Thehive: [Bug] Oauth2 on TH4

Created on 13 Apr 2020  路  6Comments  路  Source: TheHive-Project/TheHive

Request Type

Bug

Work Environment

| Question | Answer
|---------------------------|--------------------
| OS version (server) | Ubuntu
| OS version (client) | 10
| TheHive version / git hash | 4.0-RC1

Problem Description

While testing oauth2 on TH4 i got a "notfounderror from" scalligraph endpoint. 驴is this endpoint disabled?

image

Looking for information, i found 4 new variables on the documentation versus others related issues (https://github.com/TheHive-Project/TheHiveDocs/blob/4f8095184a0a99d26279e67e5db15f0de70d8662/TheHive4/Administration/Authentication.md)

  • userIdField (string) the field that contains the id of the user in user info
  • userOrganisationField (string)
  • defaultOrganisation (string)
  • authorizationHeader (string)

are these mandatory?

Steps to Reproduce

  1. Config auth and sso on application.conf
  2. Try to log on Oauth2

issues related

https://github.com/TheHive-Project/TheHive/pull/430
https://github.com/TheHive-Project/TheHive/issues/946
https://github.com/TheHive-Project/TheHive/issues/354
https://github.com/TheHive-Project/TheHive/issues/1010

https://github.com/TheHive-Project/TheHiveDocs/blob/050399d1fadeeb070634d6c6ca35cdd96d3f2a71/admin/configuration.md
https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/configuration.md#32-oauth2openid-connect

TheHive4 bug

Most helpful comment

i saw this https://github.com/TheHive-Project/TheHive/issues/1110 and this https://github.com/TheHive-Project/TheHive/issues/1228.

I think these are the same problems beacause i am able to get oatuh2 code and landing to redirect_uri, but TH dont let me login.

I will re-test this functionality when new versi贸n will be released continuing some QA tests

All 6 comments

I checked this endpoint between two TH instances (TH3.4 and TH4.0) and y got same error:

image

I found information on this line (https://github.com/TheHive-Project/ScalliGraph/blob/198bd5cb71f776f2cde96ca168b2d8ce31d1ffe7/core/src/main/scala/org/thp/scalligraph/auth/OAuth2Srv.scala#L57)

image

Two new vars are mandatory.

Current configuration is below:

auth {

  provider = [local, oauth2]

  oauth2 {
    # URL of the authorization server
    clientId = "value"
    clientSecret = "value"
    redirectUri = "https://Thehive/index.html"
    responseType = "code"
    grantType = "authorization_code"

    # URL from where to get the access token
    authorizationUrl = "domain/oauth2/v2.0/authorize"
    tokenUrl = "domain/oauth2/v2.0/Token"

    # The endpoint from which to obtain user details using the OAuth token, after successful login
    userUrl = "domain/api/User"
    scope = "openid profile"
  }

  # Single-Sign On
  sso {
    # Autocreate user in database?
    autocreate = true

    # Autoupdate its profile and roles?
    autoupdate = true

    # Autologin user using SSO?
    autologin = true
    # Attributes mappings
    attributes {
      login = "sub"
      name = "name"
      groups = "groups"
      #roles = "roles"
    }

    # Name of mapping class from user resource to backend user ('simple' or 'group')
    mapper = group
    # Default roles for users with no groups mapped ("read", "write", "admin")
    defaultRoles = []

    groups {
    #  # URL to retreive groups (leave empty if you are using OIDC)
     url = "https://domain/api/Groups"
    #  # Group mappings, you can have multiple roles for each group: they are merged
      mappings {
        admin-profile-name = ["admin"]
        editor-profile-name = ["write"]
        reader-profile-name = ["read"]
      }
    }
  }

i saw this https://github.com/TheHive-Project/TheHive/issues/1110 and this https://github.com/TheHive-Project/TheHive/issues/1228.

I think these are the same problems beacause i am able to get oatuh2 code and landing to redirect_uri, but TH dont let me login.

I will re-test this functionality when new versi贸n will be released continuing some QA tests

1110 This breaks integration with implementations.

The request redirect URI is:
https://hive.foo.com/index.html#!/login
URI's are than reconstructed to the following by Keycloak:
https://hive.foo.com/index.html?session_state=state&code=code#!/login
TheHive expects:
https://hive.foo.com/index.html#!/login?session_state=state&code=code

This order of components is non-standard:
https://tools.ietf.org/html/rfc3986#section-3

I'm uncertain how to resolve this, but to revert to version 3.4.0.

Good news. Thank to @To-om. On Thehive 3.4.1 same configurations is working properly.

Hello,

I think two problems are addressed here:

  • @torsolaso is indicating that the documentation was updated with last OIDC config parameter, but their support was only added in 3.4.1
  • @TheChef23 is noting a non standard components order in the URI

To answer @TheChef23:
I made this change in order to be able to remove the code parameter from the URI, without reloading the entire AngularJS frontend app. This is not standard, indeed. However, please note that this change was mentionned in the PR (#1112).

If @To-om wants, I can go back to standard and perform a:

$window.location.href = "index.html"

on L21 of AuthenticationCtrl.js, but this will refresh the page.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ilyaglow picture ilyaglow  路  6Comments

auslaender6 picture auslaender6  路  6Comments

DrJohn1 picture DrJohn1  路  3Comments

rhaist picture rhaist  路  4Comments

vi-or-die picture vi-or-die  路  4Comments