OIDC Authentication Issue on Windows Tomcat Server

Hi @tmortagne, Greetings!

I would like to get your opinion on an issue I have been facing for a long time with the OIDC Connect Authenticator: it is not working on Windows Server (Tomcat 9). We have tried the two different approaches described below.

1. Local XWiki Environment with Azure OAuth Provider (HTTP)

xwiki.cfg

> oidc.xwikiprovider=https://login.microsoftonline.com/tenantID/oauth2/
>  
> oidc.endpoint.authorization=https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize
> oidc.endpoint.token=https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
> oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
> oidc.endpoint.logout=https://login.microsoftonline.com/tenantID/oauth2/v2.0/logout
>  
> oidc.endpoint.userinfo.headers=Accept:application/json
> oidc.scope=openid,profile,email
> oidc.endpoint.userinfo.method=GET
>  
> oidc.user.nameFormater=${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}
> oidc.user.subjectFormater=${oidc.user.subject}
> oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
>  
> oidc.clientid=cientID
> oidc.secret=SecretID
>  
> oidc.endpoint.token.auth_method=client_secret_post
> oidc.skipped=false

Redirect URL: http://localhost:8000/xwiki/oidc/authenticator/callback

The above configuration with the local XWiki environment works fine, and we can access XWiki.

2. Windows Server XWiki (Tomcat 9) with the EmpowerID OAuth Provider (HTTP & HTTPS)

We configured the Windows Server-based XWiki in the same way as in approach 1.

We tried using two different sets of apps registered with the same redirects.

xwiki.cfg

> oidc.xwikiprovider=https://lgn.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration
>  
> oidc.endpoint.authorization=https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize
> oidc.endpoint.token=https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
> oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
> oidc.endpoint.logout=https://login.microsoftonline.com/tenantID/oauth2/v2.0/logout
>  
> oidc.endpoint.userinfo.headers=Accept:application/json
> oidc.scope=openid,profile,email
> oidc.endpoint.userinfo.method=GET
>  
> oidc.user.nameFormater=${oidc.issuer.host._clean}-${oidc.user.preferredUsername._clean}
> oidc.user.subjectFormater=${oidc.user.subject}
> oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
>  
> oidc.clientid=clientID
> oidc.secret=secretID
>  
> oidc.endpoint.token.auth_method=client_secret_post
> oidc.skipped=false

Redirect URLs: http://localhost:9000/xwiki/oidc/authenticator/callback, https://server_name/xwiki/oidc/authenticator/callback

But with approach 2, it shows the errors below:

Also when using another app's details:

HTTP Status 500 – Internal Server Error


Type Exception Report

Message Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

    javax.servlet.ServletException: Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]
        org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:161)
        org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
        org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
        org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
        org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)

Root Cause

    org.xwiki.resource.ResourceReferenceHandlerException: Failed to handle the OIDC endpoint
        org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:114)
        org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
        org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
        org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
        org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
        org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
        org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
        org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)

Root Cause

    java.net.ConnectException: Connection timed out: connect
        java.base/sun.nio.ch.Net.connect0(Native Method)
        java.base/sun.nio.ch.Net.connect(Net.java:579)
        java.base/sun.nio.ch.Net.connect(Net.java:568)
        java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:588)
        java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
        java.base/java.net.Socket.connect(Socket.java:633)
        java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:304)
        java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:178)
        java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:498)
        java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:603)
        java.base/sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:266)
        java.base/sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:380)
        java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:189)
        java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1242)
        java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1128)
        java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:175)
        java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1665)
        java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
        java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
        com.nimbusds.oauth2.sdk.http.HTTPRequest.toHttpURLConnection(HTTPRequest.java:1018)
        com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:1082)
        org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.requestToken(CallbackOIDCEndpoint.java:308)
        org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:214)
        org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:138)
        org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
        org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
        org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
        org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
        org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
        org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
        org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
        org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
        org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)

Thank you in advance for your attention and assistance.

Apparently, the authenticator got a timeout when it tried to access the configured token endpoint.
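As an added diagnostic (not part of tmortagne's reply and not code from the OIDC authenticator), the script below pulls the oidc.* URLs out of an xwiki.cfg and performs the same plain TCP connect that failed in the trace above; the sample config is constructed from the keys posted in this thread, and tenantID is the poster's placeholder.

```python
import socket
from urllib.parse import urlparse

# Constructed sample with the oidc.* URL keys posted in this thread
# (tenantID is the poster's placeholder, not a real tenant).
SAMPLE_CFG = """\
oidc.xwikiprovider=https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration
oidc.endpoint.authorization=https://login.microsoftonline.com/tenantID/oauth2/v2.0/authorize
oidc.endpoint.token=https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
oidc.endpoint.userinfo.method=GET
"""

def endpoint_hosts(cfg_text):
    """Map each oidc.* key whose value is an http(s) URL to (host, port); other keys are skipped."""
    hosts = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        url = urlparse(value)
        if key.startswith("oidc.") and url.scheme in ("http", "https") and url.hostname:
            hosts[key] = (url.hostname, url.port or (443 if url.scheme == "https" else 80))
    return hosts

def tcp_reachable(host, port, timeout=5.0):
    """Plain TCP connect, the step that raised ConnectException in the trace
    (sun.nio.ch.Net.connect), before any TLS handshake. Returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timed out: firewall or missing proxy between Tomcat and the IdP"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"

def check_endpoints(cfg_text, timeout=5.0):
    """Connect once per distinct host:port; report the result per config key."""
    hosts = endpoint_hosts(cfg_text)
    cache = {}
    for key, hp in hosts.items():
        if hp not in cache:
            cache[hp] = tcp_reachable(*hp, timeout=timeout)
    return {key: cache[hp] for key, hp in hosts.items()}

if __name__ == "__main__":
    for key, (ok, detail) in check_endpoints(SAMPLE_CFG).items():
        print("OK " if ok else "BAD", key, detail)
```

Run it on the Windows server itself, under the account the Tomcat service uses: a timeout there while a browser on the same machine reaches the IdP usually means an outbound proxy that the JVM is not configured to use (the JVM ignores the Windows proxy settings unless given https.proxyHost/https.proxyPort or java.net.useSystemProxies).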

This is the constant issue I have been facing with it.

I think this error is related to a setting in the Azure application you’ve created for your XWiki instance.

You can define that only members of a certain group are allowed to access the XWiki app. But you have to be a direct member; no subgroups allowed! Maybe you can use dynamic security groups if your Azure license allows this, but I don’t know exactly.

Edit: I just found this URL: https://kb.foxit.com/s/articles/6199211277972-Troubleshoot-Azure-AD-SSO-login-Error-AADSTS50105
But we’ve changed this setting so all users can use the app, and filtered it with allowed groups and group mappings.