Identity Gateway / OPENIG-5294

RFE: Clearing OIDC issuer storage/repository.

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: OAuth 2.0
    • Labels:
    • Support Ticket IDs:

      Description

      Problem:

      Need a feature to be able to clear OIDC issuer storage/repository in IG.

      Scenario:

      In this case there is a multi-tenant setup with an OIDC identity provider, so the initial well-known OpenID config URL has the form https://<identity-server-url>/login/<tenant-id>/.well-known/openid-configuration. A tenant is set up on the identity provider side, so such a URL becomes accessible and functional as soon as you create a new tenant in the provider. If you access the OpenID config URL with some non-existent <tenant-id>, the identity server (provider) responds with an HTML page that says “Invalid tenant is used”.

      OIDC discovery is scripted and uses an external storage to store mapping between domains and tenants.

      Use cases:

      Use case 1:

      Try to perform the OIDC auth flow against a tenant that doesn’t exist yet on the IdP (OIDC identity provider) side (tenant id in the log: “planningcloudtesty_new”). We are getting the following error:

      [vert.x-eventloop-thread-5] WARN o.f.o.f.LogAttachedExceptionFilter @planning-cloud - Response [Status: 500 Internal Server Error] to `http://localhost:4140?discovery=//localhost&goto=http://localhost:8081/` carries an exception [txId:1215abb7-1b98-4592-8a21-3d9a909e9cbb-7]
      com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
      at [Source: (BufferedReader); line: 1, column: 2]
      at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1851)
      Wrapped by: javax.script.ScriptException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
      at [Source: (BufferedReader); line: 1, column: 2]
      at org.forgerock.openig.script.AbstractScriptableHeapObject.rethrowScriptException(AbstractScriptableHeapObject.java:296)
      Wrapped by: org.forgerock.openig.filter.oauth2.client.DiscoveryException: Unable to read well-known OpenID Configuration from 'http://localhost:5000/login/planningcloudtesty_new/.well-known/openid-configuration'
      at org.forgerock.openig.filter.oauth2.client.IssuerRepository$1.lambda$extractConfig$0(IssuerRepository.java:171)

      Now the tenant has been created, which has been confirmed with the curl call below:

      curl http://localhost:5000/login/planningcloudtesty_new/.well-known/openid-configuration

      {"issuer":"http://localhost:5000/login/planningcloudtesty_new","jwks_uri":"http://localhost:5000/login/planningcloudtesty_new/.well-known/openid-configuration/jwks","authorization_endpoint":"http://localhost:5000/login/planningcloudtesty_new/connect/authorize","token_endpoint":"http://localhost:5000/login/planningcloudtesty_new/connect/token", ...}

      Now if you try to authenticate using the same tenant, the same error is displayed.

      Use case 2:

      Successfully use some tenant (tenant id = “planningcloudtesty_new”) for authentication for a certain domain (this is set in a stored mapping, as mentioned before).

      Change the stored mapping to use another tenant (tenant id = “planningcloudtesty”; this can be seen in the debug logs from GetAuthTypeFilter.groovy), so the OIDC flow now needs to use another well-known OpenID URL.

      The old OpenID URL (tenant id “planningcloudtesty_new”) is still used (i.e. discovery is not invoked again). A restart of IG or touching the route file is necessary.

      Workaround:

      Reload the route or restart IG.

      Attachments:

       Log from use cases 1 and 2.
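The caching behaviour behind both use cases, modelled as an added Python example (not IG's own IssuerRepository; FakeIdP, IssuerRepository, demo and the localhost URLs are constructed for illustration): a failed discovery (the HTML “Invalid tenant” page that caused the JsonParseException) is never cached, so the tenant works as soon as it exists, and clear() evicts an issuer so that a changed mapping triggers re-discovery without a restart. As an extra defensive check taken from the OIDC Discovery spec rather than from the ticket, the issuer claim must match the URL the document was fetched from.

```python
import json

BASE, WELL_KNOWN = "http://localhost:5000/login", "/.well-known/openid-configuration"  # constructed

class FakeIdP:  # constructed multi-tenant provider: HTML page for unknown tenants, JSON otherwise
    def __init__(self, tenants=()):
        self.tenants = set(tenants)
    def fetch(self, url):
        tenant = url[len(BASE) + 1:-len(WELL_KNOWN)]
        if tenant not in self.tenants:
            return "<html><body>Invalid tenant is used</body></html>"
        return json.dumps({"issuer": f"{BASE}/{tenant}", "jwks_uri": f"{BASE}/{tenant}{WELL_KNOWN}/jwks"})

class DiscoveryError(Exception):
    """Unusable well-known document; deliberately never cached."""

class IssuerRepository:
    """Hypothetical issuer cache (not IG's): failed discovery is not cached, clear() evicts."""
    def __init__(self, fetch):
        self.fetch, self._cache, self.fetch_count = fetch, {}, 0  # URL -> metadata; provider hits

    def get(self, url):
        if url in self._cache:
            return self._cache[url]
        self.fetch_count += 1
        try:
            config = json.loads(self.fetch(url))
        except json.JSONDecodeError as exc:  # the HTML "invalid tenant" page lands here
            raise DiscoveryError(f"non-JSON well-known document at {url}") from exc
        # OIDC Discovery 4.3: issuer must equal the URL with the well-known suffix removed
        if not isinstance(config, dict) or config.get("issuer") != url[:-len(WELL_KNOWN)]:
            raise DiscoveryError(f"issuer mismatch at {url}")
        self._cache[url] = config
        return config

    def clear(self, url=None):
        """Evict one issuer (tenant mapping changed) or all of them (the requested RFE)."""
        self._cache.pop(url, None) if url else self._cache.clear()

def demo():  # both use cases from the ticket; returns how often the provider was contacted
    idp, url = FakeIdP(), f"{BASE}/planningcloudtesty_new{WELL_KNOWN}"
    repo = IssuerRepository(idp.fetch)
    try:
        repo.get(url)             # use case 1: tenant not created yet -> HTML, not cached
    except DiscoveryError:
        pass
    idp.tenants.add("planningcloudtesty_new")
    repo.get(url); repo.get(url)  # succeeds without a restart; second call hits the cache
    repo.clear(url); repo.get(url)  # use case 2: mapping changed, clear() forces re-discovery
    return repo.fetch_count       # 3
```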

            People

            • Assignee: Unassigned
            • Reporter: adrian.wisla (Adrian Wisla)