[mitreid-connect] Unable to get authorize to work on 1.1.12

Justin P Richer jricher at mit.edu
Thu Dec 18 12:50:22 EST 2014


Additionally, I've just been pointed to the SMART on FHIR authorization server, which is based on top of the LDAP project and MITREid Connect 1.1.10:

https://github.com/smart-on-fhir/auth-server-ldap/tree/smart-launch

They haven't upgraded from 1.1.10 to 1.1.12 yet, but perhaps this will give you a working system to start from and we can figure out what's going on.

 -- Justin

________________________________
From: mitreid-connect-bounces at mit.edu [mitreid-connect-bounces at mit.edu] on behalf of Richer, Justin P. [jricher at mitre.org]
Sent: Thursday, December 18, 2014 12:44 PM
To: Felipe Polo-Wood
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Unable to get authorize to work on 1.1.12

If you're deploying with Tomcat, then 'catalina.out' should contain the application logs for the server. You can also overlay the log4j.xml configuration file and crank things up, but without even basic logs it's hard to say for sure what's going on or what direction to look in.

 -- Justin

On Dec 18, 2014, at 12:10 PM, Felipe Polo-Wood <felipe.polowood at duke.edu> wrote:


Is there a specific log that could give us more clues?


Felipe Polo-Wood
Sr. Manager
Clinical Applications Technical Services
Office: +1.919.668.2268
Mobile: +1.919.741.4213
________________________________
From: mitreid-connect-bounces at mit.edu <mitreid-connect-bounces at mit.edu> on behalf of Felipe Polo-Wood <felipe.polowood at duke.edu>
Sent: Thursday, December 18, 2014 11:35 AM
To: Richer, Justin P.
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Unable to get authorize to work on 1.1.12


LDAP appears to be functioning, since I end up in the management page and am able to manage the site by adding the client and editing it, but it never sends me the redirection with the code.

All our initial tests were done with an actual app that works on other environments (SMART enabled), but for this simple test I have used a plain browser in both cases.


Felipe Polo-Wood
Sr. Manager
Clinical Applications Technical Services
Office: +1.919.668.2268
Mobile: +1.919.741.4213
________________________________
From: Richer, Justin P. <jricher at mitre.org>
Sent: Thursday, December 18, 2014 11:30 AM
To: Felipe Polo-Wood
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Unable to get authorize to work on 1.1.12

There shouldn't be any additional requirements, and in fact 1.1.12 should work significantly better out of the box compared to 1.1.3, which had several large known issues. Are you able to log into the server directly, without using the authorization page? It sounds like there could be something going on with your LDAP connection that's preventing it from completing the transaction. Is there anything in your server logs that could indicate a crash or problem on the server?

Also, which client software are you using? I'm assuming it's the same for both cases.

 -- Justin

On Dec 18, 2014, at 11:13 AM, Felipe Polo-Wood <felipe.polowood at duke.edu> wrote:



We were having problems with 1.1.3 and it was suggested to upgrade to 1.1.12.  We haven't had much success, so I decided to run some tests in a very clean scenario with as little change as possible.  So, here it is:


I took a vanilla 1.1.3 and made one simple change to the sample client: add http://www.duke.edu as a redirect. I then whitelisted the client.

When calling http://xxx/ldap-openid-connect-server-113/authorize?client_id=client&redirect_uri=http://www.duke.edu&scope=openid%20profile&response_type=code it prompts me for credentials and then redirects me to http://www.duke.edu/?code=xxxxxxx

Subsequent access sends me directly w/o prompting for credentials.

On the management page it shows "There have been 1 user of this system who have logged in to 1 total site, for a total of 1 site approval" and the client shows up in the “Manage Approved Sites” page.


When trying to repeat that simple scenario in 1.1.12... added the redirect and whitelisted the client.

http://xxx/ldap-openid-connect-server/authorize?client_id=client&redirect_uri=http://www.duke.edu&scope=openid%20profile&response_type=code it prompts me for credentials every time and after the credentials it redirects me to the http://xxx/ldap-openid-connect-server management page, where it displays "There have been 0 users of this system who have authorized 0 applications, with a total of 0 site approvals" and the client never shows up in the "Manage Approved Sites" page.


Was there some change that requires some extra step or configuration for this simple scenario to work on 1.1.12?


Thanks,



Felipe Polo-Wood
Sr. Manager
Clinical Applications Technical Services
Office: +1.919.668.2268
Mobile: +1.919.741.4213
_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect

