Questions about OAuth2 and OIDC

Hello again!

This time I am trying to use Corteza to authenticate third-party applications using OAuth2 and OIDC.

I cannot find the Authority URL to use to set this up. There is no mention of what the path is in the documentation.

My other question is what is the ClientId I should be using? Is that going to be the Handle you enter when creating the Auth Client? It appears this may be the RecordId (unique identifier of the auth client that was created? I can get this from the query string in the URL when navigating to the auth client?)

I've tried the following paths and none of them return the JSON response I'm expecting
/auth/oauth2/public-keys
/auth/oauth2/info
/auth/oauth2/token
/auth/oauth2/
/auth/

Could you please provide a working example that I could implement in Postman for testing and verification please?

I'd like for my web services to make an HTTP POST request to Corteza and have Corteza send the ID token and authorization code to the web service. This way my web service is authenticated by Corteza and if necessary can run under the context of the current Corteza user.

Thanks so much

Use /.well-known/openid-configuration; example https://latest.cortezaproject.org/.well-known/openid-configuration

The clientID is the long number in the URL; example (some local auth client I have) 275793286092816386

If you're planning on authenticating your other services, then I'd suggest you use client credentials grant type which should already provide a cURL example

Important: the screenshot above, by accident, omits the "impersonate user" field. It must be provided when client credentials grant type is used.

Thank you for the reply. I tried the steps noted above but I am receiving a 500 error code

curl -X POST http://localhost:3000/auth/oauth2/token \
  -d grant_type=client_credentials \
  -d scope='profile api' \
  -u 276405990004385003:{secret goes here}

Error: Request failed with status code 500

Did you replace the {secret goes here} with the actual secret? It's located at the top, in the Secret field?
What version are you using?

Yes I did put in the secret instead.
I am using the latest version which is *.9.6

Strange; let me take a look

If you set the impersonate user field to some user, does it work?

For some reason now I'm unable to get the "Test auth" button to show up to validate?

That button shows up when you have your secret visible (click on the eye icon in the secret field).
If that doesn't fix it, try to refresh the page/validate all the configs are as they should be

Thanks, that's right, I forgot :slight_smile:

I was able to get it to work but I had to save it first then retry it.

I took the curl from the website that was successful and saved it to a file. I imported that file into Postman and ran it. But Postman gives me the following error back

{
"error": "auth client security configuration invalid"
}

I'm not sure if it matters or not but I'm doing all of this from the docker container on my local machine

The only time I would get this error during my testing is if I firstly selected authorization_code grant type, saved it, switched to client_credentials and then ran the cURL request without saving it.

Can you make sure you saved the auth client? Can you make a new one and try again? It worked fine on my instance with same version.

That is correct, as long as I save it first it works

but now I'm having an issue performing the same thing in Postman outside of Corteza

After I imported the curl command into Postman I get

{
"error": "auth client security configuration invalid"
}

My external client will need to authenticate against Corteza so I'm trying to make sure I can get a successful authentication attempt via Postman first

I'd assume Postman didn't parse these params correctly; can you export the cURL Postman creates here?
I don't use Postman so I can't offer much more help than telling you all those -d's and -u's are in there

Appreciate the help!
It doesn't look like I can export as curl but here are the screenshots of the configuration in Postman
[Edit] It ended up being a stale cookie in Postman; as soon as I deleted that cookie everything started working! I appreciate the help.

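The client credentials request discussed in this thread, as an added Python example that is not part of any post and not Corteza's own code: it reads the token endpoint from a discovery document and builds the same request as the curl command, with no cookies attached, so it can be compared against what Postman sends. The sample discovery document, its host and the client ID/secret used with it are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of a discovery document. Field names follow OIDC Discovery;
# the host and values are placeholders, not copied from a real Corteza instance.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:3000/auth",
    "token_endpoint": "http://localhost:3000/auth/oauth2/token",
    "grant_types_supported": ["authorization_code", "client_credentials"],
})


def build_token_request(discovery_json, client_id, client_secret, scope="profile api"):
    """Return a urllib Request equivalent to the curl call in the thread."""
    meta = json.loads(discovery_json)
    endpoint = meta.get("token_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no token_endpoint")
    # Only enforce the grant list when the server publishes one.
    grants = meta.get("grant_types_supported")
    if grants is not None and "client_credentials" not in grants:
        raise ValueError("server does not advertise client_credentials")

    # Same as curl -d ...: an application/x-www-form-urlencoded body.
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode("ascii")
    # Same as curl -u id:secret: HTTP Basic client authentication.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")

    req = urllib.request.Request(endpoint, data=body, method="POST")
    req.add_header("Authorization", "Basic " + basic)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def fetch_token(req, timeout=10):
    """Send the request. urllib's default opener keeps no cookie jar,
    so no stale session cookie can ride along with the client credentials."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Against a live instance, pass the body of /.well-known/openid-configuration as `discovery_json` and the numeric auth client ID and its secret as the credentials, then call `fetch_token` on the result.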

Just found this discussion. I tried to follow the example. But I fail when submitting the auth client configuration with error:
"Auth client update failed: auth client security configuration invalid."
When selecting "Will be used to to authenticate users" the configuration will be saved without error.

What version are you using?
Can you provide the screenshots/curl of the request you're executing (in the browser network console you can right click on the request and copy as cURL – remove the JWT).

I've now found the cause. The "impersonate user" field was empty. If I enter a user there, I can also submit.
But in your screenshot from March 25, the field was also empty. Mmmmh.
Another question:
What does the cURL statement look like when I want to log in a user from an external application with his userid and password? Is "client_credentials" the correct grant type for this case?