
IRC log for #openam, 2015-09-28


All times shown according to UTC.

Time Nick Message
00:56 MegaMatt joined #openam
01:33 metadaddy_ joined #openam
01:36 ikonia_ joined #openam
01:36 asyd_ joined #openam
01:36 lazzurs_ joined #openam
01:37 Ooze joined #openam
04:51 ramteid joined #openam
06:42 KermitTheFragger joined #openam
08:05 aldaris joined #openam
09:39 ramteid joined #openam
09:52 fairuz joined #openam
09:54 fairuz left #openam
10:00 asyd joined #openam
10:12 yawnt hi
10:12 aldaris hi
10:12 yawnt i'm trying to setup oauth2 + saml flow
10:12 yawnt everything seems to work
10:12 aldaris ah
10:12 yawnt however i'm getting
10:12 aldaris that's a surprise
10:12 yawnt "error":"invalid_scope"
10:12 yawnt after I login
10:13 yawnt http://openam-dip:8080/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=http://openam-dsp:8081/openam
10:13 yawnt this is the url i'm using
10:14 yawnt i can login fine, but when i redirect
10:14 yawnt {"error_description":"No scope requested and no default scope configured","error":"invalid_scope"}
10:14 yawnt any ideas?
10:17 aldaris what does your original URL look like?
10:17 aldaris and you will need to remind me what the oauth2 + saml flow is meant to do
10:18 aldaris the invalid scope error is about not having requested a single scope, and there are no default scopes configured in the OAuth2 client either
10:18 yawnt it basically uses a SAML authorization as a bearer
10:18 yawnt which is exchanged for an access token
10:18 aldaris ah
10:18 aldaris so your access_token request has a SAML assertion embedded somewhere
10:19 yawnt indeed i do not have any scopes in the oauth2 client
10:19 yawnt i'm logging as the demo user
10:19 yawnt and using the default OpenAM scope validator where
10:19 yawnt "whereby scopes are taken to be resource owner profile attribute names, then keep the default setting."
10:20 yawnt so basically i should add the attributes of the demo user to the default scopes ?
10:20 aldaris If the client omits the scope parameter when requesting
10:20 aldaris authorization, the authorization server MUST either process the
10:20 aldaris request using a pre-defined default value or fail the request
10:20 aldaris indicating an invalid scope.
10:22 yawnt well, the problem is that OpenAM automatically posts the request for me to oauth2
10:22 yawnt i tried adding a scope parameter to the idpSSOInit.jsp
10:22 yawnt but it's not picking it up
10:22 aldaris how so?
10:22 aldaris sorry, I always forget this oauth2 flow
10:22 aldaris what exactly makes that access_token request?
10:23 yawnt https://github.com/OpenRock/OpenAM/blob/master/openam/openam-oauth2-saml2/src/main/java/org/forgerock/openam/oauth2/saml2/core/OAuth2Saml2GrantSPAdapter.java
10:24 yawnt this
10:25 ramteid joined #openam
10:25 aldaris aah
10:25 aldaris thanks
10:25 aldaris and sorry for being clueless :p
10:26 yawnt yeah no worries
10:26 yawnt i tried adding a 'id' default scope
10:26 aldaris then you would either need to modify the SPAdapter to post the requested scopes in extra
10:26 yawnt but now it says com.sun.identity.saml2.common.SAML2Exception: No local user being mapped.
10:26 aldaris or add a default scope like "uid"
10:26 yawnt let's try with uid instead of id
10:26 aldaris saml won't fail due to oauth2 config changes
10:26 aldaris that no local user mapping seems to be a different config issue
10:30 yawnt the weird thing is
10:30 yawnt i followed the guide
10:30 yawnt step by step
10:31 yawnt so i have no idea why mapping wouldn't work
10:31 aldaris not sure
10:31 aldaris depends on a lot of things
10:31 aldaris but it worked before
10:31 aldaris so how did you mess it up?
10:32 yawnt i added uid to oauth2 client default scopes
10:32 aldaris which NameID-Format are you using?
10:33 yawnt i just added uid
10:33 aldaris that's default scope and it's an oauth2 setting
10:33 aldaris I'm talking about saml2
10:34 yawnt uhm, nothing, i just went on with all the default parameters
10:34 aldaris so persistent
10:34 yawnt (btw i removed uid from the oauth2 client, now we're back at the invalid scope)
10:34 yawnt oh, it's dev environment
10:34 aldaris did you do a SAML flow with amadmin logged in instead of demo?
10:34 yawnt not supposed to be persistent
10:34 yawnt nope, private session in the browser
10:35 yawnt no cookies, nothing
10:35 yawnt i apologize, first time in my life i ever touch this
10:35 yawnt so it's all pretty new :/
10:38 asyd joined #openam
10:38 aldaris no worries
10:38 aldaris so changing the default_scope shouldn't really matter from saml point of view
10:39 aldaris try setting default scope to uid
10:39 aldaris that should resolve the invalid_scope error
10:39 yawnt well, it does in the sense that it throws the No local user being mapped
10:39 aldaris but it really shouldn't, that doesn't make any sense
10:41 yawnt actually
10:41 yawnt wait
10:41 yawnt mm
10:41 yawnt it gives me an internal server error
10:42 yawnt but it doesn't look like that is the issue
10:42 yawnt because that's old logs
10:43 yawnt com.iplanet.services.naming.URLNotFoundException: Invalid service host name. http://openam-dsp:8081/openam/sessionservice
10:46 yawnt yup
10:46 yawnt that's the error
11:09 MegaMatt joined #openam
12:11 mckeanbs joined #openam
12:33 mckeanbs joined #openam
13:00 aldaris joined #openam
13:56 yawnt ugh
13:56 yawnt nothing
13:56 yawnt still the same error
13:56 yawnt i can't figure out why
13:56 aldaris not sure how you got there
13:56 aldaris that error message is not the most friendly really
13:56 yawnt no, i'm talking about the no scope error
13:56 yawnt i'm even using 2 machines now
13:56 yawnt step-by-step following the tutorial
13:56 yawnt there's no support without a subscription, i presume?
13:57 aldaris you still have IRC and mailing list and forums
13:57 yawnt where's the mailing list?
13:57 aldaris https://lists.forgerock.org/mailman/listinfo/openam
14:02 yawnt sent an email
14:02 yawnt thanks :)
14:02 yawnt i wonder why this is, i'm literally not doing anything except what they're telling me in the docs
14:02 yawnt SAML2.0 standalone federation worked just fine
14:03 aldaris you'll need to set that default scopes setting
14:03 aldaris can you point at the doc you were reading?
14:04 yawnt sure
14:04 yawnt http://openam.forgerock.org/doc/bootstrap/admin-guide/#oauth2-sp-and-authz
14:05 yawnt i'm really just doing: 1) using common task, create hosted id provider on machine 1 and hosted service provider on machine 2
14:05 yawnt set the parameters they tell in the doc
14:06 yawnt exchange metadata between machine 1 and 2, so that i have a remote sp on machine 1 and a remote id provider on machine 2
14:06 yawnt follow the rest of the guide
14:06 yawnt :|
14:09 aldaris https://bugster.forgerock.org/jira/browse/OPENAM-6965 there you go
14:10 yawnt cool! thank you very much
14:10 yawnt i'll track the issue and see what's up
14:11 yawnt :D
14:12 yawnt i wonder however
14:12 yawnt how come, if i set default scope uid,
14:13 yawnt it gives me that error about locating user
14:13 aldaris not that session error?
14:13 yawnt an oauth2 client has scopes
14:13 yawnt and default scopes
14:13 yawnt i'm assuming i need to add something to default scopes?
14:14 aldaris yes
14:14 yawnt so i tried adding `uid`
14:14 yawnt and it gives me "Internal Server Error"
14:14 yawnt but the logs do not show anything new
14:14 yawnt i thought it was the error about locating the user
14:14 aldaris which version are you testing?
14:14 yawnt but that was the old one
14:14 yawnt latest
14:14 yawnt OpenAM 13.0.0-SNAPSHOT Build ${svn-revision.revision} (2015-September-28 03:07)
14:14 aldaris oh nightly
14:15 aldaris well
14:15 aldaris then you are running into a bug I guess
14:15 yawnt most likely
14:15 yawnt maybe i should try with 12 as well
14:16 aldaris 12 has different bugs..
14:16 yawnt oh wait, i remember why i didn't use 12
14:16 yawnt because i couldn't find any link to download it
14:16 yawnt "D
14:16 yawnt D:
14:16 aldaris backstage.forgerock.com
14:16 aldaris you need to log in for that I guess
14:17 yawnt ah
14:17 yawnt i don't have a subscription
14:17 yawnt :(
14:17 aldaris log in != have a subscription
14:17 aldaris register on sso.forgerock.org
14:18 yawnt yeah done
14:18 yawnt sorry :P
14:18 yawnt i wonder if docker has to do with it
14:19 yawnt why it doesn't work, i mean
14:19 yawnt (i'm running everything inside docker)
14:19 aldaris hmm
14:19 aldaris and one AM can access the other?
14:20 yawnt yes, i'm exposing the ports to the outside
14:32 aldaris well I'm getting invalid assertion error atm
14:33 yawnt did you check the assertion signed in your service provider?
14:34 aldaris not quite, no
14:36 yawnt yep, you need that
14:36 yawnt there's a checkbox you need tot ick
14:36 yawnt *tick
14:40 aldaris {"error":"invalid_scope","error_description":"No scope requested and no default scope configured"}
14:41 yawnt yup
14:41 yawnt that's it
14:41 aldaris {"error":"server_error","error_description":"Internal Server Error"}
14:41 yawnt again, that's it
14:41 yawnt but i see nothing in the logs
14:42 aldaris "Map key scope already exists"
14:42 yawnt wait, i never got that
14:42 aldaris debugger says that :)
14:42 yawnt where's the debugger >_>
14:44 aldaris I've just attached to it
14:44 aldaris Saml2GrantTypeHandler has a bug it looks like
14:45 yawnt i wonder why they force me to use SAML and OAuth
14:45 yawnt i'd be perfectly happy with OAuth alone
14:46 yawnt (i need to secure a REST API, and people need to login into SAML)
14:46 yawnt it's going to be a joy to figure out how to write an agent for nginx
14:46 yawnt :D
14:53 aldaris https://bugster.forgerock.org/jira/browse/OPENAM-6967
14:53 aldaris there is already a community agent for nginx
14:54 yawnt yeah but it looked abandoned
14:54 yawnt i'll give it a spin, see if it plays nice
14:54 yawnt btw thanks a lot for those finds
14:54 aldaris it gets updated a few times a year
15:17 yawnt cool
15:17 yawnt i'll definitely check it out then
15:17 yawnt switching haproxy for nginx should be a piece of cake
15:17 yawnt again, thank you for looking into it
15:17 yawnt i'll eagerly check the issue :D
16:17 aldaris joined #openam
17:14 aldaris joined #openam
17:59 aldaris joined #openam
18:43 aldaris joined #openam
18:44 kala_ joined #openam
18:51 aldaris joined #openam
19:08 aldaris joined #openam
19:44 aldaris joined #openam
23:09 balo joined #openam
23:36 MegaMatt joined #openam