UAA not working with external Oauth2 IDP
Issue Description
What version of UAA are you running?
UAA 4.10.0
What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'
```json
{
  "app": {"version": "4.10.0"},
  "showLoginLinks": true,
  "links": {
    "uaa": "http://localhost:8080/uaa",
    "passwd": "/forgot_password",
    "login": "http://localhost:8080/uaa",
    "register": "/create_account"
  },
  "zone_name": "uaa",
  "entityID": "uaa-8080-saml",
  "commit_id": "a4132cb",
  "idpDefinitions": {},
  "prompts": {
    "username": ["text", "Email"],
    "password": ["password", "Password"],
    "passcode": ["password", "One Time Code ( Get one at http://localhost:8080/uaa/passcode )"]
  },
  "timestamp": "2018-02-06T18:24:36+0000"
}
```
How are you deploying the UAA?
I am deploying the UAA
- As a war file downloaded from the Maven repository.
What did you do?
I am trying to set up Github as an external Oauth2 identity provider with the UAA. Here is what I did:
- Created a new Oauth app at: https://github.com/settings/applications/new
- Configured UAA to use Github as an external Oauth2 IDP with the below configuration in the uaa.yml:

```yaml
login:
  oauth:
    providers:
      github:
        type: oauth2.0
        authUrl: https://github.com/login/oauth/authorize
        tokenUrl: https://github.com/login/oauth/access_token
        userInfoUrl: https://api.github.com/user
        scopes:
          - openid
          - email
        linkText: Login with Github
        showLinkText: true
        addShadowUserOnLogin: true
        relyingPartyId: $My-clientId
        relyingPartySecret: $My-clientSecret
        skipSslValidation: true
        clientAuthInBody: true
        attributeMappings:
          user_name: email
```
What did you expect to see? What goal are you trying to achieve with the UAA?
I want to be logged in via an external Oauth2 IDP configured in UAA. When I go to the UAA I see the link ‘Login with Github’. After clicking the link I am redirected to Github. After a successful login in Github I expect to be logged in to the UAA.
What did you see instead?
After successfully logging in to Github I am redirected back to UAA with the below message: “There was an error when authenticating against the external identity provider: NullPointerException”
Please include UAA logs if available.

```
[2018-04-03 10:21:27.186] cloudfoundry-identity-server - ??? [http-apr-8080-exec-6] ... ERROR --- XOAuthAuthenticationFilter: XOauth Authentication exception
java.lang.NullPointerException
	at org.cloudfoundry.identity.uaa.login.AccountSavingAuthenticationSuccessHandler.setSavedAccountOptionCookie(AccountSavingAuthenticationSuccessHandler.java:52)
	at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter.lambda$authenticationWasSuccessful$0(XOAuthAuthenticationFilter.java:94)
	at java.util.Optional.ifPresent(Optional.java:159)
	at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter.authenticationWasSuccessful(XOAuthAuthenticationFilter.java:93)
	at org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter.doFilter(XOAuthAuthenticationFilter.java:59)
	at
```
Here is my analysis so far. Below is the request and response from UAA to acquire an access token from Github:

Request: https://github.com/login/oauth/access_token
Parameters: grant_type=authorization_code&response_type=token&code=72a22a2d404f6061aa2f&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fuaa%2Flogin%2Fcallback%2Fgithub&client_id=$My-clientId&client_secret=$My-clientSecret

Response: {access_token=I-get-here-valid-access-token, token_type=bearer, scope=}
At this point UAA tries to fetch ‘access_token’ from the response here: https://github.com/cloudfoundry/uaa/blob/4.10.0/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java#L569
But it seems the method getResponseType returns as ‘token’ instead of ‘access_token’ and hence it fails. Please see below: https://github.com/cloudfoundry/uaa/blob/4.10.0/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java#L389
Thanks for the detailed analysis and example of properly set-up IdP configurations.
I think a lot of this is historical inertia for OAuth being a pure authorization protocol, not an authentication protocol. OpenID Connect ID tokens have been the replacement to represent authentication on top of OAuth 2.0.
It does appear that UAA could support OAuth 2.0 if the token was JWT spec. UAA appears to be parsing the token for claims assuming that it’s a JWT ID Token, even when the default `token` config is used. What should be happening is that if the token is not parseable as JWT, UAA should be taking the value, and performing a call out to the User Info endpoint configured, and grabbing the user values from that response instead of from the token claims. That logic would be placed likely around https://github.com/cloudfoundry/uaa/blob/4.10.0/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java#L448-L456.
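The two points made above, the reporter's finding that looking up the wrong field of the token response yields null and later an NPE, and the proposal to fall back to the configured User Info endpoint when the token is not a JWT, sketched as an added Python example; this is not UAA's code. The `token_key` parameter, the injected `verify_id_token`/`fetch_user_info` callables and the sample token responses are assumptions constructed for the demo; the `user_name: email` mapping is taken from the reporter's uaa.yml.

```python
import base64
import json
from typing import Callable, Dict

def _b64url(obj: Dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed samples, not real tokens. GitHub's token endpoint returns an opaque
# access token and no id_token, which is what the reporter's response shows.
GITHUB_TOKEN_RESPONSE = {"access_token": "gho_constructed_opaque", "token_type": "bearer", "scope": ""}
# An OIDC-style response whose id_token has the compact JWS shape header.payload.signature.
OIDC_TOKEN_RESPONSE = {
    "id_token": ".".join([_b64url({"alg": "RS256"}), _b64url({"sub": "42", "email": "alice@example.com"}), "c2ln"]),
    "access_token": "opaque", "token_type": "bearer",
}
ATTRIBUTE_MAPPINGS = {"user_name": "email"}  # attributeMappings from the reporter's uaa.yml

def looks_like_jwt(token: str) -> bool:
    """Structural check only (three non-empty dot-separated segments); says nothing about validity."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)

def apply_attribute_mappings(claims: Dict, mappings: Dict[str, str]) -> Dict:
    """Map provider claims onto UAA user attributes, e.g. user_name <- email."""
    missing = [src for src in mappings.values() if src not in claims]
    if missing:
        raise ValueError(f"provider did not supply mapped attribute(s): {missing}")
    return {dst: claims[src] for dst, src in mappings.items()}

def resolve_identity(token_response: Dict, token_key: str, verify_id_token: Callable[[str], Dict],
                     fetch_user_info: Callable[[str], Dict], mappings: Dict[str, str]) -> Dict:
    """token_key (assumed name) is the field to read from the token response: "id_token" or "access_token"."""
    raw = token_response.get(token_key)
    if raw is None:
        # Fail loudly here rather than propagating None into later handlers (the reported NPE).
        raise ValueError(f"token response has no '{token_key}' field; present: {sorted(token_response)}")
    if looks_like_jwt(raw):
        return apply_attribute_mappings(verify_id_token(raw), mappings)   # OIDC path: claims from ID token
    return apply_attribute_mappings(fetch_user_info(raw), mappings)       # plain OAuth2 path: userInfoUrl

# Stand-ins for the two network calls, returning constructed data.
def fake_user_info(access_token: str) -> Dict:
    # Simulates GET userInfoUrl (https://api.github.com/user) with "Authorization: Bearer <token>".
    return {"login": "alice", "id": 42, "email": "alice@example.com"} if access_token == "gho_constructed_opaque" else {}

def stub_verify_id_token(id_token: str) -> Dict:
    # Demo stub: decodes the payload only. A real verifier must check the JWS signature against the
    # provider's keys and the iss/aud/exp claims before any claim is trusted.
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```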
Hello all, I have made a patch for this issue with some unit tests for basic code coverage. Turns out plain Oauth2 was never really supported for IDP, as the implementation only supported OIDC. All 4600+ tests are passing. The working code is in this repo/branch: https://github.com/gstackio/uaa/tree/feature/github-oauth2 and the forked `uaa-release` that uses it is here: https://github.com/gstackio/gk-uaa-boshrelease/tree/feature/github-oauth2 Finally, I’ve deployed the forked release in my own Gstack’s sandbox Cloud Foundry, and the real-life Github authentication works fine. I’ll push a PR soon. Best, Benjamin

Edit: see PR #1463!