
Comments (8)

lcrilly avatar lcrilly commented on May 28, 2024

Here is the relevant line from the error log

2021/12/08 16:29:25 [error] 21314#21314: *2 js: OIDC error from IdP when sending authorization code: invalid_client, Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.

Check your client authentication settings.

from nginx-openid-connect.

wongkeewee avatar wongkeewee commented on May 28, 2024

Hi @lcrilly,

Thanks for the response.

Yes, but from the request above, it is sending the wrong Client ID and Secret (the default Client ID and Secret weren't sanitized in my logs, only the hostnames and the actual Client ID/Secret) to my IDP:

2021/12/08 16:29:25 [debug] 21314#21314: *2 http proxy header:
"POST /oxauth/restv1/token HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: sso.company.com
Connection: close
Content-Length: 175
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br
Accept-Language: en-SG,en;q=0.9
Cookie: auth_redir=/htvar/ugly.jsp; auth_nonce=85e6aa6169ae466048c5672482f4d03d

grant_type=authorization_code&client_id=my-client-id&code=b8bbd874-6eab-4282-b755-8501025ba68e&client_secret=my-client-secret&redirect_uri=https://rp.company.com:443/_codexch"

This seems to be from the default mappings

...
map $uri $oidc_client {
    ~^/htvar/(.*)$ client-id-aaa;

    default "my-client-id";
}


...

map $uri $oidc_client_secret {
    ~^/htvar/(.*)$ "client-secret-aaa";

    default "my-client-secret";
}
...

The logs on my IDP side are also showing the invalid client id:

2021-12-08 16:29:25,964 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.service.ClientService] (ClientService.java:136) - Found 0 entries for client id = my-client-id
2021-12-08 16:29:25,964 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:109) - Starting token endpoint authentication
2021-12-08 16:29:25,965 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:125) - Starting POST Auth token endpoint authentication
2021-12-08 16:29:25,965 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:331) - requireAuth: 'true'
2021-12-08 16:29:25,967 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.service.ClientService] (ClientService.java:136) - Found 0 entries for client id = my-client-id
2021-12-08 16:29:25,968 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:68) - Looking for the error with id: invalid_client
2021-12-08 16:29:25,968 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:73) - Found error, id: invalid_client


tippexs avatar tippexs commented on May 28, 2024

Hi @wongkeewee , thanks for reporting that issue in that detail! That definitely helped us to investigate the issue.

As the value assigned by a map is only assigned once the variable is used in the Nginx configuration (different from the set directive), the oidc_client variable will be set correctly to your desired value client-id-aaa, as the uri of your initial request is /htvar/ugly.jsp. BUT as soon as our OIDC implementation hits the _token location, due to an internal subrequest, the uri changes and the value will be reassigned to the default one. This can be tracked down in the logs as well:

Before the subrequest:

2021/12/08 16:29:25 [debug] 21314#21314: *2 http process request line
2021/12/08 16:29:25 [debug] 21314#21314: *2 http request line: "GET /htvar/ugly.jsp HTTP/1.1"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http uri: "/htvar/ugly.jsp"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http args: ""
2021/12/08 16:29:25 [debug] 21314#21314: *2 http exten: "jsp"
....
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http script var: "/htvar/ugly.jsp"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map: "/htvar/ugly.jsp" "client-id-aaa"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started

After the subrequest to _token

2021/12/08 16:29:25 [debug] 21314#21314: *2 test location: "_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 using configuration "=/_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http cl:-1 max:1048576
2021/12/08 16:29:25 [debug] 21314#21314: *2 rewrite phase: 3
2021/12/08 16:29:25 [debug] 21314#21314: *2 post rewrite phase: 4
....
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http script var: "/_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map: "/_token" "my-client-id"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started

As you can see, the value of your client-id has changed because the value of uri has changed as well.

I have created a small fix for this problem but need to test it, or I would kindly ask you to give it a try. The solution is that we have to make sure the uri is kind of fixed to the value from before the internal subrequest.

#js_var can hold variable values even over the boundaries of sub requests.
#persist the value of `uri` to make it available to the map in the subrequest.
js_var $ruri $uri;

map $ruri $oidc_client {
  /test "oidc-test-realm";
  /aaa "oidc-aaa-realm";
  default "oidc-default";
}

server {
 listen 9001;


 location / {
  js_content oidc.test;
 }

 location /_token {
   internal;
   return 200 $oidc_client;
 }


}

As you can see, I have just introduced another variable, ruri, set by js_var. Use the newly created variable ruri in the map. My test proved it will then use the original URI to look up the map.

$ curl 127.1:9001/test

oidc-test-realm

Let me know if this works for you.
Cheers Timo


wongkeewee avatar wongkeewee commented on May 28, 2024

Hi @tippexs,

Thanks for the response!

Finally got a chance to test this out after the meltdown of the past couple of days.

I've configured the js_var and $ruri in the openid_connect_configuration.conf file:

#js_var can hold variable values even over the boundaries of sub requests.
#persist the value of `uri` to make it available to the map in the subrequest.
js_var $ruri $uri;  
...
map $ruri $oidc_client {
    ~^/htvar/(.*)$ "client-id-aaa";

    default "my-client-id";
}

map $ruri $oidc_client_secret {
    ~^/htvar/(.*)$ "client-secret-aaa";

    default "my-client-secret";
}


map $ruri $oidc_scopes {
    ~^/htvar/(.*)$ "openid+profile+email+user_name+user_role+user_type";
    default "openid+profile+email+offline_access";
}

However, the _codexch is still throwing the same error and the IDP is still seeing my-client-id

Did I apply the configuration in the correct place, i.e. openid_connect_configuration.conf?
Or is the $ruri variable overwritten every time there is a new request, and should I put the js_var $ruri $uri; line somewhere else?


wongkeewee avatar wongkeewee commented on May 28, 2024

Hi @tippexs,

I have configured the $ruri variable in our conf file, but the $ruri is still picking up the current URI and not mapping to the correct configuration.

Is there a specific location I need to place the js_var $ruri $uri; configuration in?


tippexs avatar tippexs commented on May 28, 2024

The js_var $ruri $uri; can be set anywhere in the http context of your configuration. Can you please share the debug log one more time? If possible, upload it to a gist and share the link here, as debug logs can become quite large. Thanks


wongkeewee avatar wongkeewee commented on May 28, 2024

Hi @tippexs,

I have configured openid_connect_configuration.conf as follows:

# OpenID Connect configuration
#
# Each map block allows multiple values so that multiple IdPs can be supported,
# the $host variable is used as the default input parameter but can be changed.
#

#js_var can hold variable values even over the boundaries of sub requests.
#persist the value of `uri` to make it available to the map in the subrequest.
js_var $ruri $uri;

map $host $oidc_authz_endpoint {
    rp.minkhang.com https://gluu-ppl.azlabs.sg/oxauth/restv1/authorize;

    default "http://gluu-ppl.azlabs.sg/oxauth/restv1/authorize";
    #www.example.com "https://my-idp/oauth2/v1/authorize";
}

map $host $oidc_token_endpoint {
    rp.minkhang.com https://gluu-ppl.azlabs.sg/oxauth/restv1/token;

    default "https://gluu-ppl.azlabs.sg/oxauth/restv1/token";
}

map $host $oidc_jwt_keyfile {
    rp.minkhang.com https://gluu-ppl.azlabs.sg/oxauth/restv1/jwks;

    default "http://gluu-ppl.azlabs.sg/oxauth/restv1/jwks";
}

#map $host $oidc_client {
map $ruri $oidc_client {
    ~^/htvar/(.*)$ "client-id-aaa";
    #rp.minkhang.com "client-id-aaa";

    default "my-client-id";
}


map $host $oidc_pkce_enable {
    default 0;
}

#map $host $oidc_client_secret {
map $ruri $oidc_client_secret {
    ~^/htvar/(.*)$ "client-secret-aaa";
    #rp.minkhang.com "client-secret-aaa";

    default "my-client-secret";
}


#map $host $oidc_scopes {
map $ruri $oidc_scopes {
    ~^/htvar/(.*)$ "openid+profile+email+user_name+user_role+user_type";
    #rp.minkhang.com "openid+profile+email+user_name+user_role+user_type";
    default "openid+profile+email+offline_access";
}


map $host $oidc_logout_redirect {
    # Where to send browser after requesting /logout location. This can be
    # replaced with a custom logout page, or complete URL.
    rp.minkhang.com "https://gluu-ppl.azlabs.sg/oxauth/restv1/end_session?post_logout_redirect_uri=https%3A%2F%2Frp.minkhang.com%2Fhtvar%2F";
    default "/_logout"; # Built-in, simple logout page
}

map $host $oidc_hmac_key {
    rp.minkhang.com sV5IAum4OrMNpOs2rK4EfMLF;

    # This should be unique for every NGINX instance/cluster
    default "ChangeMe";
}

map $proto $oidc_cookie_flags {
    http  "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
    https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}

map $http_x_forwarded_port $redirect_base {
    ""      $proto://$host:$server_port;
    default $proto://$host:$http_x_forwarded_port;
}

map $http_x_forwarded_proto $proto {
    ""      $scheme;
    default $http_x_forwarded_proto;
}

# ADVANCED CONFIGURATION BELOW THIS LINE
# Additional advanced configuration (server context) in openid_connect.server_conf

# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;

# Change timeout values to at least the validity period of each token type
keyval_zone zone=oidc_id_tokens:1M state=conf.d/oidc_id_tokens.json timeout=1h;
keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h;
keyval_zone zone=oidc_pkce:128K timeout=90s; # Temporary storage for PKCE code verifier.

keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens;   # Exchange cookie for JWT
keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token
keyval $request_id $new_session zone=oidc_id_tokens; # For initial session creation
keyval $request_id $new_refresh zone=refresh_tokens; # ''
keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;

auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
js_import oidc from conf.d/openid_connect.js;

# vim: syntax=nginx

The debug logs are shared here https://drive.google.com/file/d/18g1K44cQeiAO50E4pOFsxBNl5v4rts7T/view?usp=sharing

It looks like the URI is not persisted across the OIDC call:

2022/02/03 14:55:59 [debug] 19699#19699: *12 http map started
2022/02/03 14:55:59 [debug] 19699#19699: *12 http script var: "/_codexch"
2022/02/03 14:55:59 [debug] 19699#19699: *12 http script var: "/_codexch"
2022/02/03 14:55:59 [debug] 19699#19699: *12 http map: "/_codexch" "my-client-secret"

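Added example (editor's note; this is not code from nginx-openid-connect or from anyone in this thread). The captured token request earlier in the thread carries the protected path only in the auth_redir cookie (Cookie: auth_redir=/htvar/ugly.jsp), while the request's own $uri is an internal location, and the last debug excerpt shows the map being fed "/_codexch". The script below parses nginx map blocks of the shape posted in this thread and evaluates them with nginx's matching rules (plain keys, ~ and ~* regex keys, default, values that reference variables) for the three URIs that appear in the logs: the protected page, the browser's return to /_codexch, and the /_token subrequest made from it. It then evaluates a two-stage variant that keys those two internal locations on $cookie_auth_redir and everything else on $uri. Assumptions, also marked in the code: the variable name $oidc_app_path is hypothetical; the map blocks and the Cookie header are constructed copies of what is posted above; entries are tried in config order (nginx checks exact strings before regexes, which makes no difference here); the refresh-token subrequest is not covered; and whether the cookie is still present at the exchange must be confirmed against your own debug log. Because the auth_redir cookie is client-controlled, it is only ever used to select between configured entries of the second map, with the default entry as the deliberate fallback; its value itself never reaches the IdP.

```javascript
// Added example (not code from nginx-openid-connect): evaluate nginx `map`
// blocks the way nginx would for each request of the login flow, to see
// which client_id the token exchange ends up sending.

// Parse `map $src $dst { key value; ... default value; }` blocks.
// Covers the subset used in this thread: plain keys, ~ / ~* regex keys,
// `default`, optional double quotes, `#` comments, values with $variables.
function parseMaps(conf) {
  const maps = {};
  const block = /map\s+\$(\w+)\s+\$(\w+)\s*\{([^}]*)\}/g;
  let m;
  while ((m = block.exec(conf)) !== null) {
    const entries = [];
    let fallback = '';
    for (const chunk of m[3].split(';')) {
      const line = chunk.replace(/#.*$/gm, '').trim(); // drop comments
      if (!line) continue;
      const sp = line.search(/\s/);
      if (sp < 0) continue; // malformed entry without a value
      const key = line.slice(0, sp);
      const value = line.slice(sp).trim().replace(/^"(.*)"$/, '$1');
      if (key === 'default') fallback = value; else entries.push({ key, value });
    }
    maps[m[2]] = { src: m[1], entries, fallback };
  }
  return maps;
}

// Split a Cookie header into a name -> value table (first '=' separates).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Resolve $name for a request context {uri, cookies}. Built-ins: $uri and
// $cookie_<name>; anything else must be a map. Plain keys compare
// case-insensitively (nginx lowercases the hash key), ~ keys are
// case-sensitive regexes, ~* case-insensitive. Entries are tried in config
// order (nginx tries exact strings first; irrelevant for these maps).
// A matched value may contain $variables; they are substituted once and
// the substituted text is NOT re-scanned, so a cookie value containing '$'
// cannot smuggle in a variable reference.
function resolve(maps, name, ctx) {
  if (name === 'uri') return ctx.uri;
  if (name.startsWith('cookie_')) return ctx.cookies[name.slice(7)] || '';
  const map = maps[name];
  if (!map) throw new Error('unknown variable $' + name);
  const input = resolve(maps, map.src, ctx);
  let value = map.fallback;
  for (const e of map.entries) {
    const hit = e.key.startsWith('~*') ? new RegExp(e.key.slice(2), 'i').test(input)
              : e.key.startsWith('~')  ? new RegExp(e.key.slice(1)).test(input)
              : e.key.toLowerCase() === input.toLowerCase();
    if (hit) { value = e.value; break; }
  }
  return value.replace(/\$(\w+)/g, (_, v) => resolve(maps, v, ctx));
}

// Constructed copy of the thread's map, keyed on $uri (placeholder ids).
const URI_KEYED = `
map $uri $oidc_client {
    ~^/htvar/(.*)$ "client-id-aaa";
    default "my-client-id";
}
`;

// Two-stage variant: the internal locations of the login flow take the
// protected path from the auth_redir cookie, everything else uses its own
// $uri. $oidc_app_path is a hypothetical name; /_refresh is not handled.
const COOKIE_KEYED = `
map $uri $oidc_app_path {
    ~^/_codexch$ $cookie_auth_redir;
    ~^/_token$   $cookie_auth_redir;
    default      $uri;
}
map $oidc_app_path $oidc_client {
    ~^/htvar/(.*)$ "client-id-aaa";
    default "my-client-id";
}
`;

// The three requests seen in the thread's logs; Cookie header as captured.
const COOKIE = 'auth_redir=/htvar/ugly.jsp; auth_nonce=85e6aa6169ae466048c5672482f4d03d';
const STAGES = [
  { stage: 'protected page',   uri: '/htvar/ugly.jsp', cookie: '' },
  { stage: 'code exchange',    uri: '/_codexch',       cookie: COOKIE },
  { stage: 'token subrequest', uri: '/_token',         cookie: COOKIE },
];

// Which client_id each stage would put into the token request.
function clientPerStage(conf) {
  const maps = parseMaps(conf);
  const out = {};
  for (const s of STAGES) {
    out[s.stage] = resolve(maps, 'oidc_client', { uri: s.uri, cookies: parseCookies(s.cookie) });
  }
  return out;
}

for (const [label, conf] of [['map $uri', URI_KEYED], ['two-stage map', COOKIE_KEYED]]) {
  console.log(label, clientPerStage(conf));
}
```

Run with node; the $uri-keyed map resolves the protected page to client-id-aaa but both the /_codexch request and its /_token subrequest to the default my-client-id, which is exactly what the IdP log above complains about, while the two-stage map resolves all three stages to client-id-aaa. Keep the default entry as a real, deliberately chosen client rather than a placeholder, since any request with a tampered or missing cookie lands there.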

wongkeewee avatar wongkeewee commented on May 28, 2024

Hi @tippexs,

Are you able to advise based on the logs provided?

