PAS SSO producer app not inserting CP properties

Posted by ssouthwe on 24-Feb-2020 16:13

I have a little PAS app that I'm using to generate an SSO token that I use to log the user in to another PAS service.

In the originating oeablSecurity.properties, I have this:

...

OESSOTokenManager.tokenPolicy=always
OESSOTokenManager.ssoTokenURLOption=OECP
OESSOTokenManager.ssoTokenExpires=28800
OESSOTokenManager.ssoAllowScope=
OESSOTokenManager.ssoGrantScope=
OESSOTokenManager.ssoTokenRefresh=true
OESSOTokenManager.ssoRefreshDeltaTime=28800
OESSOTokenManager.springRolePrefix=

---

OEClientPrincipalFilter.enabled=true
OEClientPrincipalFilter.registryFile=ABLDomainRegistry.keystore
OEClientPrincipalFilter.domain=mycompany.com
OEClientPrincipalFilter.roles=
OEClientPrincipalFilter.authz=true
OEClientPrincipalFilter.expires=28800
OEClientPrincipalFilter.accntinfo=true
OEClientPrincipalFilter.ccid=false
OEClientPrincipalFilter.anonymous=false
OEClientPrincipalFilter.sealAnonymous=false
OEClientPrincipalFilter.appName=OE
OEClientPrincipalFilter.forwardToken=false
OEClientPrincipalFilter.passthru=false
OEClientPrincipalFilter.domainRoleFilter=
OEClientPrincipalFilter.loadAccntAttrList=*

# Declare placeholders for up to 10 OEClientPrincipalFilter
# properties. Any number of properties larger than 10
# requires customization of authFilters.xml.
#
# Any property 'key' value whose first character is a
# comment (#) is ignored when creating a Client-Principal
# token
OEClientPrincipalFilter.properties.1.key=FirstName
OEClientPrincipalFilter.properties.1.value=Jack

OEClientPrincipalFilter.properties.2.key=LastName
OEClientPrincipalFilter.properties.2.value=TestGuy

OEClientPrincipalFilter.properties.3.key=Organization
OEClientPrincipalFilter.properties.3.value=TestCompany

I would expect that the 3 properties I have set here would come through in the client principal, but when I get the CP's property list, it is completely empty.

What should I be doing to get properties set in the SSO token?
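As an added check (not code from the post or from Progress), this derives the property list the Client-Principal should carry from the OEClientPrincipalFilter.properties.N placeholders above, applying the rules in the file's own comment block, so an empty CP property list can be told apart from a misconfiguration. The sample config text is constructed.

```javascript
// Added example (not from the post): derive the Client-Principal properties an
// oeablSecurity.properties file promises via OEClientPrincipalFilter.properties.N,
// applying the rules from the file's own comment block (# keys ignored, 10 slots).
const PLACEHOLDER_RE = /^OEClientPrincipalFilter\.properties\.(\d+)\.(key|value)$/;
const MAX_PLACEHOLDERS = 10; // beyond this, authFilters.xml must be customized

// Minimal .properties reader: '#' lines are comments, first '=' splits key/value.
function readProperties(text) {
  const props = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) props.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return props;
}
// Returns { expected: {name: value}, warnings: [...] }.
function expectedCpProperties(text) {
  const slots = new Map();
  for (const [k, v] of readProperties(text)) {
    const m = PLACEHOLDER_RE.exec(k);
    if (!m) continue;
    const n = Number(m[1]);
    if (!slots.has(n)) slots.set(n, {});
    slots.get(n)[m[2]] = v;
  }
  const expected = {}, warnings = [];
  for (const [n, slot] of [...slots].sort((a, b) => a[0] - b[0])) {
    if (n > MAX_PLACEHOLDERS) warnings.push(`slot ${n} needs authFilters.xml customization`);
    if (!slot.key || slot.key.startsWith("#")) continue; // empty or commented-out key
    if (slot.value === undefined) { warnings.push(`slot ${n} has no value`); continue; }
    expected[slot.key] = slot.value;
  }
  return { expected, warnings };
}

// Names the config promises but the CP's runtime property list lacks.
function missingCpProperties(text, actualNames) {
  const have = new Set(actualNames);
  return Object.keys(expectedCpProperties(text).expected).filter((k) => !have.has(k));
}

// Constructed sample: the post's first placeholder plus a commented-out one.
const SAMPLE_CONFIG = `
OEClientPrincipalFilter.properties.1.key=FirstName
OEClientPrincipalFilter.properties.1.value=Jack
OEClientPrincipalFilter.properties.2.key=#LastName
OEClientPrincipalFilter.properties.2.value=TestGuy
`;
```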

All Replies

Posted by Blake Stanford on 27-Feb-2020 21:02

Sorry I don't have an answer, but I do have a question.  I'm trying the same thing minus the extra key information, and have been unsuccessful at actually getting a token back.  Do you mind sharing your config and your post request?

Posted by Michael Jacobs on 27-Feb-2020 22:11

Steve,

Are you using OERealm as the authManager by any chance?  

I have a running test configuration and I'll try your configuration using the local text file accounts.  Then maybe we can find you a definitive answer.

Posted by ssouthwe on 28-Feb-2020 02:25

Michael, on this particular one, I'm just using the little oeablSecurity.csv file.  It's a service only used by developers.

## Southwell's setup for a basic SSO producer for testing purposes
http.all.authmanager=local
client.login.model=form
http.all.realm=OpenEdge

Posted by ssouthwe on 28-Feb-2020 02:36

Blake, the relevant parts of the config are in the original post, and the extra part I sent Michael.

As far as how you would get hold of the token, here's a snippet of JavaScript (I use it with jQuery. I'd send you the whole thing, but it's full of other client stuff.):

<script>
var authurl = "localhost:8820/.../j_spring_security_check";
var refreshurl = "localhost:8820/.../token";
var myCPO;             // the OECP access token returned by the login
var CPODateTime;       // when the token was obtained
var expireseconds;     // expires_in from the response, in seconds
var ExpiresDateTime;
var refreshtoken;
var resturl = "localhost:8820/.../test";
$( document ).ready(function(){
    $("#login").click(function(){
         // Do a REST call to get a session going
         var data = {
           j_username: $("#username").val(),
           j_password: $("#password").val()
         };
         var request = {
           url: authurl,
           method: "POST",
           contentType: "application/x-www-form-urlencoded",
           headers: {accept: "application/json"},
           data: data,
           success: function(response,status,x) {
               console.log(response,status,x);   // note: this logs the token to the browser console
               myCPO = response.access_token;
               refreshtoken = response.refresh_token;
               expireseconds = response.expires_in;
               $("#response").val(JSON.stringify(response));
               CPODateTime = new Date();
               // expires_in is in seconds; Date + number would concatenate strings
               ExpiresDateTime = new Date(CPODateTime.getTime() + expireseconds * 1000);
               $("#tokenobtained").html(CPODateTime);
               $("#expiredatetime").html(ExpiresDateTime);
           }
         };
         $.ajax(request);
    });
});
</script>


Edit: The markup above is playing havoc with the URLs in my script. Just replace the garbage with straight URLs to your app.

Posted by Blake Stanford on 28-Feb-2020 13:48

Thanks to all, I found that when I sent the j_username and j_password in as a query string it worked.  Seems strange that would be the case with a post request???

From Postman I was using the below without success.  In the logs, the username and password were not being set:

curl --location --request POST 'localhost:8170/.../j_spring_security_check' --header 'Accept: application/json' --form 'j_username=restuser' --form 'j_password=password'

Then out of morbid curiosity this morning tried:

curl --location --request POST 'localhost:8170/.../j_spring_security_check?j_username=restuser&j_password=password' --header 'Accept: application/json'

With query parameters I could see in the logs that the username and password were getting in correctly but had a different error:

  c.p.a.s.s.OEClientPrincipalFilter - Error converting Spring token to OEAuthenticationToken: java.lang.IndexOutOfBoundsException: No group 1

I found a post by BartMille about the OEClientPrincipalFilter.domainRoleFilter being set when it didn't need to be.  I checked my config and sure enough I had set it to ROLE_PSCUser.  I'm not sure why, but I removed it.

What a great feeling to see:

{
    "access_token": "AKAAAQAAAAEAAKAAAgAAAAlyZXN0dXNlcgAAkAALAAAACAAAAABeWDvBADAADAAAAAIADACgABoAAAAPU1NPQWNjZXNzVG9rZW4AAKAADQAAAA1ST0xFX1BTQ1VzZXIAAKAADwAAADNCRTkzMkEwRDBGQUVCMDVCMkY3Njk3QTI3OTc3MDdDREMxRTNEOTY2QjBENC5vZWlkcAAA0AAQAAAACAAAAABeWEnRANAAFwAAAAj////////+1ADQABsAAAAI/////////tQA0AAcAAAACAAAAAAMwnAPALAAFQAAABDyme4zJKAGv51GR+AP1rEh",
    "refresh_token": "eeb8beb5-6d5f-437b-9fe1-67552637c519.oeidp",
    "token_type": "oecp",
    "expires_in": 3600
}

All of the frustration, head banging, foot stomping and swearing stopped when that first token was returned.  At this point, 7:43am, I'm going home, as there is no point in working any longer; I'm going to have a bigger success.

A special thanks to Mike J.  He provided me with examples and answered many questions!
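The login exchange from the jQuery snippet and the curl calls above, as an added example (not code from the thread or from Progress): it builds the form-encoded POST that j_spring_security_check reads as request parameters, parses the token JSON, and computes the expiry instant from expires_in. The base URL, the sample response values and the 60 s refresh margin are assumptions.

```javascript
// Added example (not code from the thread or from Progress): the login exchange
// performed by the jQuery snippet and the curl calls above, with the credentials
// in a form-encoded POST body and the expiry computed from expires_in correctly.
const AUTH_PATH = "/j_spring_security_check"; // appended to an assumed base URL

// Build the login request. Credentials belong in the form body, not in the
// query string: a URL ends up in access logs, proxies and browser history.
function buildLoginRequest(baseUrl, username, password) {
  const body = new URLSearchParams({ j_username: username, j_password: password });
  return {
    url: baseUrl + AUTH_PATH,
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "Accept": "application/json",
    },
    body: body.toString(),
  };
}

// Parse the token JSON and turn expires_in (seconds) into an absolute instant.
// Date + number concatenates strings, so the arithmetic is done on getTime().
function parseTokenResponse(jsonText, now = new Date()) {
  const r = JSON.parse(jsonText);
  for (const k of ["access_token", "refresh_token", "token_type", "expires_in"]) {
    if (!(k in r)) throw new Error("token response missing " + k);
  }
  if (String(r.token_type).toLowerCase() !== "oecp") throw new Error("unexpected token_type " + r.token_type);
  return {
    accessToken: r.access_token,
    refreshToken: r.refresh_token,
    obtainedAt: now,
    expiresAt: new Date(now.getTime() + Number(r.expires_in) * 1000),
  };
}

// Refresh ahead of expiry by a safety margin (assumed 60 s) rather than at the
// last second, so a request never goes out with a token that dies in flight.
function needsRefresh(token, now = new Date(), marginSeconds = 60) {
  return token.expiresAt.getTime() - now.getTime() <= marginSeconds * 1000;
}
// Constructed sample shaped like the response posted in the thread.
const SAMPLE_RESPONSE = JSON.stringify({
  access_token: "AKAAAQ...(opaque OECP token, placeholder)",
  refresh_token: "00000000-0000-0000-0000-000000000000.oeidp",
  token_type: "oecp",
  expires_in: 3600,
});
```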

Posted by Blake Stanford on 03-Mar-2020 16:12

Was a resolution to Steve's original question made?  After I got my token generator up and running against local user.properties and also OERealm, I have the same situation where the properties in the generated SSO token are blank.

Posted by Irfan on 04-Mar-2020 16:10

Hi Blake & Steve,

This is a bug and I have logged one: ADAS-22494. We know exactly why it would be happening and will let you know when we have a fix and how to proceed further.

Posted by Shelley Chase on 04-Mar-2020 16:20

Hi Irfan,
 
For future reference, tech support asks that we have the customer log the bug so they are aware of the use case/issue. When engineering logs it, it appears as internal so they do not know about the customer.
 
Thanks
-Shelley
 

Posted by Blake Stanford on 04-Mar-2020 17:40

Thanks Irfan, It's nice to know.  Now I can stop banging my head trying to make it work.

Posted by Blake Stanford on 05-Mar-2020 13:03

FWIW.....just in case it wasn't clear, any attributes that get added to the CP from the OERealm class as additional properties don't make it to the SSO token.  Not just static properties from the securities.properties file.  Roles assigned in the OERealm class do appear to make it to the SSO

METHOD PUBLIC OVERRIDE CHARACTER GetAttribute ( INPUT piUserID   AS INTEGER,
                                                INPUT pcAttrName AS CHARACTER ):

  DEFINE VARIABLE cValue       AS CHARACTER NO-UNDO INITIAL ?.
  DEFINE VARIABLE cMyContextID AS CHARACTER NO-UNDO.
  DEFINE VARIABLE lcValue      AS LONGCHAR  NO-UNDO.
  DEFINE VARIABLE jsonObj      AS Progress.Json.ObjectModel.JsonObject NO-UNDO.

  IF NOT THIS-OBJECT:validateRequest("GetAttribute") THEN
    MESSAGE "Unauthorized request".
  ELSE
    CASE pcAttrName:
      WHEN OERealmDefs:REALM_ATTR_ENABLED THEN
        ASSIGN cValue = STRING(isActive(piUserID), "1/0").
      WHEN OERealmDefs:REALM_ATTR_LOCKED THEN
        ASSIGN cValue = STRING(isLocked(piUserID), "1/0").
      WHEN OERealmDefs:REALM_ATTR_EXPIRED THEN
        ASSIGN cValue = STRING(isExpired(piUserID), "1/0").
      WHEN OERealmDefs:REALM_ATTR_ROLES THEN
        ASSIGN cValue = getUserRoles(piUserID).
      WHEN OERealmDefs:REALM_ATTR_PROPERTIES THEN
        DO:
          /* Additional CP properties are returned as a serialized JSON object */
          cMyContextID = GUID(GENERATE-UUID).
          jsonObj = NEW Progress.Json.ObjectModel.JsonObject().
          jsonObj:Add("MyContextID", cMyContextID).
          jsonObj:Write(lcValue, FALSE).
          cValue = STRING(lcValue).
        END.
      OTHERWISE
        ASSIGN cValue = ?.
    END CASE.

  RETURN cValue.

END METHOD.

METHOD PUBLIC OVERRIDE CHARACTER getUserRoles ( INPUT piUserID AS INTEGER ):
  DEFINE VARIABLE lValidProdUser AS LOGICAL NO-UNDO.

  /* Test stub: every user gets the same role */
  RETURN "MyUser".

END METHOD.

 

This thread is closed