[mitreid-connect] Help needed running the simple client.

Tue Feb 17 07:38:11 EST 2015

Yes, without those passwords the server wouldn't be able to open the 
certificate stores. And they have to be stored in plaintext or the 
server can't replay them to the keystore to unlock it. It really is 
pretty silly and doesn't protect much in practice. That's why with our 
server and client we now use JWKS files that aren't password protected 
-- we think it's better not to pretend there's security where there isn't.

The discovery happens in several steps. First, the client needs to look 
for an issuer, and it does this (in this case) using the Webfinger 
protocol. That's the first query you're seeing below. Once it gets past 
that stage, it looks for the server configuration, which is the second 
part. If you already know the issuer, then you can skip the webfinger 
lookup and go straight to the server configuration. To do that with the 
MITREid client software, you need to configure an IssuerService that 
won't try to do webfinger on you. You can try the StaticIssuerService if 
you know the issuer ahead of time (and it's only one), or the 
ThirdPartyIssuerService if you want to pass it in with the 'iss' 
parameter. The HybridIssuerService class will take in either the 'iss' 
parameter directly or the 'identifier' parameter and do Webfinger. This 
is what's configured out of the box in SimpleWebApp, but the login page 
always passes in the 'identifier' parameter and the 
WebfingerIssuerService isn't smart enough to punt on errors (yet).

So try the static service and point it to one server for now, then try a 
custom login page that passes the 'iss' parameter to the hybrid service, 
if you need multiple IdPs.

Hope this helps,
  -- Justin

On 2/17/2015 6:12 AM, Lachezar Dobrev wrote:
>    OK. Progress (kind-of).
>
>    I took a somewhat deeper look into that, and noticed something
> awkward: the Apache HTTP Client expects Trusted Certificates Store and
> Client Certificates Store to be declared in System Properties. Not only
> that, but the PASSWORDS to both are expected to be specified in the
> System Properties too. In plain text!
>
>    Anyway. I excluded the http client from the dependencies of the
> org.mitre:openid-connect-client and declared an explicit dependency to
> org.apache.httpcomponents:httpclient at 4.4, and now I'm getting a bit further.
>
>    Not I get 404 errors, because the OpenID-Connect client is looking for
>     https://whatever.server.com/path/.well-known/webfinger
>    And the servers are exposing
>     https://whatever.server.com/path/.well-known/openid-configuration
>
>    What am I missing here?
>    I'm totally at a loss.
>
> На 16.02.2015 в 20:12, Justin Richer написа:
>> That’s very strange, then. It still looks like it’s a configuration
>> problem with Glassfish’s SSL client setup that isn’t specific to the
>> MITREid Connect code. The MITREid client shouldn’t be touching the SSL
>> stores unless you’re pointing it at an HTTPS URL. I would try to dig
>> more into Glassfish configuration to see if that’s really the issue.
>>
>> The warning you got about non-HTTPS is just that — a warning, and it
>> doesn’t cause an error unless you lock it down for a full production
>> deployment.
>>
>>   — Justin Richer
>>       http://bspk.io/
>>
>>
>>> On Feb 16, 2015, at 12:23 PM, Lachezar Dobrev
>>> <l.dobrev at paladin.bulgarpress.com
>>> <mailto:l.dobrev at paladin.bulgarpress.com>> wrote:
>>>
>>>   No, not HTTPS, I'm trying the following:
>>>   * user at mitreid.org <mailto:user at mitreid.org>
>>>   * http://localhost:8080/openid-connect-server-webapp/
>>>   * http://localhost:8080/my-openid-connect-provider/
>>>
>>>   I also tried:
>>>   * https://demo.c2id.com/c2id
>>>
>>>   Same error.
>>>
>>>   This is my local development environment, not production.
>>>
>>>   For the http URLs I get a warning in the logs about https being
>>> required (apologies, I did not save that message), but it seems to
>>> continue forward and get the same result. Which is why I'm doubly puzzled.
>>>
>>> На 16.02.2015 в 19:07, Justin Richer написа:
>>>>  From the error logs below, it looks like you’re pointing to an HTTPS
>>>> server
>>>> URL that your client isn’t able to read. This appears to be happening
>>>> from
>>>> the Webfinger Issuer Service trying to do its lookup, which is what’s
>>>> causing
>>>> the “No issuer found” message. What URL are you entering in to the client
>>>> application?
>>>>
>>>> If it’s a real deployment, you’ll need to have your server set up with a
>>>> valid certificate that the client will trust. Without that, you’ll
>>>> get SSL
>>>> errors like the below as the client tries to connect. Note that simply
>>>> having the cert trusted in your browser isn’t enough, as the client makes
>>>> its own HTTPS connections directly to the server as well. It looks like
>>>> you’re configuring the keystore/truststore below but you’ve got the wrong
>>>> password or the file is corrupted. Can you open up the truststore with
>>>> ‘keytool’ on the command line? Do the parameters there match what you’re
>>>> passing to Glassfish’s configuration? (Apologies, I’m not immediately
>>>> familiar with Glassfish enough to know how it’s put together).
>>>>
>>>> If it’s a test deployment or a development setup, we recommend deploying
>>>> on plain HTTP and using HTTPS for production services. This side-steps
>>>> the issues around SSL certificates that can be problematic in
>>>> development.
>>>> You’ll need to solve those for production, of course, but by then you’ll
>>>> probably have a commercial certificate that’s already trusted in the
>>>> trust
>>>> store.
>>>>
>>>> — Justin
>>>>
>>>>
>>>>> On Feb 16, 2015, at 11:55 AM, Lachezar Dobrev
>>>>> <l.dobrev at paladin.bulgarpress.com
>>>>> <mailto:l.dobrev at paladin.bulgarpress.com>> wrote:
>>>>>
>>>>> Hello all.
>>>>>
>>>>> I am (trying to) developing an OpenID-Connect provider.
>>>>>
>>>>> To try it I decided to use the MitreID-Connect example simple-web-app
>>>>> client. The platform is a Glassfish-4 with OpenJDK 7.
>>>>>
>>>>> I fail in using it. No matter what I try I get a:
>>>>>
>>>>>> HTTP Status 401 - Authentication Failed: No issuer found.
>>>>> And the following stack trace:
>>>>>
>>>>>> 2015-02-16T18:53:22.462+0200|INFO: WARN :
>>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService
>>>>>> - Issue fetching issuer for user input: user at mitreid.org
>>>>>> <mailto:user at mitreid.org>
>>>>>> com.google.common.util.concurrent.UncheckedExecutionException:
>>>>>> org.apache.http.conn.ssl.SSLInitializationException: Failure
>>>>>> initializing default system SSL context
>>>>>> at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2258)
>>>>>> at com.google.common.cache.LocalCache.get(LocalCache.java:3990)
>>>>>> at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3994)
>>>>>> at
>>>>>> com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4878)
>>>>>> at
>>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService.getIssuer(WebfingerIssuerService.java:89)
>>>>>> at
>>>>>> org.mitre.openid.connect.client.service.impl.HybridIssuerService.getIssuer(HybridIssuerService.java:48)
>>>>>> at
>>>>>> org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleAuthorizationRequest(OIDCAuthenticationFilter.java:197)
>>>>>> at
>>>>>> org.mitre.openid.connect.client.OIDCAuthenticationFilter.attemptAuthentication(OIDCAuthenticationFilter.java:176)
>>>>>> at
>>>>>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>>>>>> at
>>>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>> at
>>>>>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>>>>> at
>>>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>> at
>>>>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>>> at
>>>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>>>>>> at
>>>>>> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>>>>>> at
>>>>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>>>>>> at
>>>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>>> at
>>>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>>>>> at
>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
>>>>>> at
>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>>>>>> at
>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
>>>>>> at
>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
>>>>>> at
>>>>>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
>>>>>> at
>>>>>> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
>>>>>> at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
>>>>>> at
>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
>>>>>> at
>>>>>> org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415)
>>>>>> at
>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282)
>>>>>> at
>>>>>> com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459)
>>>>>> at
>>>>>> com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167)
>>>>>> at
>>>>>> org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201)
>>>>>> at
>>>>>> org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175)
>>>>>> at
>>>>>> org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235)
>>>>>> at
>>>>>> org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
>>>>>> at
>>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
>>>>>> at
>>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
>>>>>> at
>>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
>>>>>> at
>>>>>> org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
>>>>>> at
>>>>>> org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
>>>>>> at
>>>>>> org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
>>>>>> at
>>>>>> org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
>>>>>> at
>>>>>> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
>>>>>> at
>>>>>> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
>>>>>> at
>>>>>> org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
>>>>>> at
>>>>>> org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
>>>>>> at
>>>>>> org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>> Caused by: org.apache.http.conn.ssl.SSLInitializationException:
>>>>>> Failure initializing default system SSL context
>>>>>> at
>>>>>> org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:368)
>>>>>> at
>>>>>> org.apache.http.conn.ssl.SSLSocketFactory.getSystemSocketFactory(SSLSocketFactory.java:204)
>>>>>> at
>>>>>> org.apache.http.impl.conn.SchemeRegistryFactory.createSystemDefault(SchemeRegistryFactory.java:82)
>>>>>> at
>>>>>> org.apache.http.impl.client.SystemDefaultHttpClient.createClientConnectionManager(SystemDefaultHttpClient.java:118)
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:466)
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.createHttpContext(AbstractHttpClient.java:286)
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:851)
>>>>>> at
>>>>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
>>>>>> at
>>>>>> org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:88)
>>>>>> at
>>>>>> org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
>>>>>> at
>>>>>> org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
>>>>>> at
>>>>>> org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:488)
>>>>>> at
>>>>>> org.springframework.web.client.RestTemplate.execute(RestTemplate.java:465)
>>>>>> at
>>>>>> org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:236)
>>>>>> at
>>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:207)
>>>>>> at
>>>>>> org.mitre.openid.connect.client.service.impl.WebfingerIssuerService$WebfingerIssuerFetcher.load(WebfingerIssuerService.java:174)
>>>>>> at
>>>>>> com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3589)
>>>>>> at
>>>>>> com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2374)
>>>>>> at
>>>>>> com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2337)
>>>>>> at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2252)
>>>>>> ... 46 more
>>>>>> Caused by: java.io.IOException: Keystore was tampered with, or
>>>>>> password was incorrect
>>>>>> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
>>>>>> at
>>>>>> sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
>>>>>> at java.security.KeyStore.load(KeyStore.java:1214)
>>>>>> at
>>>>>> org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:281)
>>>>>> at
>>>>>> org.apache.http.conn.ssl.SSLSocketFactory.createSystemSSLContext(SSLSocketFactory.java:366)
>>>>>> ... 65 more
>>>>>> Caused by: java.security.UnrecoverableKeyException: Password
>>>>>> verification failed
>>>>>> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
>>>>>> ... 69 more
>>>>>> 2015-02-16T18:53:22.462+0200|INFO: ERROR:
>>>>>> org.mitre.openid.connect.client.OIDCAuthenticationFilter - Null
>>>>>> issuer response returned from service.