Oauth2 issue with ADFS 4.0 #693

Open
sn00wden opened this issue Aug 16, 2023 · 5 comments
Comments

@sn00wden

I'm using the latest STF version.
LDAP works fine, but we need OAuth2.
STF is started by systemd units.

Body of stf-auth@.service:

[Unit]
Description=STF OAuth2
PartOf=stf.target
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/etc/environment
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker kill %p-%i
ExecStartPre=-/usr/bin/docker rm %p-%i
ExecStart=/usr/bin/docker run --rm \
  --name %p-%i \
  -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro \
  --link rethinkdb-proxy-28015:rethinkdb \
  -e "SECRET=YOUR_SESSION_SECRET_HERE" \
  -e NODE_TLS_REJECT_UNAUTHORIZED=1 \
  -e "OAUTH_AUTHORIZATION_URL=https://adfs.domain.com/adfs/oauth2/authorize" \
  -e "OAUTH_TOKEN_URL=https://adfs.domain.com/adfs/oauth2/token" \
  -e "OAUTH_USERINFO_URL=https://adfs.domain.com/adfs/userinfo" \
  -e "OAUTH_CLIENT_ID=client_adfs" \
  -e "OAUTH_CLIENT_SECRET=secret_adfs" \
  -e "OAUTH_CALLBACK_URL=https://stf.domain.com/auth/oauth/callback" \
  -e "OAUTH_SCOPE=openid email" \
  -p %i:3000 \
  devicefarmer/stf:latest \
  stf auth-oauth2 --port 3000 \
  --app-url https://stf.domain.com/
ExecStop=-/usr/bin/docker stop -t 10 %p-%i

In a new incognito window, I open https://stf.domain.com, get the authorization prompt, select a certificate, enter the password, and am then redirected to https://stf.domain.com/auth/oauth/callback?code=AAAAAAAAAAAAAAAAAAAAAA.***
with this error:

InternalOAuthError: Failed to obtain access token
    at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:423:17)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:162:5)
    at ClientRequest.emit (node:events:527:28)
    at TLSSocket.socketErrorListener (node:_http_client:454:9)
    at TLSSocket.emit (node:events:527:28)
    at emitErrorNT (node:internal/streams/destroy:164:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

How can I solve this?

@denis99999

@cert-x your configuration seems correct, although I am not sure your ca-certificates mount is required (i.e. try to drop it). Perhaps your STF server (resource server) is not able to reach the ADFS server (OAuth server) during the token validation step due to a missing firewall rule; you should take a network trace to see exactly what has happened.

@sn00wden
Author

@denis99999 thank you.
I'm able to reach ADFS, get the authorization page, receive the token and get to the callback URL page... with this error.
If I do not use ca-certificates, I get the following error:

TokenError: MSIS9612: The authorization code received in 'code' parameter is invalid. 
    at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:373:12)
    at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:420:16)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:191:18
    at passBackControl (/app/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:539:35)
    at endReadableNT (node:internal/streams/readable:1345:12)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

But googling gives nothing, because we have a 1-node ADFS and SQL Server.
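
The two traces above fail at different layers: the first one dies inside TLSSocket before any response arrives (the HTTPS connection to OAUTH_TOKEN_URL itself failed), while the second one reaches passport-oauth2's parseErrorResponse, meaning ADFS answered the code-for-token POST with an error body. The script below is an added example, not STF's, passport-oauth2's or ADFS's code: it performs the same authorization-code exchange that passport-oauth2/node-oauth send (grant_type, code, redirect_uri, client_id and client_secret as a form-encoded POST) against a constructed stand-in for the ADFS token endpoint. The stand-in applies the two RFC 6749 rules that make a code invalid, a redirect_uri that differs from the one the code was issued for and reuse of a code, and answers with the same error_description text quoted in this issue. The client_id, client_secret and callback URL are taken from the unit file above; the authorization code and the access token are constructed values.

```python
"""Added example: reproduce STF's OAuth 2.0 code-for-token exchange against a
constructed stand-in for the ADFS token endpoint, so the MSIS9612 error can be
triggered and inspected offline."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# From the unit file in the issue; CODE is a constructed placeholder.
CLIENT_ID = "client_adfs"
CLIENT_SECRET = "secret_adfs"
CALLBACK_URL = "https://stf.domain.com/auth/oauth/callback"
CODE = "code-constructed-for-demo"

# Error text quoted in the issue; ADFS returns it as error_description.
MSIS9612 = "MSIS9612: The authorization code received in 'code' parameter is invalid."


class FakeAdfsTokenEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for /adfs/oauth2/token (not ADFS). A code is valid
    only for the redirect_uri it was issued with and only once (RFC 6749 4.1)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        if form.get("grant_type") != "authorization_code":
            return self._reply(400, {"error": "unsupported_grant_type"})
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            return self._reply(401, {"error": "invalid_client"})
        code = form.get("code", "")
        bound_uri = self.server.issued.get(code)
        if bound_uri is None or code in self.server.redeemed or form.get("redirect_uri") != bound_uri:
            # Shape passport-oauth2's parseErrorResponse turns into a TokenError.
            return self._reply(400, {"error": "invalid_grant", "error_description": MSIS9612})
        self.server.redeemed.add(code)
        self._reply(200, {"access_token": "constructed-access-token",
                          "token_type": "bearer", "expires_in": 3600})

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *_):  # keep the demo output quiet
        pass


def start_fake_adfs():
    """Start the stand-in on a random loopback port; returns (server, token_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeAdfsTokenEndpoint)
    server.issued = {CODE: CALLBACK_URL}  # code -> redirect_uri it was issued for
    server.redeemed = set()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/adfs/oauth2/token"


def exchange_code(token_url, code, redirect_uri, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """POST the form fields passport-oauth2/node-oauth send for the
    authorization-code grant. Returns (http_status, parsed JSON body)."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret}).encode()
    req = Request(token_url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.getcode(), json.loads(resp.read())
    except HTTPError as err:  # 4xx/5xx still carry a JSON error body
        return err.code, json.loads(err.read())


def demo():
    """Three exchanges: wrong redirect_uri, correct first use, replay of the same code."""
    server, token_url = start_fake_adfs()
    try:
        return {
            "wrong_redirect_uri": exchange_code(token_url, CODE, "https://stf.domain.com/"),
            "first_use": exchange_code(token_url, CODE, CALLBACK_URL),
            "replay": exchange_code(token_url, CODE, CALLBACK_URL),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To test a real ADFS the same way, point exchange_code at the OAUTH_TOKEN_URL from the unit file and pass a code freshly copied from the callback URL; the redirect_uri must be byte-for-byte the OAUTH_CALLBACK_URL registered for the client, and a code that STF has already tried to redeem (even if that attempt failed after reaching ADFS) will be rejected on the second try.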

@denis99999

@cert-x it seems the code returned is invalid. You should ask ADFS support, because it does not seem to be an issue with STF but between your resource server and the OAuth server (i.e. you should take a full network trace to identify that). Sorry, I am not able to help you any further on that issue. What I can say is that it works well on my side using either the OAuth 2.0 or the SAML 2.0 protocol in front of my company's authentication servers.

@sn00wden
Author

sn00wden commented Sep 8, 2023

@denis99999, hello!
Which claim names should we get from ADFS?

@denis99999

@cert-x, I don't really understand your question. I don't know ADFS, but what I understand is that ADFS is the authentication server that issued you an OAuth 2.0 partnership for ADFS, so if it does not work with STF, I suggest you contact the ADFS support team to verify your OAuth 2.0 partnership for ADFS and test it using a third-party baseline tool; I know some people use Postman for this!
