Thehive: [Bug] Can't auth with SSO/OAuth with FusionAuth

Created on 18 May 2020  路  13Comments  路  Source: TheHive-Project/TheHive

Can't auth with SSO/OAuth with FusionAuth

Request Type

Bug

Work Environment

| Question | Answer
|---------------------------|--------------------
| OS version (server) | Ubuntu 16
| OS version (client) | Ubuntu 16
| TheHive version | 3.2.4-1
| Package Type | DEB
| Browser type & version | Chrome/FF
| FusionAuth Version | 1.15.8

Problem Description

Authing with OIDC via FusionAuth sends me to the following, provides the code, says authenticated
https://hive_url/index.html?code=$thecode&locale=en_US&userState=Authenticated#!/login

But i'm always sent back to the Hive login screen, where I auth with my identity provider credentials (click the login with SSO button), and I get:

2020-05-05 03:06:44,062 [DEBUG] from org.elastic4play.services.auth.MultiAuthSrv in application-akka.actor.default-dispatcher-5 - key AuthenticationError SSO authentication is not supported
2020-05-05 03:06:44,062 [DEBUG] from org.elastic4play.services.auth.MultiAuthSrv in application-akka.actor.default-dispatcher-5 - local AuthenticationError SSO authentication is not supported
2020-05-05 03:06:44,063 [DEBUG] from org.elastic4play.services.auth.MultiAuthSrv in application-akka.actor.default-dispatcher-5 - oauth2 OAuth2Redirect https://$oauth_endpoint/oauth2/authorize
2020-05-05 03:06:44,335 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-18 - Authentication failure:
    session: AuthenticationError User session not found
    pki: AuthenticationError Certificate authentication is not configured
    key: AuthenticationError Authentication header not found
    init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-05-05 03:06:44,336 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-18 - GET /api/list/ui_settings returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
    at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
2020-05-05 03:06:44,336 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-4 - Authentication failure:
    session: AuthenticationError User session not found
    pki: AuthenticationError Certificate authentication is not configured
    key: AuthenticationError Authentication header not found
    init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-05-05 03:06:44,337 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-4 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
    at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

If I enable autologin in the config, I get sent into an infinite loop of authing and sending me to the login page.

I've tried redirect URIs for index.html, with and without the #!/login.

Config:

auth {

  provider = [local,oauth2]

  oauth2 {
    clientId = "REDACTED"
    clientSecret = "REDACTED"
    redirectUri = "https://$hive_url/index.html"
    responseType = "code"
    grantType = "authorization_code"
    authorizationUrl = "https://$oauth_endpoint/oauth2/authorize"
    tokenUrl = "https://$oauth_endpoint/oauth2/token"
    userUrl = "https://$oauth_endpoint/oauth2/userinfo"
    scope = "openid"
  }

   sso {
        mapper = groups
        autocreate = true
        autoupdate = true
        defaultRoles = ["read","write"]
        autologin = true
        attributes {
            login = "username"
            name = "username"
            groups = "groups"
            #roles = "roles"
        }
        defaultRoles = ["read","write"]
        groups.mappings {
            analyst = ["read", "write"]
            admin = ["read", "write", "admin"]
        }
    }
}

Steps to Reproduce

  1. Configure SSO/OAuth in application.conf
  2. Log in with IDP / click login with SSO
  3. Get code successfully from FusionAuth and userState=Authenticated in URL
  4. User session not found in Hive logs and unable to log in

Complementary information

https://github.com/FusionAuth/fusionauth-issues/issues/620

https://github.com/TheHive-Project/TheHive/issues/946

TheHive3 bug

Most helpful comment

Hello @shortstack I've checked that fusionauth works fine with TheHive 4.

I still need to check that with TheHive 3 (it's not the exact same configuration since oauth2 implementation has been rewritten in TheHive 4)

I'll let you know

All 13 comments

Hello @shortstack I've checked that fusionauth works fine with TheHive 4.

I still need to check that with TheHive 3 (it's not the exact same configuration since oauth2 implementation has been rewritten in TheHive 4)

I'll let you know

@nadouani working on this now, but it seems that the user has to already exist in the hive? vs fusionauth adding the user upon successful auth? could you possibly send your working auth configuration for hive 4? thank you!

current configuration with fusionauth is throwing 401 unauthorized:

    {name: oauth2,
        clientId: "REDACTED",
        clientSecret: "REDACTED",
        redirectUri: "https://REDACTED/index.html#login",
        responseType: "code",
        grantType: "authorization_code",
        authorizationUrl: "https://REDACTED/oauth2/authorize",
        tokenUrl: "https://REDACTED/oauth2/token",
        userUrl: "https://REDACTED/oauth2/userinfo",
        scope: ["openid"],
        userIdField: "email",
        defaultOrganisation: "REDACTED",
        authorizationHeader: "bearer"
    }
2020-05-28 19:34:58,298 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-14 - 10.30.0.222 GET /index.html took 3ms and returned 200 1191 bytes
2020-05-28 19:34:58,440 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-12 - 10.30.0.222 GET /styles/vendor.7dd02a27.css took 3ms and returned 200 279814 bytes
2020-05-28 19:34:58,442 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /styles/app.305da315.css took 1ms and returned 200 122092 bytes
2020-05-28 19:34:58,446 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /scripts/scripts.b3a0b16f.js took 1ms and returned 200 605721 bytes
2020-05-28 19:34:58,446 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-13 - 10.30.0.222 GET /scripts/vendor.29b36f82.js took 1ms and returned 200 2036467 bytes
2020-05-28 19:34:58,624 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /fonts/SourceSansPro-Regular.otf took 2ms and returned 200 229588 bytes
2020-05-28 19:34:59,203 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 - 10.30.0.222 GET /api/status took 3ms and returned 200 402 bytes
2020-05-28 19:34:59,308 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /fonts/glyphicons-halflings-regular.woff2 took 2ms and returned 200 18028 bytes
2020-05-28 19:34:59,317 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 GET /images/logo.svg took 1ms and returned 200 2024 bytes
2020-05-28 19:34:59,340 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 GET /fonts/SourceSansPro-Light.otf took 3ms and returned 200 226032 bytes
2020-05-28 19:35:08,312 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-5 - Found SSO request
2020-05-28 19:35:08,312 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-5 - Code or state is not provided, redirect to authorizationUrl
2020-05-28 19:35:08,313 [DEBUG] from org.thp.scalligraph.auth.OAuth2Srv in application-akka.actor.default-dispatcher-5 - Redirecting to https://REDACTED/index.html with Map(state -> List(ade255d8-a5f1-4c6f-a453-64a8102a8cd0), scope -> List(openid), redirect_uri -> List(https://REDACTED/index.html), client_id -> List(REDACTED), response_type -> List(code)) and state ade255d8-a5f1-4c6f-a453-64a8102a8cd0
2020-05-28 19:35:08,313 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 POST /api/ssoLogin took 4ms and returned 302 0 bytes
2020-05-28 19:35:08,454 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /index.html took 2ms and returned 200 1191 bytes
2020-05-28 19:35:08,540 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /styles/app.305da315.css took 2ms and returned 200 122092 bytes
2020-05-28 19:35:08,541 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-10 - 10.30.0.222 GET /scripts/vendor.29b36f82.js took 1ms and returned 200 2036467 bytes
2020-05-28 19:35:08,544 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-12 - 10.30.0.222 GET /scripts/scripts.b3a0b16f.js took 1ms and returned 200 605721 bytes
2020-05-28 19:35:08,546 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-5 - 10.30.0.222 GET /styles/vendor.7dd02a27.css took 1ms and returned 200 279814 bytes
2020-05-28 19:35:08,709 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 - 10.30.0.222 GET /fonts/SourceSansPro-Regular.otf took 2ms and returned 200 229588 bytes
2020-05-28 19:35:09,225 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /api/status took 3ms and returned 200 402 bytes
2020-05-28 19:35:09,227 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-12 - GET /api/list/ui_settings returned 401: Authentication failure
2020-05-28 19:35:09,228 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-13 - GET /api/v1/user/current returned 401: Authentication failure
2020-05-28 19:35:09,301 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 - 10.30.0.222 GET /api/status took 2ms and returned 200 402 bytes

Looks to be working up until where TH is presenting the identity token to the OIC endpoints.
Just on the off chance, try capitalising the b of Bearer
authorizationHeader: "Bearer"

Think I had that problem once.

@jimbobnet i tried that :( same 401, thank you though!

@nadouani working on this now, but it seems that the user has to already exist in the hive? vs fusionauth adding the user upon successful auth? could you possibly send your working auth configuration for hive 4? thank you!

any thoughts, @nadouani? or could i see your config to compare? and does the user have to exist prior to authing, or can it create that user upon successful auth with fusionauth?

thank you!

bump :( stuck getting this to auth with fusionauth receiving a 401

tracking here as well: https://github.com/FusionAuth/fusionauth-issues/issues/708

stuck at the moment

This is marked as a bug, is that confirmed or is there anything we can do to help on the FusionAuth end of things?

@robotdan i'm really not sure where the problem lies, to be honest. i am not a developer for either of these products

@nadouani says he had TheHive 4 working properly with FusionAuth, but this was with them both running on the same system / locally

we absolutely need SSO to work between these platforms in order to continue :(

I don't know that I was able to recreate your exact results, but with the following configuration I see this in the JavaScript console when I click on "Sign in with SSO".

Hive 3.4.0-1

auth {
  provider = [local,oauth2]

  oauth2 {
    clientId = "bed50ce7-98f2-4562-90d0-852ab29c67b4"
    clientSecret = "My Super Secret Client Secret"
    redirectUri = "http://10.60.6.107:9000/index.html#login"
    responseType = "code"
    grantType = "authorization_code"
    authorizationUrl = "http://localhost:9011/oauth2/authorize"
    tokenUrl = "http://localhost:9011/oauth2/token"
    userUrl = "http://localhost:9011/oauth2/userinfo"
    scope = "openid"
  }

   sso {
        mapper = groups
        autocreate = true
        autoupdate = true
        autologin = false
        attributes {
            login = "sub"
            name = "username"
            groups = "roles"
        }
        defaultRoles = ["read","write"]
        groups.mappings {
            analyst = ["read", "write"]
            admin = ["read", "write", "admin"]
        }
    }
}

image

vendor.52cb873c.js:1 Possibly unhandled rejection: {"data":{"type":"AuthenticationError","message":"Authentication failure"},"status":401,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"./api/list/ui_settings","headers":{"Accept":"application/json, text/plain, */*","X-THE-HIVE-XSRF-TOKEN":"823163b8c580efb2bf9f63b29e29301d3a062bca-1593447758159-68b8123dd09fe4b16b80307c"}},"statusText":"Unauthorized","xhrStatus":"complete","resource":{}}

And this is in the Hive logs

2020-06-29 17:47:40,604 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-17 - Authentication failure:
    session: AuthenticationError User session not found
    pki: AuthenticationError Certificate authentication is not configured
    key: AuthenticationError Authentication header not found
    init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-06-29 17:47:40,605 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-17 - GET /api/list/ui_settings returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
    at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
2020-06-29 17:47:40,609 [ERROR] from org.elastic4play.controllers.Authenticated in application-akka.actor.default-dispatcher-2 - Authentication failure:
    session: AuthenticationError User session not found
    pki: AuthenticationError Certificate authentication is not configured
    key: AuthenticationError Authentication header not found
    init: AuthenticationError Use of initial user is forbidden because users exist in database
2020-06-29 17:47:40,611 [INFO] from org.elastic4play.ErrorHandler in application-akka.actor.default-dispatcher-2 - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
    at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:272)
    at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
    at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

I can also confirm that the Token and Userinfo endpoints configured via the tokenUrl and userUrl values are never called. The redirect occurs after the Authorize request, and it appears some initial authentication occurs and fails before it attempts to exchange the auth code for a token using the Token endpoint.

glad i'm not alone!

unfortunately, we're aiming for thehive4 (not v3, we've mostly abandoned that in the interest of getting SSO working) for all of this :( https://github.com/FusionAuth/fusionauth-issues/issues/708

which is likely why you had different results

Thank you! I just re-read your initial v3 issue and my results match up to yours. https://github.com/FusionAuth/fusionauth-issues/issues/620 My mistake.

I'll see if I can put together a v4 instance and attempt your recreate.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

a5m0 picture a5m0  路  5Comments

milesflo picture milesflo  路  3Comments

crackytsi picture crackytsi  路  5Comments

24kuznec picture 24kuznec  路  3Comments

DrJohn1 picture DrJohn1  路  3Comments