OIDC extension 1.0.2 manual install issues


OIDC extension 1.0.2 manual install issues

David Huebner
Hi folks,

I've been playing around with installing
https://github.com/CSCfi/shibboleth-idp-oidc-extension/releases/tag/v1.0.2 
lately.
The goal is to install on top of an existing Shibboleth IDP 3.4.4 and
I've been following
https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/Installing-from-archive 
and also double checked the general steps with the ansible playbook.

I think my main issue for now is that all oidc and oauth2 flows are not
registered on IDP startup at all, which leads to tomcat giving me 404
for the various oidc endpoints.

I've set up a dev environment with vagrant up alongside, which gives me
the following idp-process logs (truncated for readability, there are
more of course):

Registered flow ID 'oauth2/introspection' using 'file
[/opt/shibboleth-idp/flows/oauth2/introspection/introspection-flow.xml]'
[...]
Registered flow ID 'oidc/authorize' using 'file
[/opt/shibboleth-idp/flows/oidc/authorize/authorize-flow.xml]'
[...]

None of those is present in my IDP 3.4.4+manual install environment,
just the normal shibboleth ones.
However, I can see some org.geant log entries, e.g. when parsing
/opt/shibboleth-idp/metadata/oidc-client.json, which at least verifies
that the jars etc. are picked up correctly.

So... the main difference I can see:
Vagrant up environment: IDP 3.4.0 and more recent version of extension
IDP3.4.4+manual install environment: IDP 3.4.4 and extension 1.0.2

For all I can tell, the config should be similar. Of course all flows
files etc. are present in both environments.
I get no significant warns or errors in either idp log or tomcat log.

Has anyone done a manual install successfully yet, and any ideas what
the issue could be?
Is IDP 3.4.4 vs 3.4.0 breaking things?

Thanks,
David

--
David Hübner, Solutions Engineer

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: [hidden email]
web:   www.daasi.de

Registered office: Tübingen
Commercial register: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz

--
To unsubscribe from this list send an email to [hidden email]

Re: OIDC extension 1.0.2 manual install issues

Cantor, Scott E.
There are two supported ways to add webflows. Both of them require specific conventions on the directory and file names to end up with the expected flow IDs (flowid/flowid-flow.xml)

The directory structure can either be in $idp.home/flows (or wherever the idp.webflows property points) or can be loaded from a jarfile via /META-INF/net/shibboleth/idp/flows

The jar approach would be the recommended way in most cases since flows aren't generally editable, and avoids the problems with getting extra files installed.

But both of those extension points should work in all recent versions.
 
-- Scott



Re: OIDC extension 1.0.2 manual install issues

David Huebner
Yeah, well, your first remark made me think and the issue was due to
file system permissions of the files added by the extension.

Rather obvious now, but sometimes the simple things are the hardest to
spot... ;) Sorry for the noise.

On 05.07.19 16:05, Cantor, Scott wrote:

> There are two supported ways to add webflows. Both of them require specific conventions on the directory and file names to end up with the expected flow IDs (flowid/flowid-flow.xml)
>
> The directory structure can either be in $idp.home/flows (or wherever the idp.webflows property points) or can be loaded from a jarfile via /META-INF/net/shibboleth/idp/flows
>
> The jar approach would be the recommended way in most cases since flows aren't generally editable, and avoids the problems with getting extra files installed.
>
> But both of those extension points should work in all recent versions.
>  
> -- Scott
>
>

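The two points raised in this thread (Scott's flowid/flowid-flow.xml naming convention under $idp.home/flows, and David's finding that the extension's files were unreadable by the servlet container) can be checked before restarting the IdP. The script below is an added example, not code from the thread or from the OIDC extension project; it assumes the container (tomcat/jetty) runs as a user that is neither the owner nor in the group of the copied files, so it inspects the "other" read/search bits.

```shell
#!/bin/sh
# Added example: sanity-check webflow files dropped into $idp.home/flows.
# Assumption: the servlet container user is neither owner nor group member of
# the copied files, so the "other" permission bits decide whether it can read them.

# Print one line per problem; prints nothing when the tree looks fine.
report_flow_problems() {
    flows_dir=$1
    # Convention: a flow definition lives at <flowid>/<flowid>-flow.xml, so the
    # immediate directory name must equal the flow id in the file name
    # (e.g. oauth2/introspection/introspection-flow.xml).
    find "$flows_dir" -type f -name '*-flow.xml' | while IFS= read -r f; do
        id=$(basename "$f" -flow.xml)
        parent=$(basename "$(dirname "$f")")
        [ "$parent" = "$id" ] || echo "NAMING $f: directory '$parent' != flow id '$id'"
    done
    # Files the container user cannot read, and directories it cannot traverse,
    # register no flow and log no error; the endpoint simply answers 404.
    find "$flows_dir" -type f ! -perm -004 | sed 's/^/UNREADABLE /'
    find "$flows_dir" -type d ! -perm -005 | sed 's/^/UNSEARCHABLE /'
}

# Exit status 0 when no problems were reported, 1 otherwise (problems printed).
check_flows() {
    out=$(report_flow_problems "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# The other extension point: flows packaged in a jar are found under this prefix.
jar_flows() {
    unzip -Z1 "$1" | grep '^META-INF/net/shibboleth/idp/flows/.*-flow\.xml$'
}

if [ "$#" -gt 0 ]; then
    check_flows "$1"
fi
```

Run it as `sh check-flows.sh /opt/shibboleth-idp/flows`; an empty report with exit status 0 means the naming convention and permissions are not the reason a flow fails to register.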