
IDCS Role Mapper is using wrong access token on IDCS Asserter endpoint #8282

Closed
jwveldhuis opened this issue Jan 23, 2024 · 1 comment · Fixed by #8284
Environment Details

  • Helidon Version: 4.0.3
  • Helidon MP
  • JDK version: 21
  • OS: Linux

Problem Description

It seems #8207 did not fix the issue.
The /admin/v1/Asserter endpoint is accessed with the access token of the authenticated user rather than the one configured in the idcs-role-mapper config. This leads to a 401 error:

19:29:46.571 [[0x006cd775 0x2eef9a36] WebServer socket] WARN i.h.s.p.i.m.IdcsRoleMapperProviderBase.performLog(152) - Cannot read groups for user "xxx". Response code: 401 Unauthorized, make sure your IDCS client has role "Authenticator Client" added on the client configuration page, error entity: <TITLE>Unauthorized</TITLE>

The access token reported in the TRACE log is the correct one.

19:29:46.453 [[0x006cd775 0x2eef9a36] WebServer socket] TRACE i.h.s.p.i.m.IdcsRoleMapperProviderBase.performLog(152) - Access token: eyJ4NXQj...

A TRACE log on io.helidon.webclient revealed that although the correct access token is retrieved for the Authenticator Client IDCS app (per the oidc-config configuration), the wrong access token is used in the obtainGrantsFromServer method in IdcsRoleMapperProvider. This wrong token is the access token of the user making the HTTP request for which the roles need to be obtained.

The IDCS Asserter endpoint then responds with a

WWW-Authenticate: Bearer error="invalid_token", error_description="Token Audience"

Could this be related to the outbound config? That the user's token is propagated to IDCS instead of the configured access token?

In the oidc: provider config I have this:

  providers:
    - oidc:
        ...
        outbound:
          outbound:
            - name: "idcs"
              hosts: ["<idcs-hostname>"]

I had to add this outbound config (this is not well documented, by the way), as otherwise I was running into this:

SEVERE: ERROR outbound.outbound 416180f2-fcbe-4e99-8d4a-6737c84be379:13  io.helidon.webclient.security.WebClientSecurity handle WebClientSecurity.java 157 :: "Provider io.helidon.microprofile.jwt.auth.JwtAuthProvider, Description io.helidon.security.OutboundSecurityClientImpl@4b11351c, Request Cannot invoke "io.helidon.security.providers.common.OutboundConfig.findTarget(io.helidon.security.SecurityEnvironment)" because "this.outboundConfig" is null. Subject java.lang.NullPointerException: Cannot invoke "io.helidon.security.providers.common.OutboundConfig.findTarget(io.helidon.security.SecurityEnvironment)" because "this.outboundConfig" is null"
19:50:43.592 [[0x5bd0f467 0x4b85fb37] WebServer socket] WARN  i.h.s.p.i.m.IdcsRoleMapperProviderBase.performLog(152) - Cannot read groups for user "xxx". Error message: Failed to invoke request
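Added example (not part of the issue and not Helidon project code): a small Python diagnostic that decodes a bearer token as seen in a webclient TRACE log and reports whether its aud claim matches the audience the Asserter endpoint expects, which is the mismatch behind the error_description="Token Audience" response quoted above. The audience value, client id and token contents are constructed placeholders; the helper reads claims without verifying signatures and is intended only for telling the configured client token apart from a propagated caller token while reading logs.

```python
"""Inspect which bearer token an outbound call actually carried.

Constructed example for log diagnostics. The audience, client id and
token claims below are placeholders, not real IDCS values.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS without verifying the signature.

    This is for reading tokens out of TRACE logs only; signature, issuer
    and expiry validation still belong to the receiving service.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_test_token(claims: dict) -> str:
    """Build a syntactically valid alg=none token for offline testing.

    Constructed sample data: a real IDCS token is signed and must be verified.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Placeholders (assumptions, not values from the issue or from IDCS).
ASSERTER_AUD = "urn:example:idcs-asserter"
CLIENT_ID = "role-mapper-client-id-placeholder"

# Constructed tokens standing in for the two tokens seen in the report:
# the end user's token ("xxx" is the user name from the log) and the
# client-credentials token obtained for the role mapper's IDCS client.
USER_TOKEN = make_unsigned_test_token({"sub": "xxx", "aud": ["urn:example:my-app"]})
CLIENT_TOKEN = make_unsigned_test_token(
    {"sub": CLIENT_ID, "aud": [ASSERTER_AUD, "urn:example:other"]}
)


def audience_matches(token: str, expected_aud: str = ASSERTER_AUD) -> bool:
    """True if the expected audience is present in the token's aud claim.

    aud may be a single string or a list, so normalise before checking.
    """
    aud = decode_jwt_payload(token).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected_aud in aud


def classify_outbound_token(
    token: str, expected_aud: str = ASSERTER_AUD, client_id: str = CLIENT_ID
) -> str:
    """Distinguish the configured client token from a propagated caller token."""
    claims = decode_jwt_payload(token)
    aud_ok = audience_matches(token, expected_aud)
    if aud_ok and claims.get("sub") == client_id:
        return "configured-client-token"
    if not aud_ok:
        # Corresponds to the 'error_description="Token Audience"' rejection:
        # the token was minted for a different audience, e.g. the caller's own.
        return "propagated-caller-token"
    return "unexpected-token"


if __name__ == "__main__":
    for label, tok in (("user token", USER_TOKEN), ("client token", CLIENT_TOKEN)):
        print(f"{label}: sub={decode_jwt_payload(tok).get('sub')!r} "
              f"-> {classify_outbound_token(tok)}")
```

Running the script with a token copied from a webclient TRACE line (in place of the constructed ones) shows at a glance whether the outbound request carried the client-credentials token or the caller's token that outbound propagation forwarded.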
@jwveldhuis jwveldhuis changed the title IDCS Role Mapper is using wrong access token on IDCC Asserter endpoint IDCS Role Mapper is using wrong access token on IDCS Asserter endpoint Jan 23, 2024
@Verdent Verdent self-assigned this Jan 24, 2024
@Verdent
Member

Verdent commented Jan 24, 2024

Hi @jwveldhuis ,
Thank you for reporting this. This is unfortunately a mix of several issues, which will be fixed in the new release. Thank you for reporting this.
