Hi, I have some problems when setting up OAuth / OpenID authentication. The IDP is an ADFS on-prem server.
I get this error in the log files on the Web server.
---> VI.Base.ViException: Invalid token
at VI.DB.Auth.AuthToken.Validate(X509Certificate2 certificate)
at QBM.CompositionApi.PlugIns.OAuthRedirectPlugin.DecryptOAuthState(ICertificateProvider certProvider, String state)
at QBM.CompositionApi.PlugIns.OAuthRedirectPlugin.OAuthRewriter.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at QBM.CompositionApi.PlugIns.CulturePlugIn.<>c__DisplayClass3_0.<<Start>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at QBM.CompositionApi.Socket.SocketMiddleware.<Invoke>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at QBM.CompositionApi.PlugIns.OwinRequestScopePlugin.<>c__DisplayClass0_0.<<Start>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at QBM.CompositionApi.PlugIns.ServiceUnavailablePlugIn.<>c__DisplayClass2_0.<<Start>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.<RunApp>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.<DoFinalWork>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar)
at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--- End of inner exception stack trace ---
Seems like it expects a certificate. But where should this cert exist? I have SSL on the web server, but must I also have a separate cert somewhere else on the web server or on the ADFS server?
In the 9.2 documentation they talk about a cert, but it's a little bit unclear how this should be implemented:
Identity Manager 9.2 - Authorization and Authentication Guide
The web application (or client application) requests the authorization code at the authorization endpoint. The login endpoint is used to call an advanced login window, which serves to determine the authorization code. The authentication module requires an access token from the token endpoint and the certificate is required to check the security token.
In the process, an attempt is made to find the certificate from the web application configuration. If this is not possible, the settings of the identity provider are used. To find the certificate for testing the token, the certificate stores are queried in the following order:
- Configuration of the OAuth 2.0/OpenID Connect application (QBMIdentityClient table)
  - Certificate text (QBMIdentityClient.CertificateText).
  - Subject or thumbprint from the local memory (QBMIdentityClient.CertificateSubject and QBMIdentityClient.CertificateThumbPrint).
  - Certificate endpoint (QBMIdentityClient.CertificateEndpoint). In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.
- Configuration of the identity provider (QBMIdentityProvider table)
  - Certificate text (QBMIdentityProvider.CertificateText).
  - Subject or thumbprint from the local memory (QBMIdentityProvider.CertificateSubject and QBMIdentityProvider.CertificateThumbPrint).
  - Certificate endpoint (QBMIdentityProvider.CertificateEndpoint). In addition, the subject or thumbprint is used to check certificates from the server if they are specified and do not exist locally on the server.
  - JSON-Web-Key endpoint (QBMIdentityProvider.JsonWebKeyEndpoint).
Could anyone shed some light on this. Any thoughts? Thanks in advance!
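The lookup order quoted from the 9.2 guide above is easier to reason about when walked through in code. The following is an added example written for this page; it is not One Identity code and does not reproduce the product's implementation. It models the certificate columns of the QBMIdentityClient and QBMIdentityProvider rows, resolves the certificate in the documented order (client row before provider row; within each row CertificateText, then subject/thumbprint against a local store, then CertificateEndpoint; the provider's JsonWebKeyEndpoint last), and then performs the cheap pre-check a practitioner wants before blaming the signature: whether the token's header actually names the certificate that was resolved. ADFS-issued JWTs carry the token-signing certificate thumbprint as `x5t` (base64url SHA-1) and `kid` (hex), so a mismatch there means validation with that certificate can never succeed. Everything else is assumed or constructed: the hostname `adfs.example.test`, the `/certs/signing.pem` endpoint, the DER "certificates" (placeholder bytes, not real X.509), and the token (header and payload only, with a dummy signature). The RSA signature check itself and subject matching on server-fetched certificates (which needs an X.509 parser) are deliberately left out.

```python
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class CertConfig:
    """Certificate columns of one QBMIdentityClient or QBMIdentityProvider row."""
    certificate_text: Optional[str] = None        # CertificateText (PEM)
    certificate_subject: Optional[str] = None     # CertificateSubject
    certificate_thumbprint: Optional[str] = None  # CertificateThumbPrint (hex SHA-1)
    certificate_endpoint: Optional[str] = None    # CertificateEndpoint (URL serving PEM)
    json_web_key_endpoint: Optional[str] = None   # JsonWebKeyEndpoint (provider row only)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body; CertificateText holds this form."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def resolve_certificate(client: CertConfig, provider: CertConfig,
                        local_store: List[Tuple[str, bytes]],
                        fetch: Callable[[str], str]) -> Tuple[str, bytes]:
    """Return (source, DER) in the order the guide documents: client row, then provider
    row; per row CertificateText -> local store by subject/thumbprint -> CertificateEndpoint;
    the provider's JsonWebKeyEndpoint is the last resort."""
    for table, cfg in (("QBMIdentityClient", client), ("QBMIdentityProvider", provider)):
        if cfg.certificate_text:
            return f"{table}.CertificateText", pem_to_der(cfg.certificate_text)
        for subject, der in local_store:  # (subject, DER) pairs standing in for the local cert store
            if (cfg.certificate_thumbprint and cfg.certificate_thumbprint.upper() == thumbprint(der)) or \
               (cfg.certificate_subject and cfg.certificate_subject == subject):
                return f"{table}.CertificateSubject/CertificateThumbPrint", der
        if cfg.certificate_endpoint:
            der = pem_to_der(fetch(cfg.certificate_endpoint))
            # A configured thumbprint that was not found locally is still used to check
            # what the server hands back (subject checking would need an X.509 parser).
            if cfg.certificate_thumbprint and cfg.certificate_thumbprint.upper() != thumbprint(der):
                raise ValueError(f"{table}.CertificateEndpoint served a certificate with the wrong thumbprint")
            return f"{table}.CertificateEndpoint", der
    if provider.json_web_key_endpoint:
        for key in json.loads(fetch(provider.json_web_key_endpoint)).get("keys", []):
            if key.get("use", "sig") == "sig" and key.get("x5c"):
                return "QBMIdentityProvider.JsonWebKeyEndpoint", base64.b64decode(key["x5c"][0])
    raise LookupError("no certificate available to check the security token")


def token_names_certificate(token: str, der: bytes) -> bool:
    """ADFS JWT headers carry the signing certificate thumbprint as x5t (base64url SHA-1)
    and kid (hex). If neither matches the resolved certificate, signature validation with
    it cannot succeed. This is only the pre-check; the RSA verification is not done here."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("kid", "").upper() == thumbprint(der) or \
        header.get("x5t") == b64url(hashlib.sha1(der).digest())


# --- constructed sample data: placeholder bytes, not real X.509 certificates or a signed token ---
ADFS_DER = b"placeholder DER bytes standing in for the ADFS token-signing certificate"
OTHER_DER = b"placeholder DER bytes standing in for an unrelated certificate"
JWKS_URL = "https://adfs.example.test/adfs/discovery/keys"   # assumed hostname
CERT_URL = "https://adfs.example.test/certs/signing.pem"     # assumed, hypothetical endpoint
OFFLINE_RESPONSES = {
    JWKS_URL: json.dumps({"keys": [{"kty": "RSA", "use": "sig", "kid": thumbprint(ADFS_DER),
                                    "x5t": b64url(hashlib.sha1(ADFS_DER).digest()),
                                    "x5c": [base64.b64encode(ADFS_DER).decode()]}]}),
    CERT_URL: to_pem(OTHER_DER),  # endpoint that serves the wrong certificate
}
TOKEN = ".".join(b64url(json.dumps(p).encode()) for p in (
    {"alg": "RS256", "typ": "JWT", "kid": thumbprint(ADFS_DER), "x5t": b64url(hashlib.sha1(ADFS_DER).digest())},
    {"iss": "https://adfs.example.test/adfs", "aud": "urn:oneim:web"})) + ".c2lnbmF0dXJl"


def offline_fetch(url: str) -> str:
    """Stand-in for the HTTP fetch so the example runs without network access."""
    return OFFLINE_RESPONSES[url]


def check(client: CertConfig, provider: CertConfig, local_store=()) -> Tuple[str, bool]:
    """Resolve the certificate as the guide describes, then see whether the token names it."""
    source, der = resolve_certificate(client, provider, list(local_store), offline_fetch)
    return source, token_names_certificate(TOKEN, der)


if __name__ == "__main__":
    # Nothing in the client row resolves locally, so the provider's JWKS endpoint is the fallback.
    print(check(CertConfig(certificate_thumbprint=thumbprint(ADFS_DER)), CertConfig(json_web_key_endpoint=JWKS_URL)))
    # A wrong certificate pasted into QBMIdentityClient.CertificateText wins the lookup but
    # can never validate the token: the header's kid/x5t does not name it.
    print(check(CertConfig(certificate_text=to_pem(OTHER_DER)), CertConfig(json_web_key_endpoint=JWKS_URL)))
```

The second scenario is the one worth keeping in mind when tracing an "Invalid token" on the web server: because CertificateText on the client row is consulted first, whatever is pasted there silences every later source, including the JWKS endpoint that would have served the right key. Comparing the `kid`/`x5t` of a captured token against the thumbprint of the certificate the configuration actually resolves to tells you quickly whether the lookup landed on the wrong certificate or whether the problem is elsewhere.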