There is one ERROR log showing at the time of passport service start... which doesn't affect overall services. Do you think we should remove this error message? Or should we modify some json config to remove that error totally?

Here is the reference comment: https://support.gluu.org/single-sign-on/5451/passport-service-fails-to-start-after-gluu-startup/#at33776

Currently, to add a new strategy, the passportlogin.xhtml's page has to be edited.

We should provide a more flexible less error prone way. Also not requiring the image to be a PNG with exactly the same name as the provider is useful

Implement new enpoint to trigger Inbound SAML flow

Related #24
See flow diagram here

Upon start and after UMA authz takes place, the following is obtained as response to URL request https://<host>/identity/restv1/passport/config (global.config.passportConfigAPI):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head id="j_idt2">
            <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
            <title>Gluu</title>
            <script type="text/javascript">
                if (top != self)
                    top.location.href = self.document.location;
                if (parent != self)
                    top.location.href = location.href;
                if (top.frames.length != 0)
                    top.location.href = self.document.location;
                if (window != window.top)
                    top.location.href = location.href;
            </script>

            <link rel="shortcut icon" href="/identity/servlet/favicon?v=" />
            <link rel="icon" href="/identity/servlet/favicon?v=" />

            <!-- Stylesheets -->
            <link href="/identity/stylesheet/../theme/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
            <link href="/identity/stylesheet/../theme/dist/css/AdminLTE.min.css" rel="stylesheet" type="text/css" />
            <link href="/identity/stylesheet/../theme/dist/css/skins/_all-skins.min.css" rel="stylesheet" type="text/css" />
            <link href="/identity/stylesheet/../theme/plugins/iCheck/square/blue.css" rel="stylesheet" type="text/css" />
            <link href="/identity/stylesheet/../theme/plugins/morris/morris.css" rel="stylesheet" type="text/css" />
            <link href="/identity/stylesheet/../theme/plugins/datepicker/datepicker3.css" rel="stylesheet" type="text/css" />
            <link href="/identity/stylesheet/../theme/dist/css/custom.css" rel="stylesheet" type="text/css" /><link type="text/css" rel="stylesheet" href="/identity/org.richfaces.resources/javax.faces.resource/org.richfaces/skinning.ecss?db=eAG7dPvZfwAIqAOT" /></head><body class="login-page">
            <div class="wrapper">
        <div class="lockscreen-wrapper" style="text-align: center;">
            <div class="lockscreen-logo" style="margin-bottom: 0px !important;margin-top: 60%;">
                <b style="font-size: 1.7em !important;  color: darkred;">Oops</b>
            </div>
            <!-- User name -->
            <div class="lockscreen-name" style="text-align: center;font-size: 1.2em !important;">Something wrong happened.
                <br /><div id="errorMessage"></div>
                <br />
                <span style="font-size: 14px;">Return to the application using below button.</span>
            </div>


            <a class="btn btn-block btn-primary btn-lg" href="/identity/home" style="width: 60%;">Return</a>

        </div>
            </div>

            <!-- Scripts -->
            <script src="/identity/stylesheet/../theme/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
            <script src="/identity/stylesheet/../theme/dist/js/app.min.js" type="text/javascript"></script>
            <script src="/identity/stylesheet/../theme/plugins/iCheck/icheck.min.js" type="text/javascript"></script></body>
</html>

At the same time, oxTrust shows:

2018-05-28 19:00:14,943 ERROR [qtp1744347043-15] [org.gluu.oxtrust.exception.UncaughtException] (UncaughtException.java:45) - Jersey error.
java.lang.NullPointerException: null
	at org.gluu.oxtrust.ws.rs.passport.PassportRestWebService.getPassportConfig(PassportRestWebService.java:50) ~[classes/:?]
	at org.gluu.oxtrust.ws.rs.passport.PassportRestWebService$Proxy$_$$_WeldClientProxy.getPassportConfig(Unknown Source) ~[classes/:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]

This NPE happens when there are no strategies defined yet

Installed passport in 3.1.4. By default it's running as I said 'yes' at the time of installation.
I added my external IDP in saml config file and went to stop/start passport; but passport didn't start.
I had to remove passport related logs manually to start passport again.
Whole output from terminal is below:

- Ubuntu 16.04
- Gluu Server version: 3.1.4

root@localhost:/etc/gluu/conf# service passport stop
Stopping passport: OK
root@localhost:/etc/gluu/conf# service passport start
Starting passport:
Checking logs for possible errors:
Some error encountered...
See log below: 

2018-10-21T19:11:46+0000 [WARN] Error: Received unexpected HTTP status code of 503
2018-10-21T19:12:46+0000 [WARN] Error: Received unexpected HTTP status code of 503
2018-10-21T19:13:46+0000 [WARN] Error: Received unexpected HTTP status code of 503
2018-10-21T19:14:29+0000 [WARN] Error: Received unexpected HTTP status code of 503

For details please check /opt/gluu/node/passport/server/logs/passport-2018-10-21.log .

Stopping passport: OK

Exiting...
root@localhost:/etc/gluu/conf# rm -f -r /opt/gluu/node/passport/server/logs/
.audit.json              passport-2018-10-21.log  start.log                
root@localhost:/etc/gluu/conf# rm -f -r /opt/gluu/node/passport/server/logs/*
root@localhost:/etc/gluu/conf# ls /opt/gluu/node/passport/server/logs/
root@localhost:/etc/gluu/conf# service passport start
Starting passport:
Checking logs for possible errors:
PID: [18321]
OK Sun Oct 21 19:15:53 UTC 2018
root@localhost:/etc/gluu/conf# service passport status
Node running pid=18321

NODE_HOME     =  /opt/node
NODE_BASE     =  /opt/gluu/node/passport/server
NODE_CONF     =  
NODE_PID_FILE      =  /var/run/passport.pid
NODE_START    =  /opt/gluu/node/passport/server/app.js
NODE_LOGS     =  /opt/gluu/node/passport/server/logs
NODE_STATE    =  /opt/gluu/node/passport/server/passport.state
CLASSPATH      =  
NODE           =  /opt/node/bin/node
NODE_OPTIONS   =  PORT=8090 NODE_ENV=unknown NODE_CONFIG_DIR=/opt/gluu/node/passport/server HOSTNAME=localhost NODE_LOGGING_DIR=/opt/gluu/node/passport/server/logs
NODE_ARGS     =  --max-old-space-size=384
RUN_CMD        =  PORT=8090 NODE_ENV=unknown NODE_CONFIG_DIR=/opt/gluu/node/passport/server HOSTNAME=localhost NODE_LOGGING_DIR=/opt/gluu/node/passport/server/logs /opt/node/bin/node --max-old-space-size=384 /opt/gluu/node/passport/server/app.js

root@localhost:/etc/gluu/conf# 

Right now passport knows about only hardcoded list of user attributes: https://support.gluu.org/single-sign-on/5354/accessing-memberof-in-sso-environment/#at32535

It should should use /etc/gluu/conf/passport-saml-config.json in mapping to allow map any attributes to local user attributes. This mapping should be configurable for each provider. Also we should update mapping to map into Gluu attributes

Also custom script has 2 properties:

generic_remote_attributes_list = username, email, name, name, givenName, familyName, provider, memberOf
generic_local_attributes_list = uid, mail, cn, displayName, givenName, sn, provider, memberOf

I think if passport returns attributes in convenient for Gluu attributes we can make this mapping optional. By default we can use all attributes from request.

It will be great if we can clearly tell user through log if user forget to add remote IDP/OP in passport configuration.

In above scenario, Gluu server is throwing "too many redirects" error which is ambiguous.

Suggestion from customer: https://support.gluu.org/single-sign-on/5453/too-many-redirects-error-if-passport-request-specifies-a-non-existent-idp/#at33402

We already have a working sample

we could make the strategy read parameters like issuer, tokenendpoint, userinfoendpoint from the passport-config (as we already do with clientID, secret)

General description

I'd like to be able to configure inbound OpenId authentication via Google for two separate google domains. I have created applications and obtained clientIds and secrets for both domains. I have passport setup and working. I can add the first google domain under the regular "google" passport strategy, but I can't add a second one with the same strategy name, so I have tried to follow the steps under the "Supporting a new strategy" docs here: https://gluu.org/docs/ce/authn-guide/passport/#supporting-a-new-strategy. But when I add the new strategy in oxTrust, the passport server fails to run and doesn't provide any logging as to why.

Expected Behavior

I can add a second custom passport strategy for a Google app.

Actual Behavior

Adding the new strategy causes the passport server to fail to run.

Steps to reproduce

1. Copy the google.js file under /opt/gluu/node/passport/server/auth to a new file named groundspeed.js.
2. Edit groundspeed.js so that the callbackURL points to a custom url setup in the Google client app (e.g. /passport/auth/groundspeed/callback).
3. Edit configureStrategies.js to import groundspeed.js and check for data.passportStrategies.groundspeed (copy the check for Google and update names accordingly)
4. Edit /opt/gluu/node/passport/server/routes/index.js to import groundspeed.js and add sections to handle the new app callback:

//===================== groundspeed =================
router.get('/auth/groundspeed/callback',
    passportGroundspeed.authenticate('google', {
        failureRedirect: '/passport/login'
    }),
    callbackResponse);

router.get('/auth/groundspeed/:token',
    validateToken,
    passportGroundspeed.authenticate('google', {
        scope: ['profile', 'email']
    }));

6. At this point, everything should still be working. Now add the new strategy to oxTrust under Manage Authentication > Passport Authentication Method. Name the strategy "groundspeed" and enter the client id and secret.
7. At this point, passport should automatically pick up the changes, but it doesn't. If you stop the passport server and try to start it again, it exits but without giving any errors, and passport.log doesn't show an error.

Getting this kind of errors in oxauth_script.log when using passport social and providing an already existing username (thus, the error is presented when trying to update the attributes values coming)

(PythonService.java:209) - Error in update Attribute 'NoneType' object is unsubscriptable 2018-04-20 16:06:53,423 INFO [qtp2008017533-15]

Also getting some attributes with value undefined persisted to LDAP

Context of the problem in this ticket.

After login, one can make a different user being authenticated by issuing a request to the postlogin url supplying an email value.

This causes a new user dummy entry (if the email is not associated to an existing user) or an update to existing user data. Also, after this operation the user (whether added or updated) becomes authenticated.

Implement RequestingPartyId -> OpenID client mapping

We need additional config file to store:
relayingPartyId_1: {oxAuth client details needed for AuthZ},
relayingPartyId_2: {oxAuth client details needed for AuthZ},
relayingPartyId_3: {oxAuth client details needed for AuthZ},

Related #24
See flow diagram here

Align the naming convention of this repo with our other software projects.

In 3.1.3 it POST data to /oxauth/passport/passportpostlogin which converts it to form and resubmits to oxAuth. We can get rid of this data trip.

We should the following:

1. Passport -> /oxauth/postlogin
2. Script parses data and stores in auth session
3. Display user form to enter missing attributes
4. Do Post actions (current code but it should get data from auth session) in script and login.

Passport log is really hard to read.. we should implement some newline, indentation or w/e is required to make it easier.

Here is how it looks like now:

In a cluster, we use ActiveMQ for logging to send messages to a central logging server. Passport needs to support this.

Write new custom script which trust user Profile which Passport send in AuthZ request

Related #24
See flow diagram here

Description

After setting up the inbound saml between Gluu and okta. The SP initiated flow works well.
But the IDP is failing.

See logs:
oxauth.log
oxauth_script.log

for more details.

I got this screen after authenticating by github

Redirect URL is:
https://github.com/login/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fc2.gluu.org%2Fpassport%2Fauth%2Fgithub%2Fcallback&scope=user%3Aemail&client_id=clientID

Currently it is /casa/rest/idp-linking, but it must match that of the REST service for IDP linking used by social plugin in Casa

In last fix of security threat, if email attribute is not present in user profile, authentication fails.

We should introduce step 2 in the cust script flow to gather additional data (similar to how passportpostlogin page did previously)

We might introduce suggestions of team members on how to handle this, eg. the "emailLinkingSafe" flag

W need to improve logging

1. App should use "node.logging.dir" param if it exists to specify right place of logs
2. We need to rename logs.log to passport.log
3. We need to add new log "stderrout.log" to log into it standart console messages
4. Can we do logrotate on daily basis from node?
   We need to do lograte:

• passport.log
• stderrout.log

Passport-SAML supports a few useful options, for example, forceAuthn or identifierFormat. Is there a way to ad hoc configure extra options?

The error on this line https://github.com/GluuFederation/gluu-passport/blob/version_3.1.4/server/routes/index.js#L158 is not explicit enough to even begin to troubleshoot for end-users. We need to find a way to supply more information.

UMA 1.0 is deprecated. We remove it in CE 3.1.0

Description

Currently the dropbox module use in passport is using the old dropbox api that is no more supported by Dropbox.

We should use the passport-dropbox-oauth2 instead.

We have to consider adding support for the need described in this support ticket.

Currently both SP and IDP have to stop and manually reconfigure with the renewed cert.

Some IDP's may want to encrypt the response. If this is the case, Passport will have to generate a private key, and share the corresponding public key with the IDP. It would be ok if passport uses the same private key and public key for all inbound SAML transactions. Perhaps these should be generated automatically when setup.py is run. Passport should not use a keypair generated for a different service.

Passport-saml already defines decryptionPvk and decryptionCert

NOTE: We do not want to encrypt the request. There is no point spoofing a request, because the response is always sent to the pre-registered callback URL.

Description of problem in this ticket.

For better user experience passport should re-try initialization on request.

Now it do this at startup. As result service fails and admin should restart it manually after enabling passport in GUI.

This seems to be a required element for Passport, but has no functional use from what I can tell. the /etc/init.d/passport script inside the Gluu chroot needs to be adjusted to point to passport.log once this issue is closed #48.

Passport uses winston for logging. The acceptable level is currently hardcoded at utils/logger.js

We should move this to the config file so users don't have to alter the code to tweak such a common behaviour.

In this issue I will list improvements related to logging (applicable for any passport-related repo). There are some logging-issues already opened (eg #32, #25). but I would like to have all new ones here.

You can add your own ideas/needs in this issue

We should:

• use a daily log (currenlty a new one created every hour) [DONE]
• Not printing the whole EntityDescriptor tag for saml IDPs (saml.js). At least not in INFO level [DONE]
• Promote silly to debug, debug to verbose, etc.. [DONE]
• Wrap in a single function the call to winston and MQ logger [DONE]

Context info:
ticket 5354
ticket 5669

Also need to assess how actual attribute updates takes place (full replacement, incremental... ?)

Prepare AuthZ request and send user profile as signed JWT via custom parameter
Example: https://github.com/GluuFederation/oxTrust/blob/master/saml-openid-auth-client/src/main/java/org/gluu/oxauth/client/authentication/AuthenticationFilter.java#L183

Related #24
See flow diagram here

Steps:

1. Follow https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#enable-passport steps up to Register external IDPs with home IDP
2. In passport-saml-config.json paste the example JSON given for 2 external IDPs and save the file
3. Restart passport
4. Try to log in to oxTrust

Expected: Shouldn't there be an Oops screen?
Actual: The message says login.errorSessionInvalidMessage

passport-2018-09-10.log.tar.gz
oxauth.log.tar.gz

We need it to allow do offline installation. Jenkins job should put this file into https://ox.gluu.org/npm/passport/

In docker environment, it's easier to check logs via stdout. This is an example on how we patch logger.js to use console instead of rotated file: https://github.com/GluuFederation/docker-oxPassport/blob/0129ae05059e71f87063c936418f9aff903a4f35/logger.js#L38.

One of the reasons why we prefer stdout is because we want to utilize external tools such as fluentd, logstash, filebeat, etc, to retrieve logs and transport them to another backend.

We would like to see built-in support for stdout transport for our usecase.

This is how it looks like now,

We need to prepare a doc how we can replace / update those logo of External Providers

Currently Passport will log in this format passport-$DATE.log, e.g passport-2018-10-06.log, and there is no central location for current logs, as is standard with oxAuth (oxauth.log), oxTrust (oxtrust.log), etc. Passport should be logged as passport.log and archived as passport-$DATE.log for ease of operations going forward.

An inbound IDP that sends an identity assertion may have authenticated a user sometime in the past. This information is normally sent as part of the identity assertion, whether that's a SAML assertion, an id_token, or some other proprietary format.

The length of such a "timeout" should be configurable. The default timeout should be one hour.

This is similar to issue GluuFederation/gluu-Asimba#44

The issue in #13 is still unresolved. You can impersonate every user if the email address, user id and user name is provided in the POST parameters. All three values are public knowledge.

1. Enable passport social following this documentation
2. Login with external provider (I verified with google and github)
   After providing valid credential, User is getting redirected to {Gluu}/oxauth/postlogin and giving 404

According to internal team discussions, IDP-initiated needs different kind of adjustments. For instance:

1. Honor relaystate param
2. Use an oxauth's custom authz req param instead of state to pass profile
3. Allow different final redirect URLs

Doing QA for 3.1.4 team members have found errors of this nature when starting passport

Error: Cannot find module 'passport-dropbox-oauth2'

Sometimes with other modules like passport-openidconnect, express, winston-daily-rotate-file, dateformat.

They resorted to using npm install <package-name> –save

Currently passportexternalauthenticator.py and samlpassportauthenticator.py are almost identical.
Flows (https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#sequence-diagram and https://github.com/GluuFederation/gluu-passport#sequence-diagram) are similar as well.

The prepareForStep method needs work and has brought a lot of confusion. See also GluuFederation/oxAuth#816

Current passport authentication script don't validate if it trigger passport authentication or not Before redirecting to passport it should generate token and send it to passport. Passport should send it back with response to allow validate it.

Also passport sends user profile in JSON format. We should use JWT signed token for this.

We also can use nonce and return back it in JWT to to mitigate replay attacks.

Description

Passport social show empty page when the email is already register

Step to reproduce

Given you have the same email for linkedIn and Github

1. Configure Linkedin strategy
2. Configure Github strategy
3. Use LinkedIn to login
4. Try use Gitbub to login

Expected: A message/popup will show up saying the account linking is not enable
Actual: An empty page.

When passport start fail due to error like:

2018-04-10T04:30:30+0000 [INFO] UMAConfigurations were received
2018-04-10T04:30:30+0000 [ERROR] Error in starting the server. error:-  https://u144.gluu.info/oxauth/restv1/token

It should return no zero exit code to notify startup script

A couple of tickets makes me thing there are a couple of flaws in passport config file regarding to how certain values are structured, for instance:

• additionalAuthorizeParams (6046)

• skipRequestCompression (6374)