Bug
| Question | Answer
|---------------------------|--------------------
| OS version (server) | Ubuntu
| OS version (client) | 10
| TheHive version / git hash | 4.0-RC1
While testing oauth2 on TH4 i got a "notfounderror from" scalligraph endpoint. 驴is this endpoint disabled?

Looking for information, i found 4 new variables on the documentation versus others related issues (https://github.com/TheHive-Project/TheHiveDocs/blob/4f8095184a0a99d26279e67e5db15f0de70d8662/TheHive4/Administration/Authentication.md)
are these mandatory?
https://github.com/TheHive-Project/TheHive/pull/430
https://github.com/TheHive-Project/TheHive/issues/946
https://github.com/TheHive-Project/TheHive/issues/354
https://github.com/TheHive-Project/TheHive/issues/1010
https://github.com/TheHive-Project/TheHiveDocs/blob/050399d1fadeeb070634d6c6ca35cdd96d3f2a71/admin/configuration.md
https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/configuration.md#32-oauth2openid-connect
I checked this endpoint between two TH instances (TH3.4 and TH4.0) and y got same error:

I found information on this line (https://github.com/TheHive-Project/ScalliGraph/blob/198bd5cb71f776f2cde96ca168b2d8ce31d1ffe7/core/src/main/scala/org/thp/scalligraph/auth/OAuth2Srv.scala#L57)

Two new vars are mandatory.
Current configuration is below:
auth {
provider = [local, oauth2]
oauth2 {
# URL of the authorization server
clientId = "value"
clientSecret = "value"
redirectUri = "https://Thehive/index.html"
responseType = "code"
grantType = "authorization_code"
# URL from where to get the access token
authorizationUrl = "domain/oauth2/v2.0/authorize"
tokenUrl = "domain/oauth2/v2.0/Token"
# The endpoint from which to obtain user details using the OAuth token, after successful login
userUrl = "domain/api/User"
scope = "openid profile"
}
# Single-Sign On
sso {
# Autocreate user in database?
autocreate = true
# Autoupdate its profile and roles?
autoupdate = true
# Autologin user using SSO?
autologin = true
# Attributes mappings
attributes {
login = "sub"
name = "name"
groups = "groups"
#roles = "roles"
}
# Name of mapping class from user resource to backend user ('simple' or 'group')
mapper = group
# Default roles for users with no groups mapped ("read", "write", "admin")
defaultRoles = []
groups {
# # URL to retreive groups (leave empty if you are using OIDC)
url = "https://domain/api/Groups"
# # Group mappings, you can have multiple roles for each group: they are merged
mappings {
admin-profile-name = ["admin"]
editor-profile-name = ["write"]
reader-profile-name = ["read"]
}
}
}
i saw this https://github.com/TheHive-Project/TheHive/issues/1110 and this https://github.com/TheHive-Project/TheHive/issues/1228.
I think these are the same problems beacause i am able to get oatuh2 code and landing to redirect_uri, but TH dont let me login.
I will re-test this functionality when new versi贸n will be released continuing some QA tests
The request redirect URI is:
https://hive.foo.com/index.html#!/login
URI's are than reconstructed to the following by Keycloak:
https://hive.foo.com/index.html?session_state=state&code=code#!/login
TheHive expects:
https://hive.foo.com/index.html#!/login?session_state=state&code=code
This order of components is non-standard:
https://tools.ietf.org/html/rfc3986#section-3
I'm uncertain how to resolve this, but to revert to version 3.4.0.
Good news. Thank to @To-om. On Thehive 3.4.1 same configurations is working properly.
Hello,
I think two problems are addressed here:
To answer @TheChef23:
I made this change in order to be able to remove the code parameter from the URI, without reloading the entire AngularJS frontend app. This is not standard, indeed. However, please note that this change was mentionned in the PR (#1112).
If @To-om wants, I can go back to standard and perform a:
$window.location.href = "index.html"
on L21 of AuthenticationCtrl.js, but this will refresh the page.
Most helpful comment
i saw this https://github.com/TheHive-Project/TheHive/issues/1110 and this https://github.com/TheHive-Project/TheHive/issues/1228.
I think these are the same problems beacause i am able to get oatuh2 code and landing to redirect_uri, but TH dont let me login.
I will re-test this functionality when new versi贸n will be released continuing some QA tests