OpenAM / OPENAM-17493

OAuth2 node does not support external proxy authentication (user/pass)


    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 7.0.1
    • Fix Version/s: None
    • Component/s: oauth2, trees
    • Sprint:
      AM Sustaining Sprint 83, AM Sustaining Sprint 84, AM Sustaining Sprint 85
    • Story Points:
      3

      Description

      Bug description

      Proxy credentials are not picked up by the code and authentication fails. 

      How to reproduce the issue

      Set up an OAuth2 node in an auth tree to integrate with an external OAuth2 Provider - AM is the OAuth2 client in this case.

      The external OAuthProvider should only be reachable via a proxy.

      The proxy should require user / pass authentication. 

      Configure the tomcat/bin/setenv.sh with the following: 

      http.proxyHost=host.example.com
      http.proxyPort=80
      http.proxyUser=demo
      http.proxyPassword=test123
      https.proxyHost=host.example.com
      https.proxyPort=8081
      https.proxyUser=demo
      https.proxyPassword=test1234

      (Optional) Configure HTTP forward proxy via /etc/hosts to use a local Apache HTTP server-based HTTP forward proxy.

      In addition, set the following advanced server property so that AM's HTTP client handler (the Apache HTTP client) picks up the system proxy host and port:

      org.forgerock.openam.httpclienthandler.system.proxy.enabled : true

      Observe the exception (when AM tries to fetch the access token from the external OAuth provider), which reveals that the proxy URL and port are picked up, but the proxy user and password are not:

      o.a.h.i.n.c.InternalIODispatch: 2021-03-02 11:05:06,405: Thread[I/O dispatcher 22]: TransactionId[]
      DEBUG: http-outgoing-5 [ACTIVE(415)] Response received
      o.a.h.i.n.c.MainClientExec: 2021-03-02 11:05:06,405: Thread[I/O dispatcher 22]: TransactionId[]
      DEBUG: [exchange: 6] Response received HTTP/1.1 407 Proxy Authentication Required

      Expected behaviour

      Authentication success.

      Current behaviour

      Authentication failure.

      Workaround

      Customer has proposed a self-identified and developed patch. 

      Code analysis:

      From org.forgerock.http:chf-client-apache-async:26.0.1, class org.forgerock.http.apache.async.AsyncHttpClientProvider, method:

      public HttpClient newHttpClient(Options options) throws HttpApplicationException

      ProxyInfo is null in the following code snippet:

      AuthenticationStrategy proxyStrategy = NoAuthenticationStrategy.INSTANCE;
      ProxyInfo proxyInfo = (ProxyInfo)options.get(HttpClientHandler.OPTION_PROXY);
      if (proxyInfo != null) {
          URI uri = proxyInfo.getProxyUri();
          builder.setProxy(new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme()));
          if (proxyInfo.hasCredentials()) {
              // [...]
              proxyStrategy = ProxyAuthenticationStrategy.INSTANCE;
          }
      }

      Therefore, the HTTP client is constructed with NoAuthenticationStrategy, which explains why the proxy server's authentication challenge (the 407 above) is never answered and proxy authentication is skipped.
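      To confirm locally whether a client actually sends proxy credentials, the following added example (not OpenAM or CHF code; the user, password and realm are constructed to match the reproduction steps above) models the decision a credential-requiring forward proxy makes per request: a missing or invalid Proxy-Authorization header yields the 407 Proxy Authentication Required seen in the log, a valid Basic header passes.

```python
import base64
import hmac

# Constructed to match the reproduction above: assumes the local forward
# proxy is configured with the same user/password as https.proxyUser and
# https.proxyPassword in setenv.sh.
PROXY_USERS = {"demo": "test1234"}
REALM = "local-forward-proxy"


def basic_proxy_authorization(user: str, password: str) -> str:
    """Build the Proxy-Authorization value a client must send (RFC 7617 Basic)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _parse_basic(value: str):
    """Return (user, password) from a 'Basic <b64>' value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def proxy_decision(headers: dict, users: dict = PROXY_USERS) -> tuple:
    """Decide (status, response headers) for one request at the forward proxy.

    Header names are matched case-insensitively. Any request without a valid
    Proxy-Authorization header gets 407 plus a Proxy-Authenticate challenge,
    which is exactly what a client built with NoAuthenticationStrategy hits.
    """
    challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}"'}
    value = next((v for k, v in headers.items() if k.lower() == "proxy-authorization"), None)
    if value is None:
        return 407, challenge
    creds = _parse_basic(value)
    if creds is None:
        return 407, challenge
    user, password = creds
    expected = users.get(user)
    # Constant-time comparison so the check itself does not leak the password length/prefix.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 407, challenge
    return 200, {}
```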

              People

              Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              alex.belovski Alex Belovski