DicomWeb is not officially supported in XNAT yet. That support is currently in development, but I don’t know what the timeframe is for releasing it. Early 2022, I hope, but the person who was developing that recently retired and we haven’t been able to hire a replacement.
I don’t know how I missed the discussion group post in #2, but, presuming you mean the second error (fixing the first one is, as mentioned in that post, a matter of making sure the properties in the configuration file are in the form ${provider.method}.${provider.id}.propertyName), then I can tell you that your provider is misconfigured somehow, but it’s very hard to say how it’s misconfigured. That error comes from the OpenID resource server, not XNAT or the plugin:
error="access_denied", error_description="Error requesting access token."
at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:149)
at au.edu.qcif.xnat.auth.openid.pkce.PkceAuthorizationCodeAccessTokenProvider.obtainAccessToken(PkceAuthorizationCodeAccessTokenProvider.java:58)
…
Caused by: org.springframework.web.client.HttpClientErrorException: 401 null
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:108)
at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport$AccessTokenErrorHandler.handleError(OAuth2AccessTokenSupport.java:250)
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:709)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:662)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:630)
at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:141)
... 57 more
What you’re seeing there is the underlying Spring Security framework calling the endpoint defined in the property openid.${providerId}.userAuthUri and getting a 401 Unauthorized response. Why? I can’t say because OpenID providers can vary a lot, but the primary suspects would be invalid values for one or more of the following properties:
We don’t have a tool for OpenID similar to the ValidateLdap Groovy script in the LDAP authentication provider plugin, which can use the property settings in your provider properties to try to authenticate and let you test the property values without having to restart XNAT each time. You can try double-checking the following settings:
You can also try something like this or this.
Sorry I can’t be more helpful on this but configuring authentication providers is almost always difficult because of the fact that we don’t have any control over the variations in implementations and requirements for external services. OpenID is even more problematic than, e.g., LDAP because the “standards” vary wildly across versions and are not very explicit and so vary even when different providers supposedly support the same version and type of authentication/authorization.
--
Rick Herrick
XNAT Architect/Developer
Computational Imaging Laboratory
Washington University School of Medicine
From: xnat_di...@googlegroups.com <xnat_di...@googlegroups.com> on behalf of Nelson Gillo <ngil...@gmail.com>
Date: Friday, December 3, 2021 at 10:02 AM
To: xnat_discussion <xnat_di...@googlegroups.com>
Subject: [XNAT Discussion] DicomWeb, OpenID for 1.8.3 and Github vs BitBucket
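Since the reply above notes there is no ValidateLdap-style tool for OpenID, one way to test client credentials outside XNAT is to send the token endpoint a request with a deliberately bogus authorization code and read the error it returns. This is an added example, not part of the original message or of the XNAT OpenID plugin; the function names and the example.org values are hypothetical, and the interpretation follows the error codes in RFC 6749 section 5.2, which individual providers may not follow exactly.

```python
import base64, json, urllib.error, urllib.request
from urllib.parse import quote, urlencode

def build_probe(token_uri, client_id, client_secret, redirect_uri, basic=True):
    """Token request with a deliberately bogus code: only client auth is tested."""
    form = {"grant_type": "authorization_code", "code": "bogus-probe-code",
            "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if basic:  # client_secret_basic: credentials in the Authorization header
        pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:      # client_secret_post: credentials in the form body
        form.update(client_id=client_id, client_secret=client_secret)
    return urllib.request.Request(token_uri, urlencode(form).encode(), headers)

def send(request):
    """Return (status, body); urllib raises on 4xx, so unwrap the error."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify(status, body):
    """Interpret the reply using the error codes of RFC 6749 section 5.2."""
    try:
        error = json.loads(body or "{}").get("error")
    except (ValueError, AttributeError):
        error = None
    if status == 401 or error == "invalid_client":
        return "client_auth_rejected"    # wrong ID/secret, or wrong auth style
    if error == "invalid_grant":
        return "client_auth_accepted"    # only the bogus code was refused
    if error == "unauthorized_client":
        return "grant_type_not_allowed"  # client not enabled for the code flow
    if status in (404, 405):
        return "wrong_token_uri"
    return "inconclusive"

if __name__ == "__main__":
    # Constructed placeholders: substitute the values from your provider properties.
    probe = build_probe("https://idp.example.org/oauth/token", "my-client-id",
                        "my-client-secret", "https://xnat.example.org/REDIRECT-PATH")
    print(classify(*send(probe)))
```

If the Basic-header probe is rejected, rerunning with `basic=False` shows whether the provider expects the credentials in the form body instead.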
Oh, I forgot to answer your third question. We have some stuff in GitHub because either we inherited stuff there, e.g. pyxnat was developed outside of our lab and we just forked from that repository, or because a few projects got started there and it was difficult to move them back over to Bitbucket.
But, other than pyxnat and the deprecated pipeline engine, just about all of our current development is on Bitbucket.