gluufederation / gluu-passport
Gluu interface to Passport.js to support social login and inbound identity.
License: Apache License 2.0
There is one ERROR log showing at the time of passport service start... which doesn't affect overall services. Do you think we should remove this error message? Or should we modify some json config to remove that error totally?
Here is the reference comment: https://support.gluu.org/single-sign-on/5451/passport-service-fails-to-start-after-gluu-startup/#at33776
Currently, to add a new strategy, the passportlogin.xhtml page has to be edited.
We should provide a more flexible, less error-prone way. Also, not requiring the image to be a PNG with exactly the same name as the provider would be useful.
Upon start and after UMA authz takes place, the following is obtained as the response to the URL request https://<host>/identity/restv1/passport/config (global.config.passportConfigAPI):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head id="j_idt2">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Gluu</title>
<script type="text/javascript">
if (top != self)
top.location.href = self.document.location;
if (parent != self)
top.location.href = location.href;
if (top.frames.length != 0)
top.location.href = self.document.location;
if (window != window.top)
top.location.href = location.href;
</script>
<link rel="shortcut icon" href="/identity/servlet/favicon?v=" />
<link rel="icon" href="/identity/servlet/favicon?v=" />
<!-- Stylesheets -->
<link href="/identity/stylesheet/../theme/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
<link href="/identity/stylesheet/../theme/dist/css/AdminLTE.min.css" rel="stylesheet" type="text/css" />
<link href="/identity/stylesheet/../theme/dist/css/skins/_all-skins.min.css" rel="stylesheet" type="text/css" />
<link href="/identity/stylesheet/../theme/plugins/iCheck/square/blue.css" rel="stylesheet" type="text/css" />
<link href="/identity/stylesheet/../theme/plugins/morris/morris.css" rel="stylesheet" type="text/css" />
<link href="/identity/stylesheet/../theme/plugins/datepicker/datepicker3.css" rel="stylesheet" type="text/css" />
<link href="/identity/stylesheet/../theme/dist/css/custom.css" rel="stylesheet" type="text/css" /><link type="text/css" rel="stylesheet" href="/identity/org.richfaces.resources/javax.faces.resource/org.richfaces/skinning.ecss?db=eAG7dPvZfwAIqAOT" /></head><body class="login-page">
<div class="wrapper">
<div class="lockscreen-wrapper" style="text-align: center;">
<div class="lockscreen-logo" style="margin-bottom: 0px !important;margin-top: 60%;">
<b style="font-size: 1.7em !important; color: darkred;">Oops</b>
</div>
<!-- User name -->
<div class="lockscreen-name" style="text-align: center;font-size: 1.2em !important;">Something wrong happened.
<br /><div id="errorMessage"></div>
<br />
<span style="font-size: 14px;">Return to the application using below button.</span>
</div>
<a class="btn btn-block btn-primary btn-lg" href="/identity/home" style="width: 60%;">Return</a>
</div>
</div>
<!-- Scripts -->
<script src="/identity/stylesheet/../theme/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
<script src="/identity/stylesheet/../theme/dist/js/app.min.js" type="text/javascript"></script>
<script src="/identity/stylesheet/../theme/plugins/iCheck/icheck.min.js" type="text/javascript"></script></body>
</html>
At the same time, oxTrust shows:
2018-05-28 19:00:14,943 ERROR [qtp1744347043-15] [org.gluu.oxtrust.exception.UncaughtException] (UncaughtException.java:45) - Jersey error.
java.lang.NullPointerException: null
at org.gluu.oxtrust.ws.rs.passport.PassportRestWebService.getPassportConfig(PassportRestWebService.java:50) ~[classes/:?]
at org.gluu.oxtrust.ws.rs.passport.PassportRestWebService$Proxy$_$$_WeldClientProxy.getPassportConfig(Unknown Source) ~[classes/:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]
This NPE happens when there are no strategies defined yet
Installed passport in 3.1.4. By default it's running, as I said 'yes' at the time of installation.
I added my external IDP in the saml config file and went to stop/start passport; but passport didn't start.
I had to remove the passport related logs manually to start passport again.
The whole output from the terminal is below:
- Ubuntu 16.04
- Gluu Server version: 3.1.4
root@localhost:/etc/gluu/conf# service passport stop
Stopping passport: OK
root@localhost:/etc/gluu/conf# service passport start
Starting passport:
Checking logs for possible errors:
Some error encountered...
See log below:
2018-10-21T19:11:46+0000 [WARN] Error: Received unexpected HTTP status code of 503
2018-10-21T19:12:46+0000 [WARN] Error: Received unexpected HTTP status code of 503
2018-10-21T19:13:46+0000 [WARN] Error: Received unexpected HTTP status code of 503
2018-10-21T19:14:29+0000 [WARN] Error: Received unexpected HTTP status code of 503
For details please check /opt/gluu/node/passport/server/logs/passport-2018-10-21.log .
Stopping passport: OK
Exiting...
root@localhost:/etc/gluu/conf# rm -f -r /opt/gluu/node/passport/server/logs/
.audit.json passport-2018-10-21.log start.log
root@localhost:/etc/gluu/conf# rm -f -r /opt/gluu/node/passport/server/logs/*
root@localhost:/etc/gluu/conf# ls /opt/gluu/node/passport/server/logs/
root@localhost:/etc/gluu/conf# service passport start
Starting passport:
Checking logs for possible errors:
PID: [18321]
OK Sun Oct 21 19:15:53 UTC 2018
root@localhost:/etc/gluu/conf# service passport status
Node running pid=18321
NODE_HOME = /opt/node
NODE_BASE = /opt/gluu/node/passport/server
NODE_CONF =
NODE_PID_FILE = /var/run/passport.pid
NODE_START = /opt/gluu/node/passport/server/app.js
NODE_LOGS = /opt/gluu/node/passport/server/logs
NODE_STATE = /opt/gluu/node/passport/server/passport.state
CLASSPATH =
NODE = /opt/node/bin/node
NODE_OPTIONS = PORT=8090 NODE_ENV=unknown NODE_CONFIG_DIR=/opt/gluu/node/passport/server HOSTNAME=localhost NODE_LOGGING_DIR=/opt/gluu/node/passport/server/logs
NODE_ARGS = --max-old-space-size=384
RUN_CMD = PORT=8090 NODE_ENV=unknown NODE_CONFIG_DIR=/opt/gluu/node/passport/server HOSTNAME=localhost NODE_LOGGING_DIR=/opt/gluu/node/passport/server/logs /opt/node/bin/node --max-old-space-size=384 /opt/gluu/node/passport/server/app.js
root@localhost:/etc/gluu/conf#
Right now passport knows about only a hardcoded list of user attributes: https://support.gluu.org/single-sign-on/5354/accessing-memberof-in-sso-environment/#at32535
It should use /etc/gluu/conf/passport-saml-config.json in the mapping to allow mapping any attributes to local user attributes. This mapping should be configurable for each provider. Also we should update the mapping to map into Gluu attributes.
Also the custom script has 2 properties:
generic_remote_attributes_list = username, email, name, name, givenName, familyName, provider, memberOf
generic_local_attributes_list = uid, mail, cn, displayName, givenName, sn, provider, memberOf
I think if passport returns attributes in a form convenient for Gluu attributes we can make this mapping optional. By default we can use all attributes from the request.
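An added example (written for this page, not code from the gluu-passport repo or the custom script) of how a configurable, per-provider mapping could replace the two hardcoded lists: the default mapping is built from the generic_remote_attributes_list/generic_local_attributes_list pairs exactly as quoted above, a provider entry may override it, and attributes whose remote value is missing are dropped rather than written as undefined (the problem reported in a later issue on this page). The config layout config.providers[id].attributeMapping is an assumption and not the actual passport-saml-config.json schema.

```javascript
'use strict';

// Constructed defaults copied from the custom script properties quoted above:
// position i of the remote list maps to position i of the local list.
const DEFAULT_REMOTE = ['username', 'email', 'name', 'name', 'givenName', 'familyName', 'provider', 'memberOf'];
const DEFAULT_LOCAL  = ['uid', 'mail', 'cn', 'displayName', 'givenName', 'sn', 'provider', 'memberOf'];

// Turn the two parallel lists into { remoteAttr: [localAttr, ...] }.
// 'name' appears twice on the remote side, so one remote attribute may feed
// several local attributes; targets are therefore collected in arrays.
function zipMapping(remote, local) {
  if (remote.length !== local.length) {
    throw new Error('remote and local attribute lists differ in length');
  }
  const mapping = {};
  remote.forEach((r, i) => {
    if (!mapping[r]) mapping[r] = [];
    mapping[r].push(local[i]);
  });
  return mapping;
}

const DEFAULT_MAPPING = zipMapping(DEFAULT_REMOTE, DEFAULT_LOCAL);

// Hypothetical per-provider config (assumption, not the real
// passport-saml-config.json layout): config.providers[id].attributeMapping is
// { remoteAttr: localAttr } or { remoteAttr: [localAttr, ...] }.
function mappingFor(config, providerId) {
  const providers = config.providers || {};
  const provider = providers[providerId] || {};
  if (!provider.attributeMapping) return DEFAULT_MAPPING;
  const mapping = {};
  for (const [remote, local] of Object.entries(provider.attributeMapping)) {
    mapping[remote] = Array.isArray(local) ? local : [local];
  }
  return mapping;
}

function isMissing(value) {
  return value === undefined || value === null || value === '' ||
    (Array.isArray(value) && value.length === 0);
}

// Map a profile returned by a passport strategy to local (Gluu) attribute
// names. Remote attributes that are absent or empty are skipped, so the
// literal value undefined is never handed to the custom script for persistence.
function mapProfile(profile, config, providerId) {
  const mapping = mappingFor(config, providerId);
  const local = { provider: providerId };
  for (const [remote, targets] of Object.entries(mapping)) {
    const value = profile[remote];
    if (isMissing(value)) continue;
    for (const target of targets) local[target] = value;
  }
  return local;
}
```

With no provider override, mapProfile behaves exactly like the two lists in the custom script; with an override such as an Okta entry mapping urn:oid:2.5.4.42 to givenName, only the listed attributes are copied, and memberOf is carried through only when the IDP actually sent it.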
It will be great if we can clearly tell the user through the log if the user forgot to add the remote IDP/OP in the passport configuration.
In the above scenario, Gluu server is throwing a "too many redirects" error which is ambiguous.
Suggestion from customer: https://support.gluu.org/single-sign-on/5453/too-many-redirects-error-if-passport-request-specifies-a-non-existent-idp/#at33402
We already have a working sample.
We could make the strategy read parameters like issuer, tokenendpoint, userinfoendpoint from the passport-config (as we already do with clientID, secret).
I'd like to be able to configure inbound OpenId authentication via Google for two separate google domains. I have created applications and obtained clientIds and secrets for both domains. I have passport setup and working. I can add the first google domain under the regular "google" passport strategy, but I can't add a second one with the same strategy name, so I have tried to follow the steps under the "Supporting a new strategy" docs here: https://gluu.org/docs/ce/authn-guide/passport/#supporting-a-new-strategy. But when I add the new strategy in oxTrust, the passport server fails to run and doesn't provide any logging as to why.
Expected: I can add a second custom passport strategy for a Google app.
Actual: Adding the new strategy causes the passport server to fail to run.
Steps:
1. Copy the google.js file under /opt/gluu/node/passport/server/auth to a new file named groundspeed.js.
2. Edit groundspeed.js so that the callbackURL points to a custom url set up in the Google client app (e.g. /passport/auth/groundspeed/callback).
3. Edit configureStrategies.js to import groundspeed.js and check for data.passportStrategies.groundspeed (copy the check for Google and update names accordingly).
4. Edit /opt/gluu/node/passport/server/routes/index.js to import groundspeed.js and add sections to handle the new app callback:
//===================== groundspeed =================
router.get('/auth/groundspeed/callback',
    passportGroundspeed.authenticate('google', {
        failureRedirect: '/passport/login'
    }),
    callbackResponse);
router.get('/auth/groundspeed/:token',
    validateToken,
    passportGroundspeed.authenticate('google', {
        scope: ['profile', 'email']
    }));
5. In oxTrust, go to Manage Authentication > Passport Authentication Method. Name the strategy "groundspeed" and enter the client id and secret.
passport.log doesn't show an error.
Getting this kind of error in oxauth_script.log when using passport social and providing an already existing username (thus, the error is presented when trying to update the attribute values coming in):
(PythonService.java:209) - Error in update Attribute 'NoneType' object is unsubscriptable 2018-04-20 16:06:53,423 INFO [qtp2008017533-15]
Also getting some attributes with value undefined persisted to LDAP.
Context of the problem in this ticket.
After login, one can make a different user become authenticated by issuing a request to the postlogin url supplying an email value.
This causes a new dummy user entry (if the email is not associated to an existing user) or an update to existing user data. Also, after this operation the user (whether added or updated) becomes authenticated.
Implement RequestingPartyId -> OpenID client mapping
We need an additional config file to store:
relyingPartyId_1: {oxAuth client details needed for AuthZ},
relyingPartyId_2: {oxAuth client details needed for AuthZ},
relyingPartyId_3: {oxAuth client details needed for AuthZ},
Align the naming convention of this repo with our other software projects.
In 3.1.3 it POSTs data to /oxauth/passport/passportpostlogin which converts it to a form and resubmits to oxAuth. We can get rid of this data trip.
We should use the following: /oxauth/postlogin
In a cluster, we use ActiveMQ for logging to send messages to a central logging server. Passport needs to support this.
After setting up the inbound SAML between Gluu and Okta, the SP-initiated flow works well, but the IDP one is failing.
See logs oxauth.log and oxauth_script.log for more details.
I got this screen after authenticating by github
Redirect URL is:
https://github.com/login/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fc2.gluu.org%2Fpassport%2Fauth%2Fgithub%2Fcallback&scope=user%3Aemail&client_id=clientID
Currently it is /casa/rest/idp-linking, but it must match that of the REST service for IDP linking used by the social plugin in Casa.
In the last fix of the security threat, if the email attribute is not present in the user profile, authentication fails.
We should introduce step 2 in the cust script flow to gather additional data (similar to how the passportpostlogin page did previously).
We might introduce suggestions of team members on how to handle this, e.g. the "emailLinkingSafe" flag.
We need to improve logging.
Passport-SAML supports a few useful options, for example, forceAuthn or identifierFormat. Is there a way to ad hoc configure extra options?
The error on this line https://github.com/GluuFederation/gluu-passport/blob/version_3.1.4/server/routes/index.js#L158 is not explicit enough to even begin to troubleshoot for end-users. We need to find a way to supply more information.
UMA 1.0 is deprecated. We removed it in CE 3.1.0.
Currently the dropbox module used in passport is using the old dropbox api that is no longer supported by Dropbox.
We should use passport-dropbox-oauth2 instead.
We have to consider adding support for the need described in this support ticket.
Currently both SP and IDP have to be stopped and manually reconfigured with the renewed cert.
Some IDPs may want to encrypt the response. If this is the case, Passport will have to generate a private key, and share the corresponding public key with the IDP. It would be ok if passport uses the same private key and public key for all inbound SAML transactions. Perhaps these should be generated automatically when setup.py is run. Passport should not use a keypair generated for a different service.
Passport-saml already defines decryptionPvk and decryptionCert.
NOTE: We do not want to encrypt the request. There is no point spoofing a request, because the response is always sent to the pre-registered callback URL.
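As an added example (not the project's code) addressing both the earlier question about ad hoc passport-saml options such as forceAuthn and identifierFormat and the decryption key pair discussed here: the function below assembles the passport-saml Strategy options for one IDP from a provider entry, attaches passport's own decryptionPvk/decryptionCert, and passes through only an allow-list of optional settings, so that a stray key in a config entry cannot silently override the IDP signing cert or the callback URL. The provider entry layout, the spKeys object and the callback path pattern are assumptions; the option names themselves are the ones passport-saml's Strategy accepts.

```javascript
'use strict';

// passport-saml Strategy options an admin might reasonably set per IDP.
// Anything not listed is reported back instead of being passed through blindly.
const PASSTHROUGH = new Set([
  'forceAuthn', 'identifierFormat', 'authnContext', 'disableRequestedAuthnContext',
  'signatureAlgorithm', 'acceptedClockSkewMs', 'validateInResponseTo',
]);

// Assumed provider entry (not the layout of /etc/gluu/conf/passport-saml-config.json):
//   { entryPoint, issuer, cert, callbackUrl?, options?: { forceAuthn: true, ... } }
// spKeys = { decryptionPvk, decryptionCert } as PEM strings, generated once for
// passport itself rather than borrowed from another service.
function buildSamlOptions(providerId, provider, spKeys, allowed = PASSTHROUGH) {
  for (const key of ['entryPoint', 'issuer', 'cert']) {
    if (!provider[key]) {
      throw new Error(`provider ${providerId}: missing required "${key}"`);
    }
  }
  const opts = {
    entryPoint: provider.entryPoint,
    issuer: provider.issuer,
    // The IDP signing certificate: every response is verified against it, so it
    // is deliberately not overridable through the free-form options block.
    cert: provider.cert,
    // Assumed callback pattern; adjust to the route actually mounted.
    callbackUrl: provider.callbackUrl || `/passport/auth/saml/${providerId}/callback`,
  };
  if (spKeys && spKeys.decryptionPvk) {
    opts.decryptionPvk = spKeys.decryptionPvk;   // lets passport-saml decrypt EncryptedAssertion
    opts.decryptionCert = spKeys.decryptionCert; // the public half, published in SP metadata
  }
  const extra = provider.options || {};
  const rejected = [];
  for (const [key, value] of Object.entries(extra)) {
    if (allowed.has(key)) opts[key] = value;
    else rejected.push(key);
  }
  return { opts, rejected };
}
```

The caller would do `new SamlStrategy(opts, verify)` and log `rejected` at startup, which also gives the operator a clear message when a provider entry carries a misspelled or unsupported option.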
Description of the problem in this ticket.
For a better user experience passport should retry initialization on request.
Now it does this at startup. As a result the service fails and the admin has to restart it manually after enabling passport in the GUI.
This seems to be a required element for Passport, but has no functional use from what I can tell. The /etc/init.d/passport script inside the Gluu chroot needs to be adjusted to point to passport.log once issue #48 is closed.
Passport uses winston for logging. The acceptable level is currently hardcoded at utils/logger.js
We should move this to the config file so users don't have to alter the code to tweak such a common behaviour.
In this issue I will list improvements related to logging (applicable for any passport-related repo). There are some logging-issues already opened (eg #32, #25). but I would like to have all new ones here.
You can add your own ideas/needs in this issue
We should:
- Not log the EntityDescriptor tag for saml IDPs (saml.js), at least not at INFO level [DONE]
- Change silly to debug, debug to verbose, etc. [DONE]
Context info:
ticket 5354
ticket 5669
Also need to assess how actual attribute updates take place (full replacement, incremental... ?)
Prepare AuthZ request and send user profile as signed JWT via custom parameter
Example: https://github.com/GluuFederation/oxTrust/blob/master/saml-openid-auth-client/src/main/java/org/gluu/oxauth/client/authentication/AuthenticationFilter.java#L183
Steps:
Expected: Shouldn't there be an Oops screen?
Actual: The message says login.errorSessionInvalidMessage
We need it to allow offline installation. The Jenkins job should put this file into https://ox.gluu.org/npm/passport/
In a docker environment, it's easier to check logs via stdout. This is an example of how we patch logger.js to use console instead of a rotated file: https://github.com/GluuFederation/docker-oxPassport/blob/0129ae05059e71f87063c936418f9aff903a4f35/logger.js#L38.
One of the reasons why we prefer stdout is because we want to utilize external tools such as fluentd, logstash, filebeat, etc., to retrieve logs and transport them to another backend.
We would like to see built-in support for a stdout transport for our use case.
Currently Passport will log in this format: passport-$DATE.log, e.g. passport-2018-10-06.log, and there is no central location for current logs, as is standard with oxAuth (oxauth.log), oxTrust (oxtrust.log), etc. Passport should log to passport.log and archive as passport-$DATE.log for ease of operations going forward.
An inbound IDP that sends an identity assertion may have authenticated a user sometime in the past. This information is normally sent as part of the identity assertion, whether that's a SAML assertion, an id_token, or some other proprietary format.
The length of such a "timeout" should be configurable. The default timeout should be one hour.
This is similar to issue GluuFederation/gluu-Asimba#44
The issue in #13 is still unresolved. You can impersonate every user if the email address, user id and user name is provided in the POST parameters. All three values are public knowledge.
According to internal team discussions, IDP-initiated needs different kind of adjustments. For instance:
Doing QA for 3.1.4, team members have found errors of this nature when starting passport:
Error: Cannot find module 'passport-dropbox-oauth2'
Sometimes with other modules like passport-openidconnect, express, winston-daily-rotate-file, dateformat.
They resorted to using npm install <package-name> --save
Currently passportexternalauthenticator.py and samlpassportauthenticator.py are almost identical.
Flows (https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#sequence-diagram and https://github.com/GluuFederation/gluu-passport#sequence-diagram) are similar as well.
The prepareForStep method needs work and has brought a lot of confusion. See also GluuFederation/oxAuth#816
The current passport authentication script doesn't validate whether it triggered passport authentication or not. Before redirecting to passport it should generate a token and send it to passport. Passport should send it back with the response to allow validating it.
Also passport sends the user profile in JSON format. We should use a signed JWT token for this.
We can also use a nonce and return it back in the JWT to mitigate replay attacks.
Passport social shows an empty page when the email is already registered.
Given you have the same email for LinkedIn and Github:
Expected: A message/popup will show up saying the account linking is not enabled.
Actual: An empty page.
When passport startup fails due to an error like:
2018-04-10T04:30:30+0000 [INFO] UMAConfigurations were received
2018-04-10T04:30:30+0000 [ERROR] Error in starting the server. error:- https://u144.gluu.info/oxauth/restv1/token
it should return a non-zero exit code to notify the startup script.