.portal.kernel.model; version=[1.0.0,2.0.0)]], [missing requirement nl.finalist.liferay.oidc.portalsettings; version=0.5.2; type=osgi.bundle [caused by: Unable to resolve nl.finalist.liferay.oidc.portalsettings version=0.5.2: missing requirement com.liferay.portal.kernel.model; version=[1.0.0,2.0.0)]]}
at com.liferay.portal.lpkg.deployer.internal.LPKGIndexValidator.validate(LPKGIndexValidator.java:265)
at com.liferay.portal.lpkg.deployer.internal.DefaultLPKGVerifier.verify(DefaultLPKGVerifier.java:93)
... 7 more

Hello.

I am having a problem with the Liferay OpenID Connect plugin (for Liferay DXP 7.0). I am trying to integrate my portal with login.gov as identity provider. The configurations I am using for the plugin and login.gov are included below. When I click on a Sign In link (https://localhost:8443/c/portal/login?p_l_id=111111) in my local environment, I encounter the following behaviors...

In Google Chrome:
This page isn’t working
idp.int.identitysandbox.gov redirected you too many times.

In Firefox:
The page isn’t redirecting properly
https://localhost:8443/c/portal/login?error=invalid_request&error_description=Acr+values+Please+fill+in+this+field.+Acr+values+No+acceptable+acr_values+found+Scope+Please+fill+in+this+field.+Scope+No+valid+scope+values+found+Nonce+Please+fill+in+this+field.+Nonce+is+too+short+%28minimum+is+32+characters%29&state=8d............................8a

In Internet Explorer:
An infinite loop is apparently created. (The address bar appears to keep redirecting back and forth between two URLs.)

From the Firefox info, it seems as though the plugin is not setting up the acr_values, scope, and nonce parameters. I tried this in one of our shared portal environments using both friendly and machine URLs and observed the same behavior.

Can you please advise about this problem?

Here are my Liferay OpenID Connect plugin parameters:

Enabled: Checked

Location of the authorization service (example: https://accounts.google.com/o/oauth2/v2/auth)
https://idp.int.identitysandbox.gov/openid_connect/authorize

Location of the token service (example: https://www.googleapis.com/oauth2/v4/token)
https://idp.int.identitysandbox.gov/api/openid_connect/token

UserInfo endpoint (example: https://www.googleapis.com/plus/v1/people/me/openIdConnect)
https://idp.int.identitysandbox.gov/api/openid_connect/userinfo

Issuer
urn:gov:gsa:openidconnect.profiles:sp:sso:doi_ibc:my_issuer_name

Scope(s) of the access token
Blank (to default to "openid profile email")

OAuth client ID
urn:gov:gsa:openidconnect.profiles:sp:sso:doi_ibc:my_issuer_name (same as Issuer above)

OAuth client secret
Blank (login.gov does not use this)

OpenID Provider type
Generic

SSO logout endpoint (optional)
Blank

Parameter name supplied to SSO logout endpoint (optional)
Blank

Parameter value supplied to SSO logout endpoint (optional)
Blank

Here are my login.gov app registration parameters:

Identity protocol
openid_connect

Issuer
urn:gov:gsa:openidconnect.profiles:sp:sso:doi_ibc:my_issuer_name

Public key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Return to App UR
https://localhost:8443/web/local-tmp-site-01

Redirect URIs
https://localhost:8443/c/portal/login
https://localhost:8443/c/portal/login?p_l_id=111111

Attribute bundle
email

Active
Y

(Please see https://developers.login.gov/oidc/ for login.gov OIDC parameter documentation.)

My Liferay installation has a custom JAAS login module and I kept getting login exceptions on portal and jboss classes after a successful Azure login.

On trial and error I found the problem at this line in LibAutoLogin.java:
userResponse = new String[]{userId, UUID.randomUUID().toString(), "false"};

I couldn't find any info about setting the last parameter as true or false, but setting it as false doesn't trigger my custom login module defined on portal.jaas.impl property.

From @sys3175-github on December 13, 2016 14:50

Hello,

I try to use OpenID Connect with KeyCloak. Unfortunately, there is an exception:

--- Stacktrace ---

14:14:42,503 ERROR [default task-26][I18nServlet:121] java.io.IOException: While exchanging code for access token and retrieving user info
java.io.IOException: While exchanging code for access token and retrieving user info
        at nl.finalist.liferay.oidc.LibFilter.exchangeCodeForAccessToken(LibFilter.java:191)
        at nl.finalist.liferay.oidc.LibFilter.processFilter(LibFilter.java:132)
        at nl.finalist.liferay.oidc.OpenIDConnectFilter.processFilter(OpenIDConnectFilter.java:60)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:142)
        at com.liferay.portal.servlet.filters.uploadservletrequest.UploadServletRequestFilter.processFilter(UploadServletRequestFilter.java:93)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:142)
        at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:336)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:142)
        at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:125)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:142)
        at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:303)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:142)
        at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:142)
        at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:268)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:115)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
.... (skipped) ...
Caused by: OAuthProblemException{error='invalid_request', description='Missing form parameter: grant_type', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
        at org.apache.oltu.oauth2.common.exception.OAuthProblemException.error(OAuthProblemException.java:59)
        at org.apache.oltu.oauth2.client.validator.OAuthClientValidator.validateErrorResponse(OAuthClientValidator.java:63)
        at org.apache.oltu.oauth2.client.validator.OAuthClientValidator.validate(OAuthClientValidator.java:48)
        at org.apache.oltu.oauth2.client.response.OAuthClientResponse.validate(OAuthClientResponse.java:64)
        at org.apache.oltu.oauth2.client.response.OAuthClientResponse.init(OAuthClientResponse.java:59)
        at org.apache.oltu.oauth2.client.response.OAuthAccessTokenResponse.init(OAuthAccessTokenResponse.java:52)
        at nl.finalist.liferay.oidc.OpenIdConnectResponse.init(OpenIdConnectResponse.java:35)
        at org.apache.oltu.oauth2.client.response.OAuthClientResponseFactory.createCustomResponse(OAuthClientResponseFactory.java:60)
        at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:111)
        at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65)
        at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55)
        at nl.finalist.liferay.oidc.LibFilter.exchangeCodeForAccessToken(LibFilter.java:168)
        ... 125 more
14:14:42,727 ERROR [default task-26][status_jsp:922] While exchanging code for access token and retrieving user info

--- protal-ext.properties ---

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=http://localhost:8180/auth/realms/LifeRay-OpenID/protocol/openid-connect/token
openidconnect.authorization-location=http://localhost:8180/auth/realms/LifeRay-OpenID/protocol/openid-connect/auth
openidconnect.profile-uri=http://localhost:8180/auth/realms/LifeRay-OpenID/protocol/openid-connect/userinfo
openidconnect.issuer=http://localhost:8180/auth/realms/LifeRay-OpenID
openidconnect.client-id=liferay-openid-connector
openidconnect.secret=xyz
openidconnect.scope=openid

I think KeyCloak expects an additional value (grant_type) in the form data, but I can not see where I could set this in the properties.

I am using liferay-ce-portal-7.0-ga3 (Wildfly-Bundle) and KeyCloak 2.2.1.
The logging for nl.finalist is on DEBUG, but there is no additional information in the log.

With kind regards
Ronald

Copied from original issue: gvanderploeg/liferay-oidc-plugin#2

Heyho,

When i set the Response_Type to id_token token"
Cas redirects to liferay/c/login#access_token=...

So, we can't use this Hash Param at backend because hash params aren't sent to server.

Any Solutions?

Hi,

I am trying to compile the oidc-plugin component and throws me an error regarding the maven repository. When I test the URL, it tells me Access Denied. You can help me with that.
Thank you.

Cannot install from 7.0’s Control Panel -> App Store. The App Store shown Marketplace login, but the “Sign In” button had no respond.

It there a way to install this plug-in directly?

I want to use SSO of third party website. Not a known provider like Google or Facebook etc. But when exchanging code with access token, provider doesn't return an id_token. They only return access_token. Is there any way i can use this plugin without id_token.

Thanks in advance.

Hi
We have a strange behavior regarding the redirect URL. If the user enter in a private page url (https://mydomainname/private-page) the OpenID plugin is activated correctly and the Identity Provider login page is shown . After login the Liferay default login page ( /web/guest/home) is displayed instead of the expected one (/private-page) .
No custom post login hook to redirect to a different page is installed.
The following properties are configured :
auth.forward.by.last.path=true
auth.forward.by.redirect=true

Thanks

Liferay as well as OpenID Connect both provide means of "logout mechanism".

Although inherently unstable and unreliable, it is good practice in enterprise application environments to offer SSO logout mechanisms which will offer log-off from the OP (or from the single application as well). Log-off or logout will then directly redirect to a public landing page or make a stop-over on a page saying things like "You are successfully logged off and will be redirected to XYZ in Ns...".

The OpenID Connect provider Keycloak (as an example) offers such mechanism as described here: http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html

Other Liferay authentication mechanisms offer configuration of a logout URL which in turn will redirect to a configurable public portal landing page. This would be useful to have also here.

By default Liferay installation (Liferay Community Edition Portal 7.0.5 GA6) saves the last visited page once the signIn procedure is successfully accomplished.
Enabling the liferay-oidc-plugin, the automated redirect to the last visited page is lost and the signIn procedure always lands in the Login portlet.

http:///web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=false&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin

I think this is the main consequence of Issues 34, 33 and 31.

Jul 06, 2021 10:40:42 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Main Servlet] in context with path [] threw exception
java.io.IOException: While exchanging code for access token and retrieving user info
at nl.finalist.liferay.oidc.LibFilter.exchangeCodeForAccessToken(LibFilter.java:185)
at nl.finalist.liferay.oidc.LibFilter.processFilter(LibFilter.java:102)
at nl.finalist.liferay.oidc.OpenIDConnectFilter.processFilter(OpenIDConnectFilter.java:56)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

By @zipwiz in #18:

Is it possible to guess the current "content locale" on the Liferay side and forward it to OIDC OP using URL parameter ui_locales (as described in http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ) ? If the request Locale is not set appropriately it is not that simple to guess it from the available request data like URI, URL, contextPath, servletPath and pathInfo because Liferay always treats the first path element as servletPath, regardless of its semantics...

After successful deployment with "standard" language we have issues with explicitly selected non-standard language:

When working with default language, URLs look like https://my.server.org/myContent . Click on "Login" then calls /c/portal/login and everything is fine.

After switching to EN (it is a German portal), URLs look like https://my.server.org/en/myContent. Click on "Login" then calls /en/c/portal/login -- and this does not trigger OIDC SSO login but Liferay default login.

What are we missing? Is that because of the filter URL path snippet /c/portal/login in liferay-hook.xml? Or is it possible that our proxy is not configured well? Or something else?

Any usefull hint is appreciated.

When users enter a portal URL, they are being passed to authenticate (in our AzureAD tenant) and are then always dropped on /web/guest/home. For example, when the user is not logged in and goes to the URL (https://myexampleliferay.up.edu/registrar/home) they are being redirected to login, and then passed to the Liferay default login page (i.e. /web/guest/home) rather than on /registrar/home.

We are using a Microsoft AzureAD tenant as our Identity Provider. We are also using the OpenID Connect plugin (https://web.liferay.com/marketplace/-/mp/application/78695724).

Somewhere along the authentication path the portal URL information is being dropped. This is a critical issue as we are T-minus 3 days to launch our new Liferay DXP portal to campus.

Once the OIDC plugin is enabled and selecting the SignIn link, OIDC authentication starts immediately. I expected the standard login panel still offering me the option to select OIDC among other types of authentication methods enabled and configured in the portal (I had the standard username / password plus another offered by a third-party module). My test was performed on a newly installed Liferay Community Edition Portal 7.0.5 GA6

Environment
• OpenID Connect Liferay plugin 0.5.2
• Azure AD B2C
• Liferay CE 7.0.6 GA

Login failed and found the following error:

ERROR [http-nio-8080-exec-5][Liferay70Adapter:69] Unexpected: OpenID Connect UserInfo does not contain email field. Cannot correlate to Liferay user. UserInfo: {sub=yyyyyyyy-98e0-45db-bd4f-3d5f0d4d134c, given_name=Tester, family_name=LocalAccount, [email protected]}

Could I fall back to the default login? For example, say I made a mistake on configuration; how could I sign in again (not with OIDC) and make the correction?

For 7.0 DXP, I don’t think it reads the openidconnect.enableOpenIDConnect from portal-ext.properties

Dear All,

I have deployed the lpkg file and configured the below properties

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://www.googleapis.com/oauth2/v4/token
openidconnect.authorization-location=https://accounts.google.com/o/oauth2/v2/auth
openidconnect.profile-uri=https://www.googleapis.com/plus/v1/people/me/openIdConnect
openidconnect.issuer=https://accounts.google.com
openidconnect.client-id=ID got from google when I registered
openidconnect.secret=Secret Key updated with new value
openidconnect.scope=openid profile email

Here other than client-id and secret remaining values I updated as it is portal-ext.properties. Once if deploy the plugin I am able to see output as successfully deployed and it is showing under All Apps
But here it is showing as There are no configurable plugins for this app.

I am not getting when I click on sign in or where I can see this plugin.
Below errors I a facing

org.apache.oltu.oauth2.common.exception.OAuthSystemException: java.net.UnknownHostException: www.googleapis.com
at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:108)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65)
at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55)
at nl.finalist.liferay.oidc.OpenIDConnectFilter.exchangeCodeForAccessToken(OpenIDConnectFilter.java:162)
... 27 more
Caused by: java.net.UnknownHostException: www.googleapis.com

So Please provide me the working testing values for portal-ext.properties to verify and please let me know if I need modify any other configuration here.

Thanks & Regards,
Karthik

From @lorenzotlc on February 20, 2017 16:18

Hi
I found this article
https://medium.com/@chintanaw/using-openid-connect-plugin-in-liferay-with-wso2-identity-server-7f3405c4453d#.1n4arfnyv

I'm really interested in reproducing this, but I'm stucked on an error in liferay.

I have a local liferay CE 6.2 GA 2 on https://150.145.133.108:8443/
and a wso2 5.0 on https://wso2.geosdi.org:9443/carbon
(local /etc/hosts resolution)

I followed the mentioned article and I set up the configurations on the wso2 service provider and on liferay portal-ext.properties

when I connect to http://150.145.133.108:8080/c/portal/login I'm redirected to the WSO login page. After the login I'm redirected to something similar to:
https://150.145.133.108:8443/c/portal/login?state=f6e0e0a00175036e25599921542b1540&code=18549269cc6a65b333f924297541a13

with a white html page.

On liferay tomcato log I get this error:

ERROR [http-bio-8443-exec-3][LibFilter:83] java.lang.IllegalArgumentException: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=__.eyJleHAiOjE1NTE5Mzk1MzEsImF6cCI6IkdlN0FsSTVrTWJPOWcyOWdqVnc0cVdieXZWTWEiLCJz__dWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhdWQiOiJHZTdBbEk1a01iTzlnMjlnalZ3NHFXYnl2__Vk1hIiwiaXNzIjoiaHR0cHM6XC9cL3dzbzIuZ2Vvc2RpLm9yZzo5NDQzXC9vYXV0aDJlbmRwb2lu__dHNcL3Rva2VuIiwiaWF0IjoxNTQ4MzM5NTMxfQ==__.is not a valid Token, it does not match with the pattern: ([a-zA-Z0-9/+=]+)\.([a-zA-Z0-9/+=]+)\.(.+) [Sanitized] java.lang.IllegalArgumentException: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=__.eyJleHAiOjE1NTE5Mzk1MzEsImF6cCI6IkdlN0FsSTVrTWJPOWcyOWdqVnc0cVdieXZWTWEiLCJz__dWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhdWQiOiJHZTdBbEk1a01iTzlnMjlnalZ3NHFXYnl2__Vk1hIiwiaXNzIjoiaHR0cHM6XC9cL3dzbzIuZ2Vvc2RpLm9yZzo5NDQzXC9vYXV0aDJlbmRwb2lu__dHNcL3Rva2VuIiwiaWF0IjoxNTQ4MzM5NTMxfQ==__.is not a valid Token, it does not match with the pattern: ([a-zA-Z0-9/+=]+)\.([a-zA-Z0-9/+=]+)\.(.+) [Sanitized] at org.apache.oltu.commons.encodedtoken.TokenReader.read(TokenReader.java:62) at nl.finalist.liferay.oidc.OpenIdConnectResponse.init(OpenIdConnectResponse.java:36) at org.apache.oltu.oauth2.client.response.OAuthClientResponseFactory.createCustomResponse(OAuthClientResponseFactory.java:60) at org.apache.oltu.oauth2.client.URLConnectionClient.execute(URLConnectionClient.java:111) at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:65) at org.apache.oltu.oauth2.client.OAuthClient.accessToken(OAuthClient.java:55) at nl.finalist.liferay.oidc.LibFilter.exchangeCodeForAccessToken(LibFilter.java:168) at nl.finalist.liferay.oidc.LibFilter.processFilter(LibFilter.java:132) at nl.finalist.liferay.oidc.OpenIDConnectFilter.processFilter(OpenIDConnectFilter.java:50) at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67) at com.sun.proxy.$Proxy485.doFilter(Unknown Source) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:204) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109) at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

I'm consuming a lot of time trying to understand the problem but untill now I was not able to solve it.

I will be really really happy if you can give me some help.

Best
L.

Copied from original issue: gvanderploeg/liferay-oidc-plugin#3

Hello.

I have encountered a problem and I'm not sure why this occures.

I have installed openId connect plugin and configured it for my environment. Now I'm trying to access a private site as a quest(/group/private-site) which should start autologin sequence with openId connect plugin. Now all i get is redirect to /home and Liferay server loops TRACE-message "No current OpenID Connect conversation, no autologin". It seems that this returns null every time.

Map<String, String> userInfo = (Map<String, String>) session.getAttribute( LibFilter.OPENID_CONNECT_SESSION_ATTR);

Where this attribute is set in at firstime and what could be resolve for this problem?

Hi. I am using Liferay 7.0. I installed OpenID Connect plugin and made server configurations as suggested in the tutorial. I am having problem after I enter my credentials at google.com. Google redirects me to this url: http://localhost:8080/c/portal/login?state=662c5b222526addd765996f98be28bde&code=4/nWik7ZbSiVQlqTnOIuBjXlHWfGo0r3Byvf6DhY4-71w&authuser=0&session_state=2558bc254b9a92bc63f1c519851a0a5e6eb82d90..3b22&prompt=none#
But page gives this error: The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

Thank you.

I installed this plugin by liferay marketpalce, but when the installation is completed , I cannot find Instance Settings -> Authentication -> OpenID Connect.
The version of liferay portal is 7.0.4 GA5, and the screenshot is

There is no issue here.