<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Which authentication success event? I didn’t touch that part in my local config, so the one coming from the login page is still hooked up. Debugging from NetBeans on my machine isn’t working yet, but I put a log in the time stamper and didn’t see anything
in the catalina.out. I can definitely see that when logging in to the application itself through the login page.</div>
<div><br>
</div>
<div>Regards,</div>
<div>Luiz</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Justin Richer <<a href="mailto:jricher@mit.edu">jricher@mit.edu</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, June 18, 2015 at 12:59 PM<br>
<span style="font-weight:bold">To: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu">luiz.omori@dm.duke.edu</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [mitreid-connect] Support for Resource Owner Password Credentials<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
It needs to be the authentication success event, and the time stamper is designed to properly hook into the “authentication success handler” reference.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jun 18, 2015, at 11:39 AM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class=""><br class="">
</div>
<div class="">Any idea of which event could be used to attach the time stamper to? Also, any concerns about the http sessions?</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Date: </span>Thursday, June 18, 2015 at 11:30 AM<br class="">
<span style="font-weight:bold" class="">To: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu" class="">luiz.omori@dm.duke.edu</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] Support for Resource Owner Password Credentials<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Setting the auth time from the issue time would be very bad, as it gives a dangerously incorrect view of what the authentication context was.
<div class=""><br class="">
</div>
<div class="">The real fix is to have the oauth:password component tied into the time stamper so that the authentication event can be correctly recorded. Right now, your setup is bypassing this, which is causing the cascading errors.<br class="">
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jun 18, 2015, at 10:35 AM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">Actually, perhaps this, minus logs, would be even better:</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""> Long authTimestamp = (issueTime!=null) ? issueTime.getTime() : null;</div>
<div class=""> </div>
<div class=""> if (request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP)!=null) {</div>
<div class=""> authTimestamp = Long.parseLong((String) </div>
<div class=""> request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP)); </div>
<div class=""> }</div>
<div class=""> </div>
<div class=""> if (authTimestamp != null) {</div>
<div class=""> idClaims.setClaim("auth_time", authTimestamp / 1000L);</div>
<div class=""> logger.debug("auth_time:" + idClaims.getClaim("auth_time"));</div>
<div class=""> } else {</div>
<div class=""> logger.debug("auth_time: not available"); </div>
<div class=""> }</div>
<div class=""> </div>
</div>
<div class="">…which is using the issueTime as a fallback to set the auth_time claim. This sounds reasonable to me however don’t have the full picture so may actually be bad, don’t know.</div>
<div class=""><br class="">
</div>
<div class="">Now the real design aspect here is that this time appears to be set by AuthenticationTimeStamper which in turn is called by the authorization success event from the login page, which is absent in this flow. I was wondering if another event could
be used for calling this setter, but also came across the fact that http session was being used to store it. I don’t know the implications of using that storage/passing parameters mechanism in this possibly browser-less flow. Maybe you are using some kind
of virtual sessions? Other parameters may be affected as well. In any case, I tested the returned tokens using two custom applications to exchange tokens between them, making sure that there was no problems related to sessions and it seems to work fine.</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz </div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu" class="">luiz.omori@dm.duke.edu</a>><br class="">
<span style="font-weight:bold" class="">Date: </span>Wednesday, June 17, 2015 at 3:19 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] Support for Resource Owner Password Credentials<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">The minor change below in DefaultOIDCTokenService.java::createIdToken to check if AuthenticationTimeStamper.AUTH_TIMESTAMP is defined handles the problem from the pure code point of view. Not sure yet if that property is mandatory or not. Will
check where it could be defined. </div>
<div class=""><br class="">
</div>
<div class="">
<div class=""> if (request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP)!=null) {</div>
<div class=""> Long authTimestamp = </div>
<div class=""> Long.parseLong((String) request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP)); </div>
<div class=""> </div>
<div class=""> if (authTimestamp != null) {</div>
<div class=""> idClaims.setClaim("auth_time", authTimestamp / 1000L);</div>
<div class=""> }</div>
<div class=""> }</div>
</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu" class="">luiz.omori@dm.duke.edu</a>><br class="">
<span style="font-weight:bold" class="">Date: </span>Wednesday, June 17, 2015 at 2:15 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] Support for Resource Owner Password Credentials<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">Thanks. I was looking exactly at that but explicitly set the authentication-manager to “authenticationManager” which apparently causes the invocation of Mitre’s DefaultOAuth2ProviderTokenService down the line. That’s the same one used for the
MitreId server itself, right?</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span><oauth:password authentication-manager-ref="authenticationManager" /></div>
</div>
<div class=""><br class="">
</div>
<div class="">In any case, both seem to have the same behaviour on my system, which is an exception. See partial stack trace below. Will take a look what is causing that but let me know if you know the cause already.</div>
<div class=""><br class="">
</div>
<div class="">…</div>
<div class="">
<div class=""></pre><p><b>root cause</b></p><pre>java.lang.NumberFormatException: null</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>java.lang.Long.parseLong(Long.java:552)</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>java.lang.Long.parseLong(Long.java:631)</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>org.mitre.openid.connect.service.impl.DefaultOIDCTokenService.createIdToken(DefaultOIDCTokenService.java:112)</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>org.mitre.openid.connect.token.ConnectTokenEnhancer.enhance(ConnectTokenEnhancer.java:128)</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.createAccessToken(DefaultOAuth2ProviderTokenService.java:178)</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.createAccessToken(DefaultOAuth2ProviderTokenService.java:64)</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>org.springframework.security.oauth2.provider.token.AbstractTokenGranter.getAccessToken(AbstractTokenGranter.java:70)</div>
</div>
<div class="">…</div>
<div class=""><br class="">
</div>
<div class="">Well, yes, this may be used by legacy system in our case. By the way, what is the official view for this OAuth2 flow under OpenId Connect? I’ve seen arguments about Authorization and Implicit flows being recommended by OpenId Connect, but not
explicitly saying that Client Credentials and Resource Owner are not allowed.</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Date: </span>Wednesday, June 17, 2015 at 1:34 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu" class="">luiz.omori@dm.duke.edu</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>><br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [mitreid-connect] Support for Resource Owner Password Credentials<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Override or edit authz-context.xml and add the following line:
<div class=""><br class="">
</div>
<div class=""><span class="blob-code-inner"><<span class="pl-ent">oauth</span><span class="pl-ent">:</span><span class="pl-ent">password</span>/></span></div>
<div class=""><span class="blob-code-inner"><br class="">
</span></div>
<div class=""><span class="blob-code-inner">next to all the other grants. And be very careful using this flow, you should only ever use it with highly trusted and legacy clients that can’t open a browser.</span></div>
<div class=""><span class="blob-code-inner"><br class="">
</span></div>
<div class=""><span class="blob-code-inner"> — Justin</span></div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jun 16, 2015, at 1:29 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">Hi,</div>
<div class=""><br class="">
</div>
<div class="">I’ve seen a ticket requesting support for the Resource Owner (grant_type=password) flow and it’s said that it’s already supported but a special server configuration is necessary, possibly accomplished using Maven Overlays. Could you clarify exactly
which server reconfiguration is required? Currently I’m building my own test server so don’t really care about Maven Overlays at this point, can hack something directly in the build if necessary.</div>
<div class=""><br class="">
</div>
<div class="">As you suspect, my client app is getting the error below, even tough the application support for grant type password is checked:</div>
<div class=""><br class="">
</div>
<div class="">{"error":"unsupported_grant_type","error_description":"Unsupported grant type: password”}</div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
<div class=""><br class="">
</div>
<div class=""><a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/567" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/567</a></div>
<div class=""><br class="">
</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span></div>
</div>
</span></div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span>
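<div><br></div>
<div>Added example, not code from the thread or from MITREid Connect: the auth_time handling the discussion converges on (emit the claim only from a recorded login event, never from the issue time), written in Python for illustration rather than Java, next to the relying-party max_age check that shows why the issue-time fallback is unsafe. The AUTH_TIMESTAMP key name is a stand-in for the time stamper's extension key, and every timestamp is constructed.</div>

```python
# Added illustration of the auth_time rules from the thread, not MITREid code.
# Server: emit auth_time only from the recorded login event (ms as a string),
# never from the issue time. Client: an RP that sent max_age needs a fresh one.
from typing import Optional

AUTH_TIMESTAMP = "AUTH_TIMESTAMP"  # stand-in for the time stamper's extension key


def build_id_claims(extensions: dict, issue_time: int) -> dict:
    """auth_time appears only when a login was recorded; the None check avoids the
    parse failure in the thread, and omitting the claim is the honest answer."""
    claims = {"iat": issue_time}
    raw = extensions.get(AUTH_TIMESTAMP)
    if raw is not None:
        claims["auth_time"] = int(raw) // 1000  # ms -> seconds, as in the thread
    return claims


def build_id_claims_with_fallback(extensions: dict, issue_time: int) -> dict:
    """The rejected variant (auth_time := issue time), kept only for contrast."""
    claims = build_id_claims(extensions, issue_time)
    claims.setdefault("auth_time", issue_time)
    return claims


def check_auth_time(claims: dict, max_age: Optional[int], now: int) -> str:
    """RP-side check: OpenID Connect Core requires auth_time when the client
    sent max_age, and the RP compares it with the current time."""
    if max_age is None:
        return "ok"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return "reject: auth_time missing"
    if now - auth_time > max_age:
        return "reject: authentication too old"
    return "ok"


def demo() -> dict:
    """Constructed scenario: last real login two hours before issue, max_age=300."""
    login_ms = "1434628800000"  # constructed: 2015-06-18 12:00:00 UTC in ms
    issued = 1434636000         # constructed: two hours later, in seconds
    return {
        "honest": check_auth_time(build_id_claims({}, issued), 300, issued),
        "fallback": check_auth_time(
            build_id_claims_with_fallback({}, issued), 300, issued),
        "recorded": check_auth_time(
            build_id_claims({AUTH_TIMESTAMP: login_ms}, issued), 300, issued),
    }
```

<div>The fallback variant is the only one the max_age check accepts, even though no interactive login happened, which is the "dangerously incorrect view" the thread warns about.</div>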
</body>
</html>