Sso token login #2

Open

jenshp wants to merge 3 commits into moqui:master from Moitcl:ssoTokenLogin

Conversation

@jenshp (Member) commented Jul 15, 2024

Add capability to log into the system by using a login_token issued by a known identity provider (like Keycloak or another OpenID-capable system), fetching user data from the identity provider as specified by the registered mappings. Requires changes in Framework (moqui/moqui-framework#638).

@acetousk (Member) commented

Hey Jen,

I'm trying out your PR, and I'm getting a weird error.

To reproduce:

git clone git@github.com:moitcl/moqui-framework moitcl
cd moitcl
git checkout ssoTokenLogin
gradle getRu
gradle dOS
cd runtime/component
git clone git@github.com:moitcl/moqui-sso
cd moqui-sso
git checkout ssoTokenLogin
cd ../../..
gradle build
java -jar moqui.war

In a new terminal

curl --request GET \
  --url http://localhost:8080/elastic \
  --header 'Accept: application/json' \
  --header 'sso_access_token: test' \
  --header 'sso_auth_flow: test'

Error:

java.lang.NullPointerException: Cannot get property 'request' on null object
	at org.codehaus.groovy.runtime.NullObject.getProperty(NullObject.java:60) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.codehaus.groovy.runtime.InvokerHelper.getProperty(InvokerHelper.java:190) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.codehaus.groovy.runtime.callsite.NullCallSite.getProperty(NullCallSite.java:46) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:329) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.moqui.sso.AuthenticationFlow.handleSwtLogin(AuthenticationFlow.groovy:159) ~[?:?]
	at org.moqui.sso.AuthenticationFlow$handleSwtLogin.call(Unknown Source) ~[?:?]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:157) ~[moqui_temp5021397272041375576WEB-INF_lib_groovy-3.0.19.jar.:3.0.19]
	at org.moqui.sso.MoquiSsoToolFactory$SsoTokenLoginHandler.handleSsoLoginToken(MoquiSsoToolFactory.groovy:40) ~[?:?]
	at org.moqui.impl.context.UserFacadeImpl.loginSsoToken(UserFacadeImpl.groovy:820) ~[moqui_temp14531228715189972516WEB-INF_lib_moqui-framework-3.1.0-rc2.jar.:3.1.0-rc2]
	at org.moqui.impl.context.UserFacadeImpl.initFromHttpRequest(UserFacadeImpl.groovy:182) ~[moqui_temp14531228715189972516WEB-INF_lib_moqui-framework-3.1.0-rc2.jar.:3.1.0-rc2]
	at org.moqui.impl.webapp.MoquiAuthFilter.doFilter(MoquiAuthFilter.groovy:73) ~[moqui_temp14531228715189972516WEB-INF_lib_moqui-framework-3.1.0-rc2.jar.:3.1.0-rc2]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[moqui_temp5426060402739373031execlib_jetty-servlet-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[moqui_temp5426060402739373031execlib_jetty-servlet-10.0.18.jar.:10.0.18]
	at org.moqui.impl.webapp.ElasticRequestLogFilter.doFilter(ElasticRequestLogFilter.groovy:110) ~[moqui_temp14531228715189972516WEB-INF_lib_moqui-framework-3.1.0-rc2.jar.:3.1.0-rc2]
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) ~[moqui_temp5426060402739373031execlib_jetty-servlet-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635) ~[moqui_temp5426060402739373031execlib_jetty-servlet-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527) ~[moqui_temp5426060402739373031execlib_jetty-servlet-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:598) ~[moqui_temp7348991605109757695execlib_jetty-security-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484) ~[moqui_temp5426060402739373031execlib_jetty-servlet-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.Server.handle(Server.java:563) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753) ~[moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501) [moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287) [moqui_temp963966538828119435execlib_jetty-server-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314) [moqui_temp11843110039074065919WEB-INF_lib_jetty-io-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) [moqui_temp11843110039074065919WEB-INF_lib_jetty-io-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) [moqui_temp11843110039074065919WEB-INF_lib_jetty-io-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969) [moqui_temp3280285341581410624WEB-INF_lib_jetty-util-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194) [moqui_temp3280285341581410624WEB-INF_lib_jetty-util-10.0.18.jar.:10.0.18]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149) [moqui_temp3280285341581410624WEB-INF_lib_jetty-util-10.0.18.jar.:10.0.18]
	at java.lang.Thread.run(Thread.java:829) [?:?]

If I log ec.web at the beginning of handleSwtLogin, I get null.

This could be that the curl request is wrong, but my guess is that it is something to do with how handleSwtLogin is passed an ExecutionFacadeImpl instead of an ExecutionFacade.

What do you think?

@jenshp (Member, Author) commented Jul 17, 2024

The error you mention seems to be because the URL is handled through the ElasticSearchProxy servlet and not the WebFacade. So, in this case the WebFacade really is null.
I am making some changes so that it does not depend on the WebFacade being in place, as it is mainly used to build the callback URL, so we can also make this case work.

@jenshp (Member, Author) commented Jul 17, 2024

So, there is a fix that avoids making the call dependent on the WebFacade being instantiated. It takes the necessary data directly from the HTTP request. The changes involve both repositories, moqui-sso and moqui-framework (moqui/moqui-framework#638).

@acetousk (Member) commented Jul 17, 2024

I've looked through this code, and it looks good to me.

My main question is how I would test this feature with Keycloak or other auth providers.

It's also worth checking the security implications of this. There was a problem with the security of the endpoint that generates an api_key or sessionToken, and this introduces a similar process, except that the token is generated by a third party.
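The security question raised in the last comment, worked as an added example: what a relying party must check before it trusts a token that a third-party identity provider issued and that arrives in a request header. This is stand-alone Python written for this page, not code from moqui-sso, moqui-framework or the PR. It assumes the header names from the curl reproduction above (`sso_access_token`, `sso_auth_flow`), a constructed issuer, audience and shared secret, and an HS256 shared-secret signature as a stand-in for the RS256/JWKS verification a real provider such as Keycloak would need; `make_token` exists only to construct test tokens.

```python
"""Added example (not moqui-sso / moqui-framework code): validate an
identity-provider-issued JWT presented in an HTTP header before mapping
it to a local login. HS256 with a shared secret stands in for the RS256
public-key verification a real OpenID provider would require."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration for the example only (not Moqui settings).
TRUSTED_ISSUERS = {"https://idp.example.test/realms/demo"}
EXPECTED_AUDIENCE = "moqui"
SHARED_SECRET = b"example-signing-key-not-for-production"
# Pin the algorithm: the token's own "alg" header is attacker-controlled input.
ALLOWED_ALGS = {"HS256"}


class TokenRejected(Exception):
    """Raised for any token that must not be used for login."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, alg: str = "HS256", key: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS for testing; a real IdP signs with its private key."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    # alg "none" produces an unsigned token; verify_token must reject it.
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the verified claims or raise TokenRejected.

    Each check blocks a distinct attack: algorithm pinning (alg=none / confusion),
    signature (forgery), issuer (token from an unrelated IdP), audience (token
    minted for another client replayed here), exp/nbf (stale or premature token).
    """
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as exc:  # covers unpacking, base64 and JSON errors
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenRejected("algorithm not allowed: %r" % header.get("alg"))
    expected = hmac.new(SHARED_SECRET, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise TokenRejected("untrusted issuer")
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if EXPECTED_AUDIENCE not in aud_set:
        raise TokenRejected("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("token not yet valid")
    if not claims.get("sub"):
        raise TokenRejected("missing subject")
    return claims


def login_from_headers(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Header-triggered SSO login, as in the curl reproduction (hypothetical flow):
    return the verified subject to map to a local account, or None when no
    trustworthy token is present. sso_auth_flow is never trusted on its own."""
    token = headers.get("sso_access_token")
    if not token:
        return None
    try:
        return verify_token(token, now)["sub"]
    except TokenRejected:
        return None
```

The curl in the reproduction sends `sso_access_token: test`; against these checks that request is simply unauthenticated rather than an error, which is the behaviour a login filter should have for garbage or forged tokens.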
