OpenID plugin & XNAT 1.8.3

[Alex]

Hi,

I've been trying to get our development instance of XNAT 1.8.3 to work with the OpenID provider. I use the latest OpenID plugin (openid-auth-plugin-1.1.1-SNAPSHOT-xpl.jar). 

When I configured the plugin according to the instructions (https://australian-imaging-service.github.io/charts/operations/AAF-Integration.html) the plugin was throwing a NullPointerExcepton pointing to OpenIdAuthPlugin.java:228 every time I tried to initiate the OpenID authentication process. Below is the snippet of my configuration file, the exception and other relevant log files.

***********************************

In XNAT Settings:

Enabled Authentication Providers: localdb,openid

***********************************

openid-provider.properties:

# Needs to be 'openid'

auth.method=openid

type=openid

provider.id=openid

visible=true

auto.enabled=false

auto.verified=false

# Name displayed in the UI

name=UOpenID

# Toggle username & password login visibility

disableUsernamePasswordLogin=false

# List of providers that appear on the login page, see options below.

enabled=nu

# Site URL - the main domain, needed to build the pre-established URL below.

siteUrl=https://<url>.edu

preEstablishedRedirUri=/openid-login

# AAF OpenID

openid.nu.clientId=<...>

openid.nu.clientSecret=<...>

openid.nu.accessTokenUri=<...>

openid.nu.userAuthUri=<...>

openid.nu.userInfoUri=<...>

openid.nu.scopes=openid,profile,email

openid.nu.link=<p>To sign-in using your NU credentials, please click on the button below.</p><p><a href="/openid-login?providerId=openid"><img src="/images/btn_google_signin_light_normal_web.png" /></a></p>

***********************************

security.log:

2021-10-11 22:33:35,217 [http-nio-8080-exec-3] WARN  org.nrg.xnat.security.XnatProviderManager - The provider ID openid is enabled, but there is no configured definition for that ID

***********************************

11-Oct-2021 22:36:55.376 SEVERE [http-nio-8080-exec-2] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception

        org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'scopedTarget.createRestTemplate' defined in au.edu.qcif.xnat.auth.openid.OpenIdAuthPlugin: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.OAuth2RestTemplate]: Factory method 'createRestTemplate' threw exception; nested exception is java.lang.NullPointerException

                at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599)

                at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1176)

                at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1071)

                at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511)

                at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)

                at org.springframework.beans.factory.support.AbstractBeanFactory$2.getObject(AbstractBeanFactory.java:351)

                at org.springframework.web.context.request.AbstractRequestAttributesScope.get(AbstractRequestAttributesScope.java:44)

                at org.springframework.web.context.request.SessionScope.get(SessionScope.java:93)

                at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:346)

                at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)

                at org.springframework.aop.target.SimpleBeanTargetSource.getTarget(SimpleBeanTargetSource.java:35)

                at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.getTarget(CglibAopProxy.java:704)

                at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:654)

                at org.springframework.security.oauth2.client.OAuth2RestTemplate$$EnhancerBySpringCGLIB$$ffa34058.getAccessToken(<generated>)

                at au.edu.qcif.xnat.auth.openid.OpenIdConnectFilter.attemptAuthentication(OpenIdConnectFilter.java:109)

                at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:64)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)

                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)

                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

                at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:157)

                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

                at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)

                at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)

                at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)

                at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)

                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)

                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)

                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)

                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)

                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)

                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)

                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)

                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)

                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)

                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)

                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)

                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)

                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)

                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

                at java.lang.Thread.run(Thread.java:748)

        Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.OAuth2RestTemplate]: Factory method 'createRestTemplate' threw exception; nested exception is java.lang.NullPointerException

                at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)

                at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)

                ... 56 more

        Caused by: java.lang.NullPointerException

                at au.edu.qcif.xnat.auth.openid.OpenIdAuthPlugin.getProtectedResourceDetails(OpenIdAuthPlugin.java:228)

                at au.edu.qcif.xnat.auth.openid.OpenIdAuthPlugin.createRestTemplate(OpenIdAuthPlugin.java:203)

                at au.edu.qcif.xnat.auth.openid.OpenIdAuthPlugin$$EnhancerBySpringCGLIB$$f8ee60f1.CGLIB$createRestTemplate$6(<generated>)

                at au.edu.qcif.xnat.auth.openid.OpenIdAuthPlugin$$EnhancerBySpringCGLIB$$f8ee60f1$$FastClassBySpringCGLIB$$3209c95.invoke(<generated>)

                at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)

                at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:358)

                at au.edu.qcif.xnat.auth.openid.OpenIdAuthPlugin$$EnhancerBySpringCGLIB$$f8ee60f1.createRestTemplate(<generated>)

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

                at java.lang.reflect.Method.invoke(Method.java:498)

                at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)

                ... 57 more

***********************************

Looking at the code in OpenIdAuthPlugin.java:228,  it seemed that the plugin cannot properly read openid.<enabledID>.<setting> values. I played around with the openid-provider.properties config file and turned out that if I change the line provider.id from "openid" to (in my case) "nu" and restart the application server - I'm not seeing the exception anymore and the plugin initiates the authentication process. The process took me to the provider for authentication and after successful authentication returned me to the XNAT login page without logging me into XNAT. This time I see a different error in the catalina.out log. Below if the snippet of the plugin configuration file and other relevant information:

***********************************

In XNAT Settings:

Enabled Authentication Providers: localdb,nu

***********************************

openid-provider.properties:

# Needs to be 'openid'

auth.method=openid

type=openid

provider.id=nu

visible=true

auto.enabled=false

auto.verified=false

# Name displayed in the UI

name=UOpenID

# Toggle username & password login visibility

disableUsernamePasswordLogin=false

# List of providers that appear on the login page, see options below.

enabled=nu

# Site URL - the main domain, needed to build the pre-established URL below.

siteUrl=https://<url>.edu

preEstablishedRedirUri=/openid-login

# AAF OpenID

openid.nu.clientId=<...>

openid.nu.clientSecret=<...>

openid.nu.accessTokenUri=<...>

openid.nu.userAuthUri=<...>

openid.nu.userInfoUri=<...>

openid.nu.scopes=openid,profile,email

***********************************

security.log:

2021-10-11 22:02:05,505 [http-nio-8080-exec-9] WARN  org.nrg.xnat.security.XnatProviderManager - The provider ID nu is enabled, but there is no configured definition for that ID

***********************************

catalina.out:

error="access_denied", error_description="Error requesting access token."

        at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:149)

        at au.edu.qcif.xnat.auth.openid.pkce.PkceAuthorizationCodeAccessTokenProvider.obtainAccessToken(PkceAuthorizationCodeAccessTokenProvider.java:58)

        at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:152)

        at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:125)

        at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:239)

        at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:181)

        at org.springframework.security.oauth2.client.OAuth2RestTemplate$$FastClassBySpringCGLIB$$ca6dc720.invoke(<generated>)

        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)

        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:737)

        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)

        at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)

        at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)

        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)

        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:672)

        at org.springframework.security.oauth2.client.OAuth2RestTemplate$$EnhancerBySpringCGLIB$$afede35f.getAccessToken(<generated>)

        at au.edu.qcif.xnat.auth.openid.OpenIdConnectFilter.attemptAuthentication(OpenIdConnectFilter.java:109)

        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:64)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:157)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)

        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)

        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)

        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)

        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:748)

Caused by: org.springframework.web.client.HttpClientErrorException: 401 null

        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:108)

        at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport$AccessTokenErrorHandler.handleError(OAuth2AccessTokenSupport.java:250)

        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:709)

        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:662)

        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:630)

        at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:141)

        ... 57 more

***********************************

To summarize, when the plugin is configured according to documentation it crashes and if I change the value of the providerID to the name of the enabled provider - the plugin launches, but still fails to log the user into XNAT. I'm looking to see if anyone can share their experience with using OpenID on XNAT 1.8.3  or maybe point out the obvious mistake in my configuration.

Thank you,

Alex 

[Rick Herrick]

Sorry I missed this when you posted it previously, but I replied (not super helpfully, probably!) to this indirectly here.

[Alastair Ferguson]

Hi Alex,

I wrote the AIS article you are referencing. Try this plugin:

https://github.com/Australian-Imaging-Service/xnat-openid-auth-plugin/releases/tag/1.0.2

We had trouble with the upstream plugin (issues lodged) so had to amend it.

[Alex]

Hi Alastair,

I tested all versions of the plugin I could find, including the 1.0.2 version. I see the same error (below) in the log with all versions. The request is going out to the OpenID authority, gets approved and when returned to XNAT I get the login screen again with the message "Your login attempt failed because the username and password combination you provided was invalid..." 

Do you have any suggestions on what could be the problem?

Thank you, 

Alex

error="access_denied", error_description="Error requesting access token."
        at org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken(OAuth2AccessTokenSupport.java:149)

        at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:213)

        at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal(AccessTokenProviderChain.java:152)
        at org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken(AccessTokenProviderChain.java:125)
        at org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken(OAuth2RestTemplate.java:239)
        at org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken(OAuth2RestTemplate.java:181)
        at org.springframework.security.oauth2.client.OAuth2RestTemplate$$FastClassBySpringCGLIB$$ca6dc720.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:737)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
        at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
        at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:672)

        at org.springframework.security.oauth2.client.OAuth2RestTemplate$$EnhancerBySpringCGLIB$$f461befa.getAccessToken(<generated>)
        at au.edu.qcif.xnat.auth.openid.OpenIdConnectFilter.attemptAuthentication(OpenIdConnectFilter.java:101)

[Alastair Ferguson]

Hi Alex,

I can't speak for OpenUID as an authentication provider but one difference I did note was in my working config provider it is definitely set as openid:

provider.id=openid

I also get in the log files:

 [http-nio-8080-exec-9] WARN  org.nrg.xnat.security.XnatProviderManager - The provider ID aaf is enabled, but there is no configured definition for that ID

But it works properly (not sure why).

The other config that made a big difference was this line:

preEstablishedRedirUri=/openid-login

This means that the redirect URL is (whatever your uni is obviously!) https://<url>.edu/openid-login

Don't know what it should be for OPenUID but should definitely confirm.

My suggestion is take it back to basics.

Confirm with your provider that all the details are correct.

In AAF case you can use this site:

https://validator.aaf.edu.au/

Presumably your provider has a similar service.

Try with the provider.id=openid and see how you go.

Good luck.

[Herrick, Rick]

The value for provider.id won’t affect the OpenID functionality at all. That only distinguishes different instances of provider definitions. The important property for distinguishing authentication methods is auth.method, which must be openid for the XNAT OpenID plugin.

 

-- 

Rick Herrick

XNAT Architect/Developer

Computational Imaging Laboratory

Washington University School of Medicine

 

 

From: xnat_di...@googlegroups.com <xnat_di...@googlegroups.com> on behalf of Alastair Ferguson <afer...@arche-type.com.au>
Date: Tuesday, January 25, 2022 at 5:17 PM
To: xnat_discussion <xnat_di...@googlegroups.com>
Subject: [XNAT Discussion] Re: OpenID plugin & XNAT 1.8.3

* External Email - Caution *

--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to xnat_discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/711f1d44-f36a-4ace-9150-6370a4d35291n%40googlegroups.com.

 

---

The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

[Alastair Ferguson]

Thanks Rick for clearing that up - makes sense.

Apologies for the incorrect advice.

[Alex]

Hi Alastair,

Appreciate your responses, still testing here. One question I have is: what versions of XNAT and OpenID plugin are you using in the working configuration? I'm testing with XNAT 1.8.3 and OpenID plugin 1.1.1. 

Thank you,

Alex

[Alastair Ferguson]

I have tried with 1.7.6, 1.8.2.2 and 1.8.3 and all of them work, although with 1.8.3 you can't open the AAF user to edit it in the Administer > Users due to a problem with random string creation going over 63 (very long story).

One of the AIS people is on the case.

Plugin that works for me is 1.0.2:

https://github.com/Australian-Imaging-Service/xnat-openid-auth-plugin/releases/tag/1.0.2

Pushed out using AIS Helm chart for Kubernetes.

https://github.com/Australian-Imaging-Service/charts

Thanks!

[Alex]

Hi Alastair,

I have finally resolved the OpenID authentication issue. After much troubleshooting it turned out that the issue was with the authentication server configuration at our institution and not with the plugin. OpenID plugin version 1.0.2 you referred to worked and now I'm able to create OpenID-authenticated accounts, log in and access project data. By the way, I upgraded XNAT to 1.8.4.1 and the OpenID plugin works.

One question I have is: once the account is created should I be able to log in into OpenID accounts remotely, not via the XNAT login page? For example. using XNAT Desktop Assistant I can log in into LDAP-authenticated account, but not into OpenID-authenticated account (using the <providerID>_<OpenID account username> format listed as a username in XNAT, i.e. openid1_john). Another use case could be authentication via REST API. I'd be interested to know if you encountered these use cases in relation to OpenID authentication.

I appreciate your help with figuring out the correct plugin version to use.

Thank you,

Alex

[Kate Alpert]

Hi, Alex,

You might check out https://groups.google.com/g/xnat_discussion/c/tdtXZZmfPDM for some provider-specific login options.

Kate

[Alastair Ferguson]

Hi Alex,

Glad you got it sorted. Apparently the upstream is working on a new release for the OpenID plugin that will fix a bunch of issues so look out for that.

Yes, seems to be an issue unfortunately. Kate would definitely know more about it than I do.

[Rick Herrick]

Hey Alex et al,

The way that XNAT handles basic authentication with standard username/password providers (i.e. XNAT's localdb and LDAP authentication) is to prefix the username with the provider ID, separated by a slash. This doesn't work with OpenID/OAuth2, because XNAT never handles the username and password. Instead the user authenticates with the provider directly and, once successfully authenticated, redirects the user back to XNAT, passing an access token along with it. XNAT extracts the user identity from the token, creates a new session, and throws the token away. I think adding OAuth2 authentication support is as "simple" as getting the authentication header, checking if it contains a bearer token, then validating that token with the authentication provider. That part seems relatively straightforward, but we then need to work out how to get that token to the user for use in future operations.

So the basic answer to your question is, no, XNAT can not, at this point, authenticate the user directly through OpenID. I created ticket XNAT-7057 for this in our Jira, so you can watch that issue if you'd like to monitor development progress (the fix version says 1.8.5 but take that with a grain of salt: I'd like to get it done asap and if it only requires changes to the plugin it could happen more quickly, but it really depends on what kinds of resources we can throw at it).

[Kate Alpert]

Doh! Of course. One workaround for now would be to login to the account in XNAT and get an alias token & secret to use for your CLI/XDC needs. These are expiring credentials, so you'll just want to be mindful of that.

[Alex Kogan]

Hi Kate, Rick,

Thank you for adding this feature to the to do list, it would help a lot when this feature is implemented. Good to know about the possible workaround as well.

Thank you,

Alex

 

[Matteo Riva]

Hello everyone,

Sorry, I know this discussion is old and closed, but I write here my issue, hoping to find some help. 

What I am trying to do is to create an OpenID Connect between Keycloak and XNAT (1.8.5), installed in a VM (Ubuntu 20.04, JAVA 8, Tomcat9). Following the kind suggestion that Rick gave to me in another discussion, I downloaded the plugin for openid. Here is my openid-provider.properties file in /src/main/resources folder:

auth.method=openid
type=openid
provider.id=openid
visible=true
auto.enabled=true
auto.verified=true
name=OpenID Authentication Provider
disableUsernamePasswordLogin=false
enabled=redcap-keycloak-client
siteUrl=http://localhost:8080/auth/realms/redcap-keycloak
preEstablishedRedirUri=/openid-login

openid.redcap-keycloak-client.clientId=redcap-keycloak-client
openid.redcap-keycloak-client.clientSecret=***************************
openid.redcap-keycloak-client.accessTokenUri=http://localhost:8080/auth/realms/name-of-the-realm/protocol/openid-connect/token
openid.redcap-keycloak-client.userAuthUri= http://localhost:8080/auth/realms/name-of-the-realm/protocol/openid-connect/auth
openid.redcap-keycloak-client.userInfoUri= http://localhost:8080/auth/realms/name-of-the-realm/protocol/openid-connect/userinfo
openid.redcap-keycloak-client.pkceEnabled=true
openid.redcap-keycloak-client.scopes=openid,profile,email
openid.redcap-keycloak-client.link=<span>login</span>
openid.redcap-keycloak-client.shouldFilterEmailDomains=false
openid.redcap-keycloak-client.forceUserCreate=false
openid.redcap-keycloak-client.userAutoEnabled=true
openid.redcap-keycloak-client.userAutoVerified=true
openid.redcap-keycloak-client.emailProperty=email
openid.redcap-keycloak-client.givenNameProperty=given_name
openid.redcap-keycloak-client.familyNameProperty=family_name

With tomcat9 stopped, I use this command ./gradlew jar. I obtain the openid-auth-plugin-1.2.0-SNAPSHOT.jar file, I copy this file in /data/xnat/home/plugins/ folder and I restart the tomcat9. Tomcat9 is running, but when I try to search for the XNAT page, it gives me this 404 error:

If I delete the jar file from the /data/xnat/home/plugins/ folder, XNAT comes back to normal and I can see it again. I searched for some error in catalina.out file or in logs files, but everything is fine!

Please, can someone help me? I do not understand if it is an error in plugin settings or in XNAT settings. 

Thank you so much in advance!

Matteo

[Matteo Riva]

UPDATE: Since the OpenID Endpoint Configuration in Keycloak has:

"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],

"claim_types_supported":["normal"],

"claims_parameter_supported":true,

"scopes_supported":["openid","profile","offline_access","address","email","phone","roles","microprofile-jwt","web-origins"]

I tried to modify the openid.redcap-keycloak-client.scopes parameter in the openid-provider.properties file with the elements present in the array "scopes_supported" , but nothing has changed.

[Matteo Riva]

Hello everyone,

UPDATE 2: I read and read again this discussion and I tried to download the plugin Alastair suggested and finally XNAT does not show the 404 error! The jar file is in the right folder and the plugin is installed, but how can I change the default login mode with the OpenID or have both of them? Setting the field Enabled Authentication Providers in XNAT Site Administration --> Security with "localdb,keycloak" or "localdb,openid" does not change anything. Here is my new openid-provider.properties file (there is ONLY this file in the folder /src/main/resources):

auth.method=openid
type=openid
provider.id=openid
visible=true
auto.enabled=true
auto.verified=true
name=OpenID Authentication Provider
disableUsernamePasswordLogin=false

enabled=xnat-keycloak-client
siteUrl=http://localhost:8080/app/template/
preEstablishedRedirUri=/openid-login

openid.xnat-keycloak-client.clientId=xnat-keycloak-client
openid.xnat-keycloak-client.clientSecret=**************************************
openid.xnat-keycloak-client.accessTokenUri=http://localhost:8080/auth/realms/name-of-the-realm/protocol/openid-connect/token
openid.xnat-keycloak-client.userAuthUri=http://localhost:8080/auth/realms/name-of-the-realm/protocol/openid-connect/auth
openid.xnat-keycloak-client.userInfoUri=http://localhost:8080/auth/realms/name-of-the-realm/protocol/openid-connect/userinfo
openid.xnat-keycloak-client.pkceEnabled=true
openid.xnat-keycloak-client.scopes=openid,profile,offline_access,address,email,phone,roles,microprofile-jwt,web-origins
openid.xnat-keycloak-client.link=<span>login</span>
openid.xnat-keycloak-client.shouldFilterEmailDomains=false
openid.xnat-keycloak-client.forceUserCreate=false
openid.xnat-keycloak-client.userAutoEnabled=true
openid.xnat-keycloak-client.userAutoVerified=true
openid.xnat-keycloak-client.emailProperty=email
openid.xnat-keycloak-client.givenNameProperty=given_name
openid.xnat-keycloak-client.familyNameProperty=family_name

I might add my Keycloak principal settings too:

-  Valid Redirect URIs: http://localhost:8080/app/template/ (which is my XNAT login site)

- Client ID = xnat-keycloak-client

Sorry for being a bit spamming, but I would like to update anyone who wants to help and to avoid every waste of time.

Thank you again.

Matteo

[Matteo Riva]

Hello everyone,

UPDATE 3: I finally succeeded in creating a connection between Keycloak and XNAT using the plugin that Alastair suggested. The problems now are two:

1. I do not know why, but Keycloak does a sign-in, not a login. So when I try to login with Keycloak it turns back to the initial login xnat page. Then in order to login I have to enter the keycloak credentials. How can I do a login instead of a sign-in?

2. When I do a sign-in with Keycloak it creates a new user in xnat. Good! But this new user has administrator priviliges (bad...).

How can I fix these problems? Someone had the same issue? Someone can help me? Please...

Thank you so much again.

Matteo

[Rick Herrick]

Re: 1, I’m unclear on what you mean here. Could you describe what you’re doing during the authentication process step by step? Screen caps or a video might help as well.

Re: 2, that would certainly be bad, but looking at the code I don’t see any way that can happen. I’m not saying it’s not happening to you, just that I have no idea how that could be occurring.

What version of the plugin are you using and where did you download it from?

Rick Herrick

Senior Software Developer

rickh...@flywheel.io

------ Original Message ------

From "Matteo Riva" <mat.ri...@gmail.com>

To "xnat_discussion" <xnat_di...@googlegroups.com>

Date 9/22/2022 8:59:53 AM

Subject Re: [XNAT Discussion] Re: OpenID plugin & XNAT 1.8.3

--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to xnat_discussi...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/cf601ab5-17b6-47fe-a991-8a280831dd0cn%40googlegroups.com.

[Matteo Riva]

Hello Rick,

Thank you so so much for your reply!!

1. Yes, sure I will do my best to explain and show it step by step:

STEP 1

my *-provider.properties file is inside folder /data/xnat/home/config/auth

STEP 2

I click on that sort of image (I would like to change it with a Keycloak logo, but, even if I have a keycloak image (keycloak.png) in /images/ folder, I do not know how to do it --> <img src="/images/keycloak.png" /> does not do anything)

STEP 3

I click on Register.

STEP 4

I insert here my credentials

STEP 5

A new user has been created in Keycloak

STEP 6

mriva does exist in Xnat, but with administrator priviligies!

STEP 7

Now Xnat shows a new problem: 

If I try to redo STEP1,2,3,4,5 and 6, the user is not created in Xnat anymore (even if in Keycloak is created and present)!

2. Here is the code of my .properties file:

auth.method=openid
type=openid
provider.id=openid
visible=true
auto.enabled=true
auto.verified=true
name=OpenID Authentication Provider
disableUsernamePasswordLogin=false
enabled=redcap-keycloak-client

siteUrl=http://localhost:8080/app/template/Index.vm
preEstablishedRedirUri=/openid-login

openid.redcap-keycloak-client.clientId=redcap-keycloak-client
openid.redcap-keycloak-client.clientSecret=***********************************************
openid.redcap-keycloak-client.accessTokenUri=http://localhost:8080/auth/realms/redcap-xnat-keycloak/protocol/openid-connect/token
openid.redcap-keycloak-client.userAuthUri=http://localhost:8080/auth/realms/redcap-xnat-keycloak/protocol/openid-connect/auth
openid.redcap-keycloak-client.userInfoUri=http://localhost:8080/auth/realms/redcap-xnat-keycloak/protocol/openid-connect/userinfo
openid.redcap-keycloak-client.pkceEnabled=true
openid.redcap-keycloak-client.scopes=openid,profile,offline_access,address,email,phone,roles,microprofile-jwt,web-origins
openid.redcap-keycloak-client.link=<p>To sign-in using your Keycloak credentials, please click on the button below.</p><p><a href="/openid-login?providerId=redcap-keycloak-client"><img src="/images/keycloak.png" /></a></p>

openid.redcap-keycloak-client.shouldFilterEmailDomains=false
openid.redcap-keycloak-client.forceUserCreate=false
openid.redcap-keycloak-client.userAutoEnabled=true
openid.redcap-keycloak-client.userAutoVerified=true
openid.redcap-keycloak-client.emailProperty=email
openid.redcap-keycloak-client.givenNameProperty=given_name
openid.redcap-keycloak-client.familyNameProperty=family_name

I have already tried to change "forceUserCreate" to true and "userAutoEnabled" and "userAutoVerified" to false, but nothing changes at all!

Here are my Keycloak settings:

3. I am using a VM with Ubuntu 20.04, Tomcat9, Postgresql 10 and XNAT 1.8.5. The plugin I am using is this one:

https://github.com/Australian-Imaging-Service/xnat-openid-auth-plugin/releases/tag/1.0.2

I am using this jar file because when I tried to create a jar file (./gradlew fatJar or ./gradlew jar) with this plugin:

https://github.com/NrgXnat/xnat-openid-auth-plugin

I got a 404 error:

4. Here are my Xnat settings:

I know, this is a very long mail, but I really hope this is helpful to let you understand my issue!

Thank you so much Rick! I can't wait for your reply.

Matteo

[Matteo Riva]

CORRECTION POINT 1.:

Once steps 4 and 5 are done, I receive from Keycloak a mail to verify my account:

If I click the link, it drives me back to the Xnat login page:

and I must enter again the Keycloak credentials to login in Xnat! In summary, it is simply doing a sign-in and not a sign-in+login. This does not happen with another database (REDCap) where Keycloak does the login too!

Sorry everyone, I forgot to add this part too.

Thank you again.

Matteo

[Matteo Riva]

UPDATE 4: The reason of the above problems is that Keycloak is NOT talking with XNAT at all! I made a lot of tries all day long and the reason why Keycloak drives me back to the login page of xnat is that Keycloak is doing nothing to XNAT. In summary, the plugin (when I click the "Keycloak button" in the XNAT login page) gives the link to the login page of Keycloak, but nothing more. 

The question now is that: then why you said Keycloak created an admin user in XNAT (POINT 1., STEP 6)? I am so sorry, maybe I am mistaking, but I am pretty sure that when I did the first try to see if Keycloak and XNAT were talking each other, a new user (mriva) appeared  with admin priviligies. 

Honestly, now I do not know what should I do now to fix all this caos...

Matteo

[Alex]

Hi Matteo,

I managed to get the OpenID plugin working on our development instance. I have no experience configuring the authorization server, but the team that worked on that had to go through a number of configuration changes to work properly with the OpenID plugin.

There are a few things that I noticed looking at your configuration file that are different from what worked in my case.

Try setting the following:

1. provider.id=redcap-keycloak-client      # this is the provider id that is enabled by the "enabled=..." setting

2.  siteUrl=http://localhost:8080   # this url is used to build the redirect url, so it has to match the redirect url in the authentication server.

3.  openid.redcap-keycloak-client.pkceEnabled=false

Hope that helps.

Alex

[Matteo Riva]

Hello Alex,

I thank you so much!!

Yes, I will try to change those parameters tomorrow and see what happens! I will write for updates :)

Moreover, one thing I thought during the weekend: I had a similar problem with Keycloak when I had to link it to REDCap. This problem was that Keycloak presents the users as "preferred_username" and not as "username". So I had to change it in mysql for REDCap. Then it worked.

Could it be the same for Xnat? Should I change "username" (if Xnat calls the users like this) to "preferred_username" in Postgresql for Xnat too? If yes, how can I change it?

Please, please let me know! This could be the solution to the problem!

Thank you again.

Matteo

You received this message because you are subscribed to a topic in the Google Groups "xnat_discussion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/xnat_discussion/WdTSFMEbEUs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to xnat_discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/b07a911f-96d9-4231-a93b-3598fda4fd8dn%40googlegroups.com.

[Matteo Riva]

Hello Alex,

It works! After the changes you suggested, I can finally login in Xnat with the credentials of Keycloak! Thank you so much Alex!

Nevertheless, if I login as admin in order to see if there the new user in Xnat, there isn't the new user in "Users" page. The new user is created in Keycloak and I can login through Keycloak in Xnat, so it works, but the new user is not created in Xnat!

Is it normal? If not, how should I fix it? Thank you again!

Let me know please!

Matteo

[Alex]

Hi Matteo,

Good to hear that the plugin is working for you. On my system, once the user is authenticated via OpenID for the first time, a localdb user is created. The following directive forces XNAT to create a user and it is set to false in your config file:

openid.providerid.forceUserCreate=true

The username pattern for these users is defined in the following configuration file directive:

openid.providerid.usernamePattern=[providerId]-[sub]

Hopefully this will fix the the user creation issue.

Thanks,

Alex

[Matteo Riva]

Hello Alex,

Thank you again for your help and your kindness!

Now it works properly! Just one last thing: when Keycloak creates a new user in xnat, the username is the ID present in Keycloak (e.g: instead of mriva as username, it creates a user with 12345abcd-keycloak-redcap-xnat username). Should I fix it with the username pattern you said in your last reply? 

I hope this will be my last question. Then I think I am finally done with these issues :) 

Again, thank you so much Alex!

Matteo

To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/935787d7-3850-4cfa-976c-d807bae788fen%40googlegroups.com.

[Alex]

Hi Matteo,

I think that if you don't specify the usernamePattern directive, the plugin is going to create a username based on the default pattern [providerId]_[sub]. I haven't tried different patterns since I was fine with the default. My suggestion is to experiment to see what pattern works for you. Maybe somone else in this group has suggestions based on their experience, I didn't find much documentation on this topic.

Alex

[Matteo Riva]

Hello Alex,

I tried to copy the line in the *provider.properties and I tried everything:

openid.redcap-keycloak-client.usernamePattern=[username]

openid.redcap-keycloak-client.usernamePattern=[preferred_username]

openid.redcap-keycloak-client.usernamePattern=[sub]

openid.redcap-keycloak-client.usernamePattern=username

openid.redcap-keycloak-client.usernamePattern=preferred_username

But nothing has changed :( It keeps on creating new users with [providerId]-[sub]!

Matteo

[Matteo Riva]

Hello everyone,

I know that this is a old topic, but I wanted to let you know that I tried to change the line into:

openid.redcap-keycloak-client.usernamePattern=[Username]

(Upper case U instead of u)

But nothing has change unfortunately :( It keeps on creating new users with [providerId]-[sub]! 

Someone had any idea?

Thank you so much for any help!

Matteo

[Matteo Riva]

Please, anyone here could help me? I am really stuck on this problem since a lot of days and I do not know how to fix it!
Thank you in advance.

Matteo

[Rick Herrick]

Hi Matteo,

There are two issues happening here, I think.

The first is that I’m guessing you’re not restarting XNAT after changing the usernamePattern setting? Changes to those configurations require a restart to take affect, which would explain why it’s continuing to prefix the provider ID to the usernames.

The second is that Username is probably not one of the user attributes returned by Keycloak’s OpenID implementation. These attributes can be configured within Keycloak (search for principal-attribute), so it’s hard to say what is being returned without knowing the configuration, but basically the value specified in square brackets must map to the name of a field in the plugin’s OpenIdConnectUserDetails class (and when creating a new user, the only field that has a value is providerId) or in the user attributes returned from the OpenID authentication call.

Note too that these attributes may not include the username from the authentication server (this is part of how OpenID maintains security and separation between server and clients): you can’t assume something that might seem obvious is coming back in the user attributes. For example, here are the attributes returned by Google when integrated with the XNAT OpenID plugin:

• at_hash
• aud
• azp
• email
• family_name
• given_name
• hd
• iss
• locale
• name
• picture
• sub

This means I could create a username pattern like [at_hash]-[aud]-[family_name]-[given_name]. The tokens in this pattern are case sensitive, so Email won’t map to email.

Rick Herrick

Senior Software Developer

rickh...@flywheel.io

------ Original Message ------

From "Matteo Riva" <mat.ri...@gmail.com>

To "xnat_discussion" <xnat_di...@googlegroups.com>

Date 10/21/2022 4:05:10 AM

Subject Re: Re[2]: [XNAT Discussion] Re: OpenID plugin & XNAT 1.8.3

Please, anyone here could help me? I am really stuck on this problem since a lot of days and I do not know how to fix it!
Thank you in advance.

Matteo

Il giorno giovedì 13 ottobre 2022 alle 12:26:02 UTC+2 Matteo Riva ha scritto:

Hello everyone,

I know that this is a old topic, but I wanted to let you know that I tried to change the line into:

openid.redcap-keycloak-client.usernamePattern=[Username]

(Upper case U instead of u)

But nothing has change unfortunately 🙁 It keeps on creating new users with [providerId]-[sub]! 

Someone had any idea?

Thank you so much for any help!

Matteo

Il giorno mercoledì 28 settembre 2022 alle 13:15:56 UTC+2 Matteo Riva ha scritto:

Hello Alex,

I tried to copy the line in the *provider.properties and I tried everything:

openid.redcap-keycloak-client.usernamePattern=[username]

openid.redcap-keycloak-client.usernamePattern=[preferred_username]

openid.redcap-keycloak-client.usernamePattern=[sub]

openid.redcap-keycloak-client.usernamePattern=username

openid.redcap-keycloak-client.usernamePattern=preferred_username

But nothing has changed 🙁 It keeps on creating new users with [providerId]-[sub]!

Matteo

Il giorno martedì 27 settembre 2022 alle 20:19:41 UTC+2 Alex ha scritto:

Hi Matteo,

I think that if you don't specify the usernamePattern directive, the plugin is going to create a username based on the default pattern [providerId]_[sub]. I haven't tried different patterns since I was fine with the default. My suggestion is to experiment to see what pattern works for you. Maybe somone else in this group has suggestions based on their experience, I didn't find much documentation on this topic.

Alex

On Monday, September 26, 2022 at 3:58:40 PM UTC-4 Matteo Riva wrote:

Hello Alex,

Thank you again for your help and your kindness!

Now it works properly! Just one last thing: when Keycloak creates a new user in xnat, the username is the ID present in Keycloak (e.g: instead of mriva as username, it creates a user with 12345abcd-keycloak-redcap-xnat username). Should I fix it with the username pattern you said in your last reply? 

I hope this will be my last question. Then I think I am finally done with these issues 😀 

Again, thank you so much Alex!

Matteo

Il lun 26 set 2022, 20:21 Alex <ski...@gmail.com> ha scritto:

Hi Matteo,

Good to hear that the plugin is working for you. On my system, once the user is authenticated via OpenID for the first time, a localdb user is created. The following directive forces XNAT to create a user and it is set to false in your config file:

openid.providerid.forceUserCreate=true

The username pattern for these users is defined in the following configuration file directive:

openid.providerid.usernamePattern=[providerId]-[sub]

Hopefully this will fix the the user creation issue.

Thanks,

Alex

On Monday, September 26, 2022 at 2:57:58 AM UTC-4 Matteo Riva wrote:

Hello Alex,

It works! After the changes you suggested, I can finally login in Xnat with the credentials of Keycloak! Thank you so much Alex!

Nevertheless, if I login as admin in order to see if there the new user in Xnat, there isn't the new user in "Users" page. The new user is created in Keycloak and I can login through Keycloak in Xnat, so it works, but the new user is not created in Xnat!

Is it normal? If not, how should I fix it? Thank you again!

Let me know please!

Matteo

Il giorno domenica 25 settembre 2022 alle 22:42:16 UTC+2 Matteo Riva ha scritto:

Hello Alex,

I thank you so much!!

Yes, I will try to change those parameters tomorrow and see what happens! I will write for updates 😀

To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/d86ea842-58e1-4002-9e80-11efd465d4d2n%40googlegroups.com.

[Matteo Riva]

Hello Rick,

Thank you so much for your reply, really appreciated!

Here is what my OpenID Connection Configuration gives in return:

"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],

"claim_types_supported":["normal"],

"claims_parameter_supported":true,"scopes_supported":["openid","profile","offline_access","address","email","phone","roles","microprofile-jwt","web-origins"]

The fact is that: in the OpenID with REDCap, Keycloak uses "preferred_username" as "username". While for XNAT, I do not know what I should use (as I said in my previous message, I have already tried "preferred_username", but nothing has changed at all!).

What do you suggest, please?

Matteo

[Rick Herrick]

If your provider returns username rather than preferred_username then the only suggestion I can come up with is username (not capitalized).

Rick Herrick

Senior Software Developer

rickh...@flywheel.io

------ Original Message ------

From "Matteo Riva" <mat.ri...@gmail.com>

To "xnat_discussion" <xnat_di...@googlegroups.com>

Date 10/24/2022 3:18:01 AM

Subject Re: Re[4]: [XNAT Discussion] Re: OpenID plugin & XNAT 1.8.3

To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/fadcb287-405f-41d1-b5ea-04a7cc2047b1n%40googlegroups.com.

[Matteo Riva]

Hello Rick,

Thank you again for your reply.

Now there is username, but unfortunately nothing is changing :( Maybe I should change the identification from username to preferred_username in PostgreSQL (since preferred_username is returned by Keycloak). For example, in REDCap I do this (MariaDB):

UPDATE `redcap`.`redcap_config` SET `value` = 'preferred_username' WHERE (`field_name` = 'openid_connect_username_attribute');

Do you know how to do it in PostgreSQL? Could it be a solution?

Thank you!

Matteo

[Matteo Riva]

Hello,

I was searching for something in PostgreSQL in order to identify how the users are created in PostgreSQL. 

Here is what I found using " psql -c "SELECT * FROM xdat_user"

                            login                            | firstname | lastname |             email             |                         primary_password                         | primary_password_encrypt | quarantine_path | enabled | verified |                               salt                               | user_info | xdat_user_id | users_user_xdat_security_xdat_security_id

The strange username (for example, redcap-keycloak-client_9d981443-db6c-4d14-aa16-2bd43227ef34) is under the column "login". I tried to change the column name from "login" to "preferred_username". And...what happened was that a new column was created at the end of the table called again "login" and XNAT was completely broken (it could not even show me the login page)! I tried to change the new "login" column, to delete it, to delete the "preferred_username" column, but everything was useless: XNAT was broken!

I had to do a restore of my VM to return to the original situation and now XNAT works again.

Anyone had a suggestion, please?

Thank you!

Matteo

[Rick Herrick]

My suggestion would be to avoid renaming database columns :) The reason your XNAT was broken was because XNAT looks for the login column to find users’ login names. The names of columns aren’t a configuration option, they’re where XNAT goes to find configuration options. If the columns are renamed it can’t find the info it needs to work properly. XNAT recognized that the table structure didn’t match what it expected and tried to recover by adding the login column back to the table, but then that would fail because each row must have a unique value for that column but they’re all set to the same value (null) so everything would explode at that point.

The “strange” username is a username created from the previous pattern of [providerId]-[sub]. The reason that pattern is used is not because it ends up generating attractive usernames but because it generates unique usernames. sub is short for subject identifier, i.e. the unique ID for that user account on a particular provider. That means the combination of providerId–which identifies the specific provider, in this case redcap-keycloak-client–and sub–in this case some long gnarly UUID thing–will be a username that won’t collide with anyone else.

I think the important thing is that, if you’re using your OAuth2/OpenID source for authentication, then don’t worry too much about what the generated username (i.e. the value that gets put into the login column) is: people don’t use that to log in so it’s not important that they know what it is. If the issue is having the “strange” username appear in the title bar after someone logs in, well good news! The latest 1.8.6 release has a fix for that specific issue so that the user’s first and last names show up there instead of some meaningless string.

Rick Herrick

Senior Software Developer

rickh...@flywheel.io

------ Original Message ------

From "Matteo Riva" <mat.ri...@gmail.com>

To "xnat_discussion" <xnat_di...@googlegroups.com>

Date 10/25/2022 8:25:41 AM

Subject Re: Re[6]: [XNAT Discussion] Re: OpenID plugin & XNAT 1.8.3

Hello,

I was searching for something in PostgreSQL in order to identify how the users are created in PostgreSQL. 

Here is what I found using " psql -c "SELECT * FROM xdat_user"

                            login                            | firstname | lastname |             email             |                         primary_password                         | primary_password_encrypt | quarantine_path | enabled | verified |                               salt                               | user_info | xdat_user_id | users_user_xdat_security_xdat_security_id

The strange username (for example, redcap-keycloak-client_9d981443-db6c-4d14-aa16-2bd43227ef34) is under the column "login". I tried to change the column name from "login" to "preferred_username". And...what happened was that a new column was created at the end of the table called again "login" and XNAT was completely broken (it could not even show me the login page)! I tried to change the new "login" column, to delete it, to delete the "preferred_username" column, but everything was useless: XNAT was broken!

I had to do a restore of my VM to return to the original situation and now XNAT works again.

Anyone had a suggestion, please?

Thank you!

Matteo

Il giorno martedì 25 ottobre 2022 alle 09:12:09 UTC+2 Matteo Riva ha scritto:

Hello Rick,

Thank you again for your reply.

Now there is username, but unfortunately nothing is changing 🙁 Maybe I should change the identification from username to preferred_username in PostgreSQL (since preferred_username is returned by Keycloak). For example, in REDCap I do this (MariaDB):

To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/b26e27d8-d2bf-4039-8919-eeab187c5f0en%40googlegroups.com.

[Matteo Riva]

Hello Rick,

Thank you so much for your reply and your help.

Okay, I will never modify database columns again :D 

The problem is this: if I go to Administer --> Users, instead of a normal username, I see that "strange" one.

In summary, I would like to see a "normal" username (for example, username), present in Keycloak, instead of that long string (redcap-keycloak-client_9d981443-db6c-4d14-aa16-2bd43227ef34).

But, as you suggested, maybe it is better to not care about it. After  all, if I try to login with the OpenID, I still enter in XNAT normally and the first and the last names are correctly shown up:

Thank you also for telling me the good new! I am sure it can be so useful :)

Cheers,

Matteo

[Rick Herrick]

Yeah, I’m not saying the usernames generated are attractive, but they are unique and that’s the most important thing!

Rick Herrick

Senior Software Developer

rickh...@flywheel.io

------ Original Message ------

From "Matteo Riva" <mat.ri...@gmail.com>

To "xnat_discussion" <xnat_di...@googlegroups.com>

Date 10/26/2022 2:30:35 AM

Subject Re: Re[8]: [XNAT Discussion] Re: OpenID plugin & XNAT 1.8.3

Hello Rick,

Thank you so much for your reply and your help.

Okay, I will never modify database columns again 😁 

The problem is this: if I go to Administer --> Users, instead of a normal username, I see that "strange" one.

In summary, I would like to see a "normal" username (for example, username), present in Keycloak, instead of that long string (redcap-keycloak-client_9d981443-db6c-4d14-aa16-2bd43227ef34).

But, as you suggested, maybe it is better to not care about it. After  all, if I try to login with the OpenID, I still enter in XNAT normally and the first and the last names are correctly shown up:

Thank you also for telling me the good new! I am sure it can be so useful 😀

Cheers,

Matteo

Il giorno mercoledì 26 ottobre 2022 alle 00:58:33 UTC+2 Rick Herrick ha scritto:

My suggestion would be to avoid renaming database columns 😀 The reason your XNAT was broken was because XNAT looks for the login column to find users’ login names. The names of columns aren’t a configuration option, they’re where XNAT goes to find configuration options. If the columns are renamed it can’t find the info it needs to work properly. XNAT recognized that the table structure didn’t match what it expected and tried to recover by adding the login column back to the table, but then that would fail because each row must have a unique value for that column but they’re all set to the same value (null) so everything would explode at that point.

To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/d2c3422c-1449-49cb-8a3b-1ee17b964755n%40googlegroups.com.

[Matteo Riva]

Hello everyone, 

Sorry, I know, I am still here.

Please, can you help me? I have a pretty strange riddle here again.

I am using Keycloak for OpenID. What I am trying to do is to create a new user in XNAT. Here I show you what I am doing:

PATHWAY 1 - WORKING!

I click the "Keycloak" button...

And then, if I try to login (WITHOUT CLICKING THE XNAT BUTTON!) --> IT DOES WORK!

PATHWAY 2 - NOT WORKING!

If I try to click on the REDCap button, IT DOES NOT WORK anymore!

What I noticed is that the Nonce and the State parameters in the two links (if I click the button, it creates a new link) are different! Could it be the problem? If yes, how could I fix it, please?

Thank you so much in advance!

Cheers,

Matteo

[Matteo Riva]

ERRATA CORRIGE:

PATHWAY 2 - NOT WORKING!

If I try to click on the XNAT button, IT DOES NOT WORK anymore!

What I noticed is that the Nonce and the State parameters in the two links (if I click the button, it creates a new link) are different! Could it be the problem? If yes, how could I fix it, please?

Thank you so much in advance!

Cheers,

Matteo

[Matteo Riva]

Hello everyone,

UPDATE 1:

I succeeded in fixing the problem with the two buttons in Keycloak login page! (in summary, I was writing wrong URLs in keycloak .ftl file)

But now I have a new riddle....

I am trying to create a new Client in Keycloak and istead of using redcap-keycloak-client, I will call the new one as xnat-keycloak-client.

The fact is that when i try to change the parameters in *-provider.properties, it does not work anymore! (what I am changing is just: provider.id=xnat-keycloak-client, enabled=xnat-keycloak-client, openid.redcap-keycloak-client.clientId=xnat-keycloak-client and the openid.redcap-keycloak-client.clientSecret for the new Client)

Instead of showing me this:

It shows me this:

Why? I think I am not doing anything wrong! (If I restore the old parameters, it works!)

Can you help me please? I hope it is a simple task!

Thank you again,

Matteo

[Matteo Riva]

UPDATE 2:

I wanted to add that I always restart the tomcat. The jar file instead is always the same.

Sorry for the little spam.

Thank you again!

Cheers,

Matteo

[Matteo Riva]

UPDATE 3:

I succeeded in fixing this problem too. The solution is really simple: I had to change not only the values of the parameters that I wrote before, but also the name of the parameters itself (e.g: every "redcap-keycloak" should be changed to "xnat-keycloak" in the *-provider.properties file).

Thank you in any case.

Cheers,

Matteo