Problems with openid_connect authentication


Olav Bringedal
Apr 4, 2016, 8:33:36 AM
to Canvas LMS Users
Hi

We run the open source version of Canvas, and are trying to integrate it with an openid_connect authentication provider. However, it seems Canvas is unable to gather the attributes from the token endpoint. Using the attributes in the id_token seems to go fine (sec, iss and so on). To me it seems that Canvas simply doesn't ask the token endpoint at all.


Here is the account_authorization_configs:

{"id":5,
"auth_type":"openid_connect",
"position":1,
"client_id":"dd0530c2-0dfa-4a0b-94bc-31c86cfaf74d",
"authorize_url":"https://myprovider.com/oauth/authorization",
"token_url":"https://myprovider.com/oauth/token",
"scope":"profile userid",
"login_attribute":"userid",
"jit_provisioning":false}


When trying to log in, the flow is like this: 




Does anyone have any suggestions on how to proceed with finding a solution to this?

Thankful for any input!

Olav Bringedal
University of Bergen

Cody Cutrer
Apr 4, 2016, 10:54:31 AM
to canvas-l...@googlegroups.com
Olav,

The request to the token endpoint occurs on the back end, from server to server. You won't see it logged by your browser. I'm guessing your final page says "There was a problem logging in at <school>"? If so, you should check your Canvas server logs to see what the error was.

As datapoints, Canvas routinely works with Google and Microsoft via OpenID Connect (the latter will be going to the beta branch today). I'm also aware of at least one other user that's successfully using OpenID Connect with their own provider.

That said, it looks like you're trying to authenticate against SimpleSAML. Is there a reason you're preferring the OpenID Connect protocol over SAML?

Cody Cutrer
Software Engineer
Instructure

--

---
You received this message because you are subscribed to the Google Groups "Canvas LMS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to canvas-lms-use...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Olav Bringedal
Apr 5, 2016, 5:10:00 AM
to canvas-l...@googlegroups.com
Hi

Thanks for quick reply. The server log is as follows (edited a bit):

>
> 2016-04-04T12:37:22Z 15489 Started GET "/login/openid_connect" for [****] at 2016-04-04 14:37:22 +0200
> 2016-04-04T12:37:22Z 15489 Processing by Login::Oauth2Controller#new as HTML
> 2016-04-04T12:37:22Z 15489 SQL AccountAuthorizationConfig Load (1.1ms) SELECT "account_authorization_configs".* FROM "account_authorization_configs" WHERE "account_authorization_configs"."account_id" = 1 AND (workflow_state <> 'deleted') AND "account_authorization_configs"."auth_type" = 'openid_connect' ORDER BY "account_authorization_configs"."position" ASC LIMIT 1 [["account_id", 1]] [production:1 master]
> 2016-04-04T12:37:22Z 15489 Redirected to https://myprovider.com/oauth/authorization?client_id=dd0530c2-0dfa-4a0b-94bc-31c86cfaf74d&redirect_uri=https%3A%2F%2Fmycanvas.com2Flogin%2Foauth2%2Fcallback&response_type=code&scope=openid+userid&state=[****]
> 2016-04-04T12:37:22Z 15489 Completed 302 Found in 8ms (ActiveRecord: 1.1ms)
> 2016-04-04T12:37:35Z 15489 Started GET "/login/oauth2/callback?code=[****]&state=[****]" for [****] at 2016-04-04 14:37:35 +0200
> 2016-04-04T12:37:35Z 15489 Processing by Login::Oauth2Controller#create as HTML
> 2016-04-04T12:37:35Z 15489 Parameters: {"code"=>"[****]", "state"=>"[****]"}
> 2016-04-04T12:37:35Z 15489 SQL AccountAuthorizationConfig Load (0.7ms) SELECT "account_authorization_configs".* FROM "account_authorization_configs" WHERE "account_authorization_configs"."id" = 5 LIMIT 1 [["id", 5]] [production:1 master]
> 2016-04-04T12:37:35Z 15489 Received OAuth2 login for unknown user: [], redirecting to: https://mycanvas.com/login.
> 2016-04-04T12:37:35Z 15489 Redirected to https://mycanvas.com/login

I don't see any trace of token endpoint either here or in the log. I
don't have access to the provider's logs so I don't know for sure.

I think the simplesaml you see is just a part of the path the provider
uses (it is a service in pilot for edu related customers on a national
level). Not sure though, but I use the info provided me by the service.

Thanks again.

Olav
> <http://myprovider.com/login.php?asLen=905&AuthState=[****]> 200
> https://myprovider.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
> <http://myprovider.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp>
> <http://myprovider.com/oauth/authorization?client_id=[****]&redirect_uri=https%3A%2F%2Fmycanvas.com%2Flogin%2Foauth2%2Fcallback&response_type=code&scope=openid+userid&state=[****]>
> <http://mycanvas.com/login/oauth2/callback?code=[****]&state=[****]> 302
> (shouldn't token endpoint behere?)
> https://mycanvas.com/login <http://mycanvas.com/login> 200
> |
>
>
> So no use of "https://myprovider.com/oauth/token" at all


--

Best regards,
Olav Bringedal

Cody Cutrer
Apr 5, 2016, 10:45:01 AM
to canvas-l...@googlegroups.com
Olav,

Ah, `Received OAuth2 login for unknown user: []` is the key point of that log. It successfully exchanged the code for an access token, but the id_token embedded in the access_token did not contain any information (presumably in the `sub` field, unless you explicitly set the Login Attribute when you configured the OpenID Connect provider in Canvas). Because there wasn't a different error before that, we can assume that the id_token field does exist, and is a valid JWT. You can investigate further by adding `Rails.logger.info(jwt.inspect)` before the current line 54 (`jwt[login_attribute]`) of app/models/account_authorization_configs/open_id_connect.rb, restarting your server, and then trying again.

Cody Cutrer
Software Engineer
Instructure

Olav Bringedal
Apr 8, 2016, 3:23:29 AM
to Canvas LMS Users
Thanks, that got me a step further.

The debug gave me: 

2016-04-08T07:14:20Z 8265 {"iss"=>"https://auth.myprovider.com", "aud"=>"one_hash", "sub"=>"another_hash", "iat"=>1460099662, "exp"=>1460103262, "auth_time"=>1460099662}

which is the JWT from the auth endpoint. I have enabled scope userid in the provider setup and also set that in the Canvas config (see OP), but isn't that returned by the token endpoint and not auth? Or have I misunderstood the flow?


Olav


Cody Cutrer
Apr 8, 2016, 1:50:42 PM
to canvas-l...@googlegroups.com
Olav,

Is "another_hash" a string literal of another_hash, or is a hash that you sanitized? Cause if it's actually a hash, then yes, Canvas won't understand it. I've yet to run into a provider that doesn't give a string for the `sub` value. As for the scope of `userid`, it is totally dependent on your provider what additional scopes will do, and if they'll enable additional fields to be returned in the id_token, or if they just grant access to additional endpoints. OpenID Connect doesn't specify any of that. Of the existing OpenID Connect providers that Canvas is preconfigured for (Microsoft, Google), adding an additional scope causes additional keys to be added to the id_token itself (and not nested under the `sub` attribute). You can go look at the spec and see that `sub` _must_ be a case sensitive string value: http://openid.net/specs/openid-connect-core-1_0.html#IDToken, so if your provider is giving a Hash there, it is not valid OpenID Connect, and Canvas won't support it with the generic implementation. It should be simple enough to add a special case provider to Canvas though, inheriting from AccountAuthorizationConfig::OpenIDConnect, and overriding the unique_id method to handle the idiosyncrasies of your provider. Depending on who/what software your provider actually is, such a specialization may be a candidate for inclusion into the regular version of Canvas. https://github.com/instructure/canvas-lms/commit/34caff40e3ba1e6148084dd8e491a11442460e70 gives a reasonable example of doing so.

Cody Cutrer
Software Engineer
Instructure
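The ID token rules Cody cites (a REQUIRED `sub` that must be a case-sensitive string, plus the issuer, audience and expiry checks every relying party has to make) can be shown in a few dozen lines. The following is an added example and not Canvas code: the module name, the constructed client secret, issuer, client id and subject are all placeholders. The token is HS256-signed with the client secret so the example runs offline; most providers sign ID tokens with RS256 and publish keys at a JWKS URL, which changes only the signature step. The `unique_id` helper mirrors the thread's `login_attribute` idea and returns nil for a claim the token does not carry, which is the situation behind the "unknown user: []" log line earlier in the thread.

```ruby
require "openssl"
require "base64"
require "json"

# Added example, not Canvas code: verify an OpenID Connect ID token and apply
# the ID Token rules cited in the thread (OpenID Connect Core 1.0, section 2:
# sub is a REQUIRED, case-sensitive string; section 3.1.3.7: iss, aud, exp).
module IdTokenCheck
  class Invalid < StandardError; end

  # Constructed values for the demo (placeholders, not real identifiers).
  SECRET    = "constructed-client-secret"
  ISSUER    = "https://auth.example.test"
  CLIENT_ID = "client-id-placeholder"
  NOW       = 1_460_100_000 # fixed clock so the checks are reproducible
  SUBJECT   = "9f70f418-0000-4000-8000-000000000000"

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Compare two strings without leaking where they first differ.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Build a compact JWS; used here only to construct test input.
  def self.build(claims, secret)
    header  = b64url(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
    payload = b64url(JSON.generate(claims))
    sig     = OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{payload}")
    "#{header}.#{payload}.#{b64url(sig)}"
  end

  # A well-formed sample token (constructed).
  def self.sample_token
    build({ "iss" => ISSUER, "aud" => CLIENT_ID, "sub" => SUBJECT,
            "iat" => NOW - 60, "exp" => NOW + 3600, "auth_time" => NOW - 60 }, SECRET)
  end

  # Returns the verified claims, or raises Invalid naming the first failed check.
  def self.verify(token, secret, issuer:, client_id:, now: Time.now.to_i)
    header_b64, payload_b64, sig_b64 = token.split(".", 3)
    raise Invalid, "malformed token" if sig_b64.nil? || sig_b64.empty?

    header = JSON.parse(Base64.urlsafe_decode64(header_b64))
    # Pin the algorithm: never let the token choose it (this also rejects "none").
    raise Invalid, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "HS256"

    expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
    raise Invalid, "bad signature" unless secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))

    claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
    raise Invalid, "issuer mismatch" unless claims["iss"] == issuer
    raise Invalid, "audience mismatch" unless Array(claims["aud"]).include?(client_id)
    raise Invalid, "token expired" unless claims["exp"].is_a?(Integer) && now < claims["exp"]

    sub = claims["sub"]
    raise Invalid, "sub must be a non-empty string, got #{sub.class}" unless sub.is_a?(String) && !sub.empty?
    claims
  rescue ArgumentError, JSON::ParserError => e
    raise Invalid, "undecodable token: #{e.message}"
  end

  # The thread's login_attribute idea: the claim that names the user, defaulting
  # to sub. Returns nil when the claim is missing or not a string.
  def self.unique_id(claims, login_attribute = "sub")
    value = claims[login_attribute]
    value.is_a?(String) && !value.empty? ? value : nil
  end
end

if $PROGRAM_NAME == __FILE__
  claims = IdTokenCheck.verify(IdTokenCheck.sample_token, IdTokenCheck::SECRET,
                               issuer: IdTokenCheck::ISSUER, client_id: IdTokenCheck::CLIENT_ID,
                               now: IdTokenCheck::NOW)
  puts "sub:    #{IdTokenCheck.unique_id(claims).inspect}"
  puts "userid: #{IdTokenCheck.unique_id(claims, 'userid').inspect}"
end
```

Run as a script it prints the `sub` and then `nil` for `userid`, because the constructed token, like the one Olav posted, carries no `userid` claim; a provider that nests the identifier in a hash under `sub` fails the final check rather than being silently accepted.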


Andreas Åkre Solberg
Apr 12, 2016, 9:39:36 AM
to Canvas LMS Users

On Friday, April 8, 2016 at 7:50:42 PM UTC+2, Cody Cutrer wrote:
> Olav,
>
> Is "another_hash" a string literal of another_hash, or is a hash that you sanitized? Cause if it's actually a hash, then yes, Canvas won't understand it. I've yet to run into a provider that doesn't give a string for the `sub` value. As for the scope of `userid`, it is totally dependent on your provider what additional scopes will do, and if they'll enable additional fields to be returned in the id_token, or if they just grant access to additional endpoints. OpenID Connect doesn't specify any of that. Of the existing OpenID Connect providers that Canvas is preconfigured for (Microsoft, Google), adding an additional scope causes additional keys to be added to the id_token itself (and not nested under the `sub` attribute). You can go look at the spec and see that `sub` _must_ be a case sensitive string value: http://openid.net/specs/openid-connect-core-1_0.html#IDToken, so if your provider is giving a Hash there, it is not valid OpenID Connect, and Canvas won't support it with the generic implementation. It should be simple enough to add a special case provider to Canvas though, inheriting from AccountAuthorizationConfig::OpenIDConnect, and overriding the unique_id method to handle the idiosyncrasies of your provider. Depending on who/what software your provider actually is, such a specialization may be a candidate for inclusion into the regular version of Canvas. https://github.com/instructure/canvas-lms/commit/34caff40e3ba1e6148084dd8e491a11442460e70 gives a reasonable example of doing so.


Dataporten provides a UUIDv4 represented as a JSON string as the sub value. For example, it may look like this:

{
  "iss": "https://auth.dataporten.no",
  "aud": "a75e5743-afcb-4948-b91e-1731b7708092",
  "sub": "9f70f418-3a75-4617-8375-883ab6c2b0af",
  "iat": 1457355586,
  "exp": 1457359186,
  "auth_time": 1457349875
}

As far as I understand, an ASCII string like this is valid according to the OpenID Connect spec.

I do not know anything about Canvas, so I'm sorry if this question is not relevant:

Is the openid connect authentication module attempting to use the IDToken:sub value as a userid, and then provision the user from that? 

Olav's configuration sample says:
"login_attribute":"userid",
"jit_provisioning":false


I can imagine that just-in-time provisioning needs to be set to true for Canvas to allow users whose userid is not already populated in the local user store.
Maybe login_attribute should be set to "sub", in order to populate users from IDToken:sub.

To what extent does Canvas support other attributes to represent the UserID? Does it support looking up a userinfo endpoint using the OAuth access token?
Or is the login_attribute limited to represent properties within the ID token?

Andreas

Cody Cutrer
Apr 12, 2016, 11:22:34 AM
to canvas-l...@googlegroups.com
Yes, that does look like a valid id_token. You are correct in how jit_provisioning works (automatically creating users in Canvas if they don't already exist). But your login_attribute should probably be "sub", not "userid". The login_attribute tells Canvas which field of the ID token to use to look up the user in Canvas. And no, it does not support querying any other endpoint after getting the access token - that would not be OpenID Connect. If you need to do that, you need to create a custom provider in Canvas that will do that extra lookup (like all of the other OAuth2 providers, such as Facebook and LinkedIn, which are OAuth2, but not OpenID Connect).

Cody Cutrer
Software Engineer
Instructure


Olav Bringedal
Jun 30, 2016, 8:25:23 AM
to Canvas LMS Users
Hi 

In our case sec has no useful info as it cannot be correlated to a person. 

The OpenID Connect spec allows for the use of a userinfo endpoint:

Even if it is a bit cumbersome to use just to have an email/userid, I think it should be considered to be included.

Olav Bringedal

Cody Cutrer
Jun 30, 2016, 1:39:28 PM
to canvas-l...@googlegroups.com
Olav,

It's possible Canvas will support the userinfo endpoint in the future. I've been working on some new features for other login providers, where the userinfo endpoint would be the logical analog with OpenID Connect. Once the rest of the stuff I've been working on gets merged in, I'll see if I can sneak in userinfo support for OpenID Connect.

Cody Cutrer
Software Engineer
Instructure

Olav Bringedal
Jul 1, 2016, 1:39:18 AM
to Canvas LMS Users
Excellent. Thank you!

Cody Cutrer
Jul 18, 2016, 12:11:32 PM
to Canvas LMS Users
Olav,

I'm reviewing the OpenID spec in preparation for adding userinfo support. My original understanding was correct: http://openid.net/specs/openid-connect-core-1_0.html#IDToken The ID Token MUST provide a sub, and the sub MUST be unique, and MUST NOT be reassigned (i.e. it must correlate to the same person every time). So either you're referring to a different type of correlation (you don't know how to correlate the sub that your OpenID Connect server is generating for users to the userid that your other systems know about), or your server is out of spec (generating a new, random sub each time a user logs in).

Cody Cutrer
Software Engineer
Instructure


Message has been deleted

Olav Bringedal
Dec 7, 2016, 8:24:27 AM
to Canvas LMS Users
Hi, I see my last message was deleted. Was that intentional?

Simon Williams
Dec 7, 2016, 11:22:37 AM
to canvas-l...@googlegroups.com
Hi Olav,

One of your previous messages was flagged as spam, but I released it on Dec 2 and it showed up for me.  I don’t see any new pending messages, but feel free to re-send it if you’d like.

Simon

Olav Bringedal
Dec 8, 2016, 7:49:46 AM
to Canvas LMS Users
Sorry, it only says "This message has been deleted." to me.

Olav Bringedal
Dec 22, 2016, 2:13:35 AM
to Canvas LMS Users
Hi 

Thank you for putting in the endpoint support (and not least; explaining the sub problem for me)!

However, we still have a problem with the endpoint's connection to "login_attribute". After the token and endpoint merge it looks like this:
aud: 74***********************a6
sub: 66***********************4f
iat: 1480511944
exp: 1480515544
auth_time: 1480497941
user: 
  userid_sec: []
  userid: 66***********************4f
  email: Olav.Bringedal@**********.**
audience: 74***********************a6

My question is, how do I refer to 'user/email' as login_attribute in the AccountAuthorizationConfig? I tried just putting in the hash user['email'], but that didn't seem to compute :-)

Thanks again

Olav Bringedal 
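Whether Canvas accepts a nested path like user/email as login_attribute is not settled in this thread. What a relying party has to do when it folds a userinfo response into the verified ID token claims, and how a slash-separated attribute path can then be resolved against the merged hash, is shown below as an added example that is not Canvas code. The claim layout is constructed to mirror the dump above with placeholder values; the module, `PROTECTED` list and function names are this example's own. The one check that matters for security is the first one: OpenID Connect Core 1.0 section 5.3.2 requires the client to verify that the `sub` in the userinfo response equals the ID token's `sub` before trusting anything else in it.

```ruby
require "json"

# Added example, not Canvas code: combine verified ID token claims with a
# userinfo response and resolve a nested login_attribute such as "user/email".
module ClaimMerge
  class SubjectMismatch < StandardError; end

  # Claims the ID token already established; the userinfo response must not be
  # allowed to overwrite them.
  PROTECTED = %w[iss aud exp iat auth_time nonce].freeze

  # Constructed to mirror the thread's dump; values are placeholders.
  ID_TOKEN_CLAIMS = {
    "iss" => "https://auth.example.test", "aud" => "aud-placeholder",
    "sub" => "66-placeholder-4f", "iat" => 1_480_511_944, "exp" => 1_480_515_544,
    "auth_time" => 1_480_497_941
  }.freeze

  USERINFO = {
    "sub" => "66-placeholder-4f",
    "user" => { "userid_sec" => [], "userid" => "66-placeholder-4f", "email" => "user@example.test" },
    "audience" => "aud-placeholder"
  }.freeze

  # OpenID Connect Core 1.0, section 5.3.2: the client MUST verify that the sub
  # in the UserInfo response matches the ID Token's sub before using it.
  def self.merge(id_token_claims, userinfo)
    unless userinfo["sub"].is_a?(String) && userinfo["sub"] == id_token_claims["sub"]
      raise SubjectMismatch, "userinfo sub #{userinfo['sub'].inspect} does not match id_token sub"
    end
    extra = userinfo.reject { |key, _| PROTECTED.include?(key) }
    id_token_claims.merge(extra)
  end

  # Walk a slash-separated path through nested hashes. Returns nil when any
  # segment is missing or an intermediate value is not a hash.
  def self.resolve(claims, login_attribute)
    login_attribute.split("/").reduce(claims) do |node, key|
      return nil unless node.is_a?(Hash) && node.key?(key)
      node[key]
    end
  end

  # Login identifier as the thread uses it: the resolved attribute if it is a
  # non-empty string, else nil (arrays such as userid_sec are not identifiers).
  def self.login_id(claims, login_attribute)
    value = resolve(claims, login_attribute)
    value.is_a?(String) && !value.empty? ? value : nil
  end
end

if $PROGRAM_NAME == __FILE__
  merged = ClaimMerge.merge(ClaimMerge::ID_TOKEN_CLAIMS, ClaimMerge::USERINFO)
  puts JSON.pretty_generate(merged)
  puts "user/email -> #{ClaimMerge.login_id(merged, 'user/email').inspect}"
end
```

Keeping `exp`, `aud` and the other verified claims out of the merge matters because the userinfo response is fetched with a bearer token over a separate HTTP exchange and is not itself signed; it should be allowed to add attributes, never to change what the ID token already proved.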
