OpenAM / OPENAM-17493

OAuth2 node does not support external proxy authentication (user/pass)


Details

    • AM Sustaining Sprint 83, AM Sustaining Sprint 84, AM Sustaining Sprint 85, AM Sustaining Sprint 86, AM Sustaining Sprint 87, AM Sustaining Sprint 88, AM Sustaining Sprint 89

    Description

      Bug description

      Proxy credentials are not picked up by the code and authentication fails. 

      How to reproduce the issue

      Set up an OAuth2 node in an auth tree to integrate with an external OAuth2 Provider - AM is the OAuth2 client in this case.

      The external OAuthProvider should only be reachable via a proxy.

      The proxy should require user / pass authentication. 

      Configure the tomcat/bin/setenv.sh with the following: 

      http.proxyHost=host.example.com
      http.proxyPort=80
      http.proxyUser=demo
      http.proxyPassword=test123
      https.proxyHost=host.example.com
      https.proxyPort=8081
      https.proxyUser=demo
      https.proxyPassword=test1234

      (Optional) Configure HTTP forward proxy via /etc/hosts to use a local Apache HTTP server-based HTTP forward proxy.

      In addition, set the following AM property:

      org.forgerock.openam.httpclienthandler.system.proxy.enabled : true

      and configure an Apache HTTP client that uses the proxy host and port.

      Observe the exception (when AM tries to fetch the access token from the external OAuth provider), which reveals that the proxy URL and port are picked up, but the proxy user and password are not:  

      o.a.h.i.n.c.InternalIODispatch: 2021-03-02 11:05:06,405: Thread[I/O dispatcher 22]: TransactionId[]
      DEBUG: http-outgoing-5 [ACTIVE(415)] Response received
      o.a.h.i.n.c.MainClientExec: 2021-03-02 11:05:06,405: Thread[I/O dispatcher 22]: TransactionId[]
      DEBUG: [exchange: 6] Response received HTTP/1.1 407 Proxy Authentication Required
      Expected behaviour

      Authentication success.

      Current behaviour

      Authentication failure.

      Workaround

      Customer has proposed a self-identified and developed patch. 

      Code analysis:

      From org.forgerock.http:chf-client-apache-async:26.0.1:

      org.forgerock.http.apache.async.AsyncHttpClientProvider

      Method:

      public HttpClient newHttpClient(Options options) throws HttpApplicationException

      ProxyInfo is null in the following code snippet:

      AuthenticationStrategy proxyStrategy = NoAuthenticationStrategy.INSTANCE;
      ProxyInfo proxyInfo = (ProxyInfo)options.get(HttpClientHandler.OPTION_PROXY);
      if (proxyInfo != null) {
          URI uri = proxyInfo.getProxyUri();
          builder.setProxy(new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme()));
          if (proxyInfo.hasCredentials()) {
              // [...]
              proxyStrategy = ProxyAuthenticationStrategy.INSTANCE;
          }
      }

      Therefore, the HTTP client is constructed with NoAuthenticationStrategy, which explains why the client never authenticates to the proxy server: the 407 Proxy Authentication Required challenge seen in the log is received but never answered.
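      An added example (not CHF, OpenAM or the customer's patch; ProxyAwareClientFactory and its method are hypothetical) of what the hasCredentials() branch above must produce for the setenv.sh properties in this ticket: proxy credentials registered in a CredentialsProvider scoped to the proxy host only, paired with ProxyAuthenticationStrategy so that the 407 challenge is answered instead of surfacing as an authentication failure.

```java
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.ProxyAuthenticationStrategy;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.impl.nio.client.HttpAsyncClients;

/** Hypothetical factory written for this ticket; not CHF, OpenAM or customer code. */
public final class ProxyAwareClientFactory {

    /**
     * Builds an async client for one scheme ("http" or "https") from the JVM
     * properties the ticket sets in setenv.sh: <scheme>.proxyHost, .proxyPort,
     * .proxyUser and .proxyPassword. Apache HttpClient does not read the
     * user/password pair on its own, so they must be wired in explicitly.
     */
    public static CloseableHttpAsyncClient newHttpClient(String scheme) {
        HttpAsyncClientBuilder builder = HttpAsyncClients.custom();
        String host = System.getProperty(scheme + ".proxyHost");
        if (host == null || host.isEmpty()) {
            return builder.build(); // no proxy configured: direct connection
        }
        int port = Integer.parseInt(System.getProperty(scheme + ".proxyPort", "80"));
        // The hop to the proxy itself is plain HTTP; TLS to the target is tunnelled via CONNECT
        HttpHost proxy = new HttpHost(host, port, "http");
        builder.setProxy(proxy);

        String user = System.getProperty(scheme + ".proxyUser");
        String password = System.getProperty(scheme + ".proxyPassword");
        if (user != null && password != null) { // the branch the ticket says is never reached
            CredentialsProvider credentials = new BasicCredentialsProvider();
            // Scope the credentials to the proxy host only, so they are never offered
            // to the external OAuth2 provider if it answers with a 401 of its own
            credentials.setCredentials(new AuthScope(proxy),
                    new UsernamePasswordCredentials(user, password));
            builder.setDefaultCredentialsProvider(credentials);
            // Without this strategy the 407 challenge is received but never answered
            builder.setProxyAuthenticationStrategy(ProxyAuthenticationStrategy.INSTANCE);
        }
        return builder.build();
    }
}
```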

      People

      lawrence.yarham Lawrence Yarham
      alex.belovski Alex Belovski [X] (Inactive)