Oauth2 reply URL AzureAD - cannot get oauth data

351 views
Skip to first unread message

bjornf

unread,
Sep 27, 2020, 1:11:49 AM9/27/20
to Thruk
Hi,

Would the redirect/reply-URL for Thruk be https://<whateverisused>/thruk/cgi-bin/login.cgi?

This is what I've configured.  However Thruk is giving me "cannot get oauth data" after IDP/AzureAD login. 

Regards, Bjorn

bjornf

unread,
Sep 27, 2020, 2:23:05 AM9/27/20
to Thruk
When trying with below config I get a "HASH(0x3bbdd48)"  error instead.  Not sure if the API URL is correct. 

<auth_oauth>
  <provider name>
    login         = "Login with AzureAD"
    client_id     = <client id>
    client_secret = <secret> 
    scopes        = openid profile email
    auth_url      = https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/authorize
    token_url     = https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
    api_url       = https://graph.microsoft.com/.default
    login_field   = email
  </provider>
</auth_oauth>

[2020/09/27 08:06:59][xxxxxx][ERROR] ***************************
[2020/09/27 08:06:59][xxxxxx][ERROR] page:    https://xxxxxxxx/thruk/cgi-bin/login.cgi?code=0.AAAA60zokv37q0e-UggMa4eVPxb1ESoctMZBki2Xi4NuELERAC8.AQABAAIAAAB2UyzwtQEKR7-rWbgdcBZINaIlTCQQV_3Nr_zUMop7IQLrBPkx0pkqRXevw7wddgqg0uVmRuIn2mrozLKf8GvorTDCYiISXP-goocIHaZeR_Cna4BTxemLVbwGjtwnw1pyHw0WLMCH1AhcYNRtUNVNJZxDVh_GcIzw14pOOF0wUPnmhdzf_SrnGAgNWE1QwFaroxbHIN4Bdo17PDbXM7_YlccUDKWku9TY6nkCYDi8uQrgi6yahbqgU25eTmhSBf-GgXlaYl6Yl2gNoalQCKoKX7MJmF6FtkwqLhrPZO2NOm3mtZNMmaXvTB8yGQIFmEBwMv4CWk8DmVbMPBadkdK7j-y_x2CSZQn3I758e9XVOwK0V6F_337TQsdkGYAXuBgpmdhXrEe7jAuRSvNNSfkv-iyPWQkO88lcmXIk_pRw7tNxZ2dQLhNTWqJ1gQ_c5vxEV-UYg4Dfa_NXYQx06QQtvb82JVlexH72qVqusHenSEpRz6uMksKpo21xohHQN9IBR7l2rn9uYG5J2SUbQ7YofZf7o2_p8n9w0fR7Re6FrzfDB6QMPcZQLRDvyAbPw9K0aXi88cq2F3Eo0jxMk_C1GOZpWupfqr9IxbBYYsAGFTZGcQORCvTfGbauCiarzCzQJjQyGO7sGE-_WHQfV767g_YR_xwYfz4NAgM52QzHlSqZGQYBwqLoTFhQFEkpUJn8xJeyGq9aVL06xwLo4wa8CLb6yZA5Cta5k3o1v6pd8AynI7YcU9Z8YXC5phk3glEBYKcdUiu09GZnB1oziI2s8LcM-M37OPncXTpQnIcSlaDhmxwvvagbnzp582t3sO1ReGwbqNq-Htoj3Hhoct366ALLj-5wpJyqe8XOT7KRgdG0Ejf0ClB2retwhRHmXDUgAA&state=395338a5039babecf0b0e9dc51b33fd7280b298477eda86db3b2aa09618109ab_1&session_state=1afa71b8-bcfd-4a1a-94a6-61e5e9c9b6cb
[2020/09/27 08:06:59][xxxxxxxx][ERROR] params:  {'code' => '0.AAAA60zokv37q0e-UggMa4eVPxb1ESoctMZBki2Xi4NuELERAC8.AQABAAIAAAB2UyzwtQEKR7-rWbgdcBZINaIlTCQQV_3Nr_zUMop7IQLrBPkx0pkqRXevw7wddgqg0uVmRuIn2mrozLKf8GvorTDCYiISXP-goocIHaZeR_Cna4BTxemLVbwGjtwnw1pyHw0WLMCH1AhcYNRtUNVNJZxDVh_GcIzw14pOOF0wU...
[2020/09/27 08:06:59][xxxxx][ERROR] user:    ?
[2020/09/27 08:06:59][xxxxx][ERROR] address: <ip address>
[2020/09/27 08:06:59][xxxxx][ERROR] time:    0.6s
[2020/09/27 08:06:59][xxxxx][ERROR] HASH(0x3bbdd48)
[2020/09/27 08:06:59][xxxxx][ERROR] ***************************

bjornf

unread,
Sep 28, 2020, 1:36:58 AM9/28/20
to Thruk
Having a giving conversation with myself here ;-) Anyway, OAUTH2 works fine now.  The API URL should be be:


For AzureAD.....

Sven Nierlein

unread,
Sep 28, 2020, 2:52:36 AM9/28/20
to th...@googlegroups.com, bjornf
Hi,

great to hear its working now. Let me know if there is anything we can improve in the documenation. Maybe we could
add more examples or a dedicated page to authentication methods.

Cheers,
 Sven
> --
> You received this message because you are subscribed to the Google Groups "Thruk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to thruk+un...@googlegroups.com <mailto:thruk+un...@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/thruk/53e779b6-cdaa-40f5-8fd9-7af49a382d84n%40googlegroups.com <https://groups.google.com/d/msgid/thruk/53e779b6-cdaa-40f5-8fd9-7af49a382d84n%40googlegroups.com?utm_medium=email&utm_source=footer>.


bjornf

unread,
Oct 16, 2020, 11:29:51 AM10/16/20
to Thruk
Hi,

Related to oauth2. I know you can use API keys for the Thruk API but I suppose those only work towards the API. Am I forced to have service accounts in the IDP to use like the "view_mode=json" from the non API(status.cgi)? I guess it would be nice if the API keys could be used towards there as well. Any other options when OAUTH2 is enabled for scripts that need to fetch info from Thruk? 

Seems a bit easier to know the URL/query for the "normal" Thruk GUI than the API.  You can filter your way in the GUI and copy that URL, e.g.:

Regards, Bjorn

Sven Nierlein

unread,
Oct 16, 2020, 11:37:41 AM10/16/20
to th...@googlegroups.com, bjornf
Hi,

api keys should work on "normal" non api pages as well. Depending on your apache config, it might be a bit tricky.
See an example on how this could look like:
https://github.com/ConSol/omd/blob/labs/packages/thruk/skel/etc/thruk/apache_cookie_auth_sso-support.conf#L6-L7
Basically you need to bypass apache authorization things if there is either a cookie or a authorization header set.
Thruk will check and authorize them later.

Cheers,
 Sven
> To view this discussion on the web visit https://groups.google.com/d/msgid/thruk/30e90993-4282-4e42-8dc7-191a4464b31bn%40googlegroups.com <https://groups.google.com/d/msgid/thruk/30e90993-4282-4e42-8dc7-191a4464b31bn%40googlegroups.com?utm_medium=email&utm_source=footer>.


bjornf

unread,
Oct 17, 2020, 3:47:42 AM10/17/20
to Thruk
Hi,

It appears the authentication is no obvious issue. However, I seem to get no data. No error logging from what I can see either.  The same URL works fine via full browser. 

curl -s -H "X-Thruk-Auth-Key: xxxxxxxxxx" 'https://x.x.x.x/thruk/cgi-bin/status.cgi?format=json'
[
   {
      "data" : [],
      "name" : "hosts",
      "total" : 0,
      "total_none_uniq" : 0
   },
   {
      "data" : [],
      "name" : "hostgroups",
      "total_none_uniq" : 0
   },
   {
      "data" : [],
      "name" : "servicegroups",
      "total_none_uniq" : 0
   },
   {
      "data" : [],
      "name" : "services",
      "total" : 0,
      "total_none_uniq" : 0
   }
]

Sven Nierlein

unread,
Oct 19, 2020, 7:23:55 AM10/19/20
to th...@googlegroups.com, bjornf
Hi,

Might be a permission issue. You can use the rest url: '/thruk/r/thruk/whoami' to find information about which user this key belongs to and which roles come with it.
Also note, that the url status.cgi?format=json is used mainly from the sidebar search and does not contain the full list of objects.

Cheers,
 Sven
> --
> You received this message because you are subscribed to the Google Groups "Thruk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to thruk+un...@googlegroups.com <mailto:thruk+un...@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/thruk/e08f3c67-c127-4346-9e39-160bc27c037an%40googlegroups.com <https://groups.google.com/d/msgid/thruk/e08f3c67-c127-4346-9e39-160bc27c037an%40googlegroups.com?utm_medium=email&utm_source=footer>.

bjornf

unread,
Oct 20, 2020, 7:34:39 AM10/20/20
to Thruk
Thanks for the hint Sven.  Seems I misunderstood "authorized_for_read_only". Only that permission will not be enough:

authorized_for_read_only

A comma-delimited list of usernames that have read-only rights in the CGIs. This will block any service or host commands normally shown on the extinfo CGI pages. It will also block comments from being shown to read-only users.

Used:
authorized_for_all_host_commands,
authorized_for_all_hosts,
authorized_for_all_service_commands,
authorized_for_all_services,
authorized_for_read_only 

For the API key permissions and then it worked.

Regards, Bjorn

Sven Nierlein

unread,
Oct 20, 2020, 7:43:10 AM10/20/20
to th...@googlegroups.com, bjornf
Hi,

right, authorized_for_read_only does not authorize for anything. Except it will turn everything you are already authorized so far into readonly.
So the listed roles contradict each other. Basically the readonly will remove the all_commands roles. I guess what you want is:

> authorized_for_all_hosts,
> authorized_for_all_services,
> authorized_for_read_only

This will give the api key access to all hosts and services without commands.

Cheers,
Sven


On 20.10.20 13:34, bjornf wrote:
> Thanks for the hint Sven.  Seems I misunderstood "authorized_for_read_only". Only that permission will not be enough:
>
> /*authorized_for_read_only*/
>
> /*A comma-delimited list of usernames that have read-only rights in the CGIs. This will block any service or host commands normally shown on the extinfo CGI pages. It will also block comments from being shown to read-only users.*/
> To view this discussion on the web visit https://groups.google.com/d/msgid/thruk/83c3fb35-476f-4eda-8a55-f483548a790fn%40googlegroups.com <https://groups.google.com/d/msgid/thruk/83c3fb35-476f-4eda-8a55-f483548a790fn%40googlegroups.com?utm_medium=email&utm_source=footer>.

Message has been deleted

bjornf

unread,
Oct 20, 2020, 7:57:08 AM10/20/20
to Thruk
However, started seeing another error all of a sudden. Certificate validation fails for https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/token. However, using e.g. curl from Linux OS to that URL gives no certificate errors.

Not sure if this is something related to Thruk version 2.38. Used to have 2.36.

Btw, should not LWP/Protocol/https.pm be used?

[ERROR] SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/lib64/thruk/perl5/LWP/Protocol/http.pm line 50.
[2020/10/20 13:41:29][][ERROR] ',
[2020/10/20 13:41:29][][ERROR]                             '_headers' => bless( {
[2020/10/20 13:41:29][][ERROR]                                                    '::std_case' => {
[2020/10/20 13:41:29][][ERROR]                                                                      'client-date' => 'Client-Date',
[2020/10/20 13:41:29][][ERROR]                                                                      'client-warning' => 'Client-Warning'
[2020/10/20 13:41:29][][ERROR]                                                                    },
[2020/10/20 13:41:29][][ERROR]                                                    'client-date' => 'Tue, 20 Oct 2020 11:41:29 GMT',
[2020/10/20 13:41:29][][ERROR]                                                    'client-warning' => 'Internal response',
[2020/10/20 13:41:29][][ERROR]                                                    'content-type' => 'text/plain'
[2020/10/20 13:41:29][][ERROR]                                                  }, 'HTTP::Headers' ),
[2020/10/20 13:41:29][][ERROR]                             '_msg' => 'Can\'t connect to login.microsoftonline.com:443 (certificate verify failed)',
[2020/10/20 13:41:29][][ERROR]                             '_rc' => 500,
[2020/10/20 13:41:29][][ERROR]                                                    '_headers' => bless( {
[2020/10/20 13:41:29][][ERROR]                                                                           'accept' => 'application/json',
[2020/10/20 13:41:29][][ERROR]                                                                           'content-length' => 1101,
[2020/10/20 13:41:29][][ERROR]                                                                           'content-type' => 'application/x-www-form-urlencoded',
[2020/10/20 13:41:29][][ERROR]                                                                           'user-agent' => 'thruk'
[2020/10/20 13:41:29][][ERROR]                                                                         }, 'HTTP::Headers' ),
[2020/10/20 13:41:29][][ERROR]                                                    '_method' => 'POST',
[2020/10/20 13:41:29][][ERROR]                                                    '_uri' => bless( do{\(my $o = 'https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/token')}, 'URI::https' )
[2020/10/20 13:41:29][][ERROR]                                                  }, 'HTTP::Request' )
[2020/10/20 13:41:29][][ERROR]                           }, 'HTTP::Response' )
[2020/10/20 13:41:29][][ERROR]         };

Sven Nierlein

unread,
Oct 20, 2020, 8:00:01 AM10/20/20
to th...@googlegroups.com, bjornf
SSL Options have been changed latetly and i had to fix something again since the 2.38 release.
I possibly, try the nightly. There is "ssl_ca_path" and "ssl_ca_file" now. One of them
should work in any way. If none of them is set and "Mozilla::CA" is installed, it will
use that.


On 20.10.20 13:55, bjornf wrote:
> However, started seeing another error all of a sudden. Certificate validation fails for https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/token. However, using e.g. curl from Linux OS to that URL gives no certificate errors. 
>
> Not sure if this is something related to Thruk version 2.38. Used to have 2.36. 
>
> Btw, should not LWP/Protocol/https.pm be used?
>
> [ERROR] SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/lib64/thruk/perl5/LWP/Protocol/http.pm line 50.
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR] ',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                             '_headers' => bless( {
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    '::std_case' => {
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                      'client-date' => 'Client-Date',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                      'client-warning' => 'Client-Warning'
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                    },
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    'client-date' => 'Tue, 20 Oct 2020 11:41:29 GMT',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    'client-warning' => 'Internal response',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    'content-type' => 'text/plain'
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                  }, 'HTTP::Headers' ),
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                             '_msg' => 'Can\'t connect to login.microsoftonline.com:443 (certificate verify failed)',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                             '_rc' => 500,
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    '_headers' => bless( {
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                           'accept' => 'application/json',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                           'content-length' => 1101,
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                           'content-type' => 'application/x-www-form-urlencoded',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                           'user-agent' => 'thruk'
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                                         }, 'HTTP::Headers' ),
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    '_method' => 'POST',
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                    '_uri' => bless( do{\(my $o = 'https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/token')}, 'URI::https' )
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                                                  }, 'HTTP::Request' )
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]                           }, 'HTTP::Response' )
> [2020/10/20 13:41:29][sesblx24.mgmt.ericsson.se][ERROR]         };
>
> On Tuesday, October 20, 2020 at 1:34:39 PM UTC+2 bjornf wrote:
>
> Thanks for the hint Sven.  Seems I misunderstood "authorized_for_read_only". Only that permission will not be enough:
>
> /*authorized_for_read_only*/
>
> /*A comma-delimited list of usernames that have read-only rights in the CGIs. This will block any service or host commands normally shown on the extinfo CGI pages. It will also block comments from being shown to read-only users.*/
> To view this discussion on the web visit https://groups.google.com/d/msgid/thruk/36088cc4-2185-4df6-9fef-6c2a1d4c69d6n%40googlegroups.com <https://groups.google.com/d/msgid/thruk/36088cc4-2185-4df6-9fef-6c2a1d4c69d6n%40googlegroups.com?utm_medium=email&utm_source=footer>.

bjornf

unread,
Oct 21, 2020, 2:34:56 AM10/21/20
to Thruk
Hi,

Yes, version 2.39-20201019 works. It appears the perl module Mozilla:CA uses the "OS certificate trust":

In "/usr/share/perl5/vendor_perl/Mozilla/CA.pm":
sub SSL_ca_file {
    return File::Spec->catfile('/etc/pki/tls/certs/ca-bundle.crt');

Bruno Algarvio

unread,
Jun 30, 2023, 9:55:23 AM6/30/23
to Thruk
Hi @bjornf

I have the same issue using AzureAD and I have the same configurations as you but in my case I applied your fix in the api_url parameter but I still get the "cannot get oauth data"..

<auth_oauth>
 <provider 321>

    login         = "Login with AzureAD"
client_id     = <CLIENT_ID>
    client_secret = <CLIENT_SECRET>

    scopes        = openid profile email
    auth_url      = https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize
    token_url     = https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token

    login_field   = email
  </provider>
</auth_oauth>

Is there something that you did more in order to solve this error?

Some help would be appreciated :)


Thanks in advance!

BR,
Bruno

Björn Frostberg

unread,
Jun 30, 2023, 10:16:57 AM6/30/23
to th...@googlegroups.com
Hi,

Sorry, I moved behind Cloudflare(AzureAD integrated) and use HTTP header to get userinfo. Perhaps not super secure but if you make sure apache only listens on localhost with cloudflared it should be OK.

So, don't use Thruk's OAUTH module.

Regards, Bjorn

You received this message because you are subscribed to a topic in the Google Groups "Thruk" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/thruk/CTGDXyPBs9I/unsubscribe.
To unsubscribe from this group and all its topics, send an email to thruk+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/thruk/fd4d55cc-7ecf-4a1f-98b4-a7581304a8edn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages