openid not working with webapi/atlas when using Azure AD application

[scivm]

I have configured openid to use an azure AD application and go through the entire openid login flow but in the end the user is not authenticated and I see "Log in" on the Atlas page. I am compiling webapi from source and using latest code for both webapi and atlas (I first tried with github ouath in a different environment and was able to authenticate ok)

I've noticed in the openid flow one of the location headers is wrong for calling url https://xxx.xxx.xxx/WebAPI/user/login/openid?redirectUrl=/home. location header has the home url and encoded data appended directly to it without a parameter

Location: https://xxx.xxx.xxx/atlas/#/welcomeeyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleHQxMTA0ODg0MEBodXN0aWV0b2FsbGFzLmZpIiwiZXhwIjoxNjA2OTc5Mzc1fQ.TeUHdAwEo_5Cq7h9GwV9VY5-cGNk311o4-hQ1CtpTjgupUrQJBmKlgNOpg3ardMnLi8ZBLVpcUXjopSco4nnqA

And here is that same location header when I try out the github auth

Location: http://xxx.xxx.xxx/atlas/#/welcome/null/eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzaGFtYmVyZ2VybUBnbWFpbC5jb20iLCJleHAiOjE2MDcwNDk4MDF9.aoaV-NgGGpL8jBLlGKXzQwBC7FFtPANSa1Sih9HdmelWeiFxPRFki7xi9MvQ0rEHzyAaRoHOB-m0yVIE16lONw/%2Fhome

security.provider=AtlasRegularSecurity
security.cors.enabled=true
security.token.expiration=43200
security.origin=*
security.ssl.enabled=false   (terminating ssl in nginx in front of webapi/atlas)
security.oid.clientId=xxxxx
security.oid.apiSecret=xxxxx
security.oid.url=https://login.microsoftonline.com/xxxxx/v2.0/.well-known/openid-configuration
security.oid.redirectUrl=https://xxx.xxx.xxx/atlas/#/welcome
security.oid.logoutUrl=https://xxx.xxx.xxx/atlas/#/welcome

I have added some extra logging and do not see any errors in webapi:

2020-12-02 06:41:14.075 DEBUG http-nio-8080-exec-5 org.pac4j.core.engine.DefaultSecurityLogic -  - authorizers: null
2020-12-02 06:41:14.075 DEBUG http-nio-8080-exec-5 org.pac4j.core.authorization.checker.DefaultAuthorizationChecker -  - Checking authorizer: org.pac4j.core.authorization.authorizer.CsrfAuthorizer@353edea7 -> true
2020-12-02 06:41:14.075 DEBUG http-nio-8080-exec-5 org.pac4j.core.engine.DefaultSecurityLogic -  - authenticated and authorized -> grant access
2020-12-02 06:41:14.075 INFO http-nio-8080-exec-5 org.ohdsi.webapi.shiro.filters.UpdateAccessTokenFilter -  - Checking principal
2020-12-02 06:41:14.076 INFO http-nio-8080-exec-5 org.ohdsi.webapi.shiro.filters.UpdateAccessTokenFilter -  - use preferred_username if email is null
2020-12-02 06:41:14.076 INFO http-nio-8080-exec-5 org.ohdsi.webapi.shiro.filters.UpdateAccessTokenFilter -  - session is not null so stopping // stop session to make logout of OAuth users possible
2020-12-02 06:41:14.244 INFO http-nio-8080-exec-5 org.ohdsi.webapi.shiro.filters.UpdateAccessTokenFilter -  - creating jwt token
2020-12-02 06:41:14.410 INFO http-nio-8080-exec-5 org.ohdsi.webapi.shiro.filters.UpdateAccessTokenFilter -  - setting jwt to token attribute
2020-12-02 06:41:14.484 INFO http-nio-8080-exec-5 org.ohdsi.webapi.shiro.filters.UpdateAccessTokenFilter -  - permissions: [source:daimon:priority:get, source:*:get, user:me:get, role:*:get, cache:clear:get, role:*:users:get, source:post, user:import:job:*:delete, *:person:*:get:dates, user:import:*:mapping:post, user:import:job:*:put, permission:get, role:post, user:runas:post, user:import:*:mapping:get, user:import:job:*:history:get, comparativecohortanalysis:*:put, user:import:job:*:get, user:import:*:post, user:get, role:*:permissions:get, source:details:*:get, cohortanalysis:post, role:*:users:*:put, comparativecohortanalysis:*:copy:get, user:import:job:get, configuration:edit:ui, role:get, user:import:job:post, source:*:daimons:*:set-priority:post, user:providers:get, user:import:*:test:get, user:import:*:groups:get, user:import:post, role:1:permissions:*:delete, comparativecohortanalysis:*:delete, role:1:permissions:*:put, role:*:users:*:delete, source:connection:*:get, source:*:put, source:*:delete]

In Atlas, I am seeing the following after the authentication redirects:

There was another issue that openid is using the user email as a required field though some organizations may not use this field. I was able to workaround this by adding the following code in filters/UpdateAccessTokenFilter.java. It would be good to be able to specify an alternate field besides email.

      /**
      * If email or name not set then use another field
      */
      if (login == null && ((Pac4jPrincipal)principal).getProfile().getAttribute("preferred_username") != null) {
        logger.info("use preferred_username if email is null");
        login = ((Pac4jPrincipal)principal).getProfile().getAttribute("preferred_username").toString();
      }
      if (name == null && ((Pac4jPrincipal)principal).getProfile().getAttribute("preferred_username") != null) {
        logger.info("use preferred_username if name is null");
        name = ((Pac4jPrincipal)principal).getProfile().getAttribute("preferred_username").toString();
      }

[scivm]

workaround is to do the following:
security.oid.redirectUrl=https://xxx.xxx.xxx/atlas/#/welcome
to
security.oid.redirectUrl=https://xxx.xxx.xxx/atlas/#/welcome/null/

I was able to successfully authenticate. Now even though I am admin I am still denied all resources except Configuration so still some work to do...

[ssaranathan]

Hi @scivm ,
Were you able to authenticate via OpenID ? I am trying to authenticate, and I am Getting Error 500 and my URL is stuck at:

https://xxx/WebAPI/user/login/openid?redirectUrl=/home

Any help would be greatly appreciated.

@anthonysena
Thanks,
Sundar.

[scivm]

I was able to get it working with the workaround I posted above for security.oid.redirectUrl. 500 error might be putting something to the server logs if you put it in debug? Or is this more information if you use chrome developer tools. I just kept adding debug on client and server side until I figured it out. It took days.

[ssaranathan]

Thanks @scivm , In the logs, I see this:

Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: https://xxx/oidc/endpoint/default/authorize

Which means that the Client ID is not being passed in the request. I do have the <security.oid.clientId> and <security.oid.apiSecret> defined in the settings.xml. Anything else I am missing ? Thanks for your help.

[ssaranathan]

Hi @scivm

Though I have specified a redirect URL in the settings.xml, ( <security.oid.redirectUrl>https://xxx/atlas/#/welcome/null/ </security.oid.redirectUrl>)

I see the redirect URL in the call to the OID authorization end point is something like this: https://localhost:8080/WebAPI/user/oauth/callback/OidcClient

Any idea what is wrong ?

[ssaranathan]

Hi @scivm ,
Please let me know if you have any suggestions. Kind of stuck with this issue.

Appreciate your time and help,

Thanks

[alex-odysseus]

Good day, Everybody

Your issue should be resolved by #1695 so that the workaround is no longer necessary. You could try it on the master branch

@scivm please file a separate issue for your request about the "preferred_username" claim (https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). I would appreciate if you could add any further details for your requirements

[KSadomtsev]

closed due to #1711 (comment)

[migldasilva]

Hi @ssaranathan , here goes my findings about this "problem" with the URL callback (actually, for the sake of completitude). After digging a little bit into the code, I found that this URL is defined using the option security.oauth.callback.api, even though you're going for OpenID.

In the file java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java, you'll see the following lines.

if (this.openidAuthEnabled) {
    OidcConfiguration configuration = oidcConfCreator.build();
    OidcClient oidcClient = new OidcClient(configuration);
    oidcClient.setCallbackUrl(oauthApiCallback);
    oidcClient.setCallbackUrlResolver(urlResolver);
    if (StringUtils.isNotBlank(configuration.getClientId())) {
        clients.add(oidcClient);
    }
}

Thus, for changing the callback URL, you could set a proper value for security.oauth.callback.api.