When using passthrough users and passthrough scopes, refresh token grant fails if API does not allow password grant #127

Closed
DonMartin76 opened this issue Oct 12, 2018 · 1 comment
Labels: bug, beta (Issues in the beta version)

Comments

@DonMartin76
Member

Preconditions

  • API secured via OAuth2
  • Only enable_authorization_code is set to true (supports only Authorization Code Grant)
  • Use passthrough users with a 3rd party IdP (e.g. SAML IdP)
  • Use passthrough scopes, i.e. scope lookup via 3rd party service
  • Try to refresh an access token via the refresh_token grant

What happens

  • The refresh_token grant call to the /token endpoint fails with the following error message:

    {
      "error": "unauthorized_client",
      "error_description": "The API content-api is not configured for the OAuth2 resource owner password grant."
    }

Workaround: Enable the Resource Owner Password Grant on the API; it will not work to use that flow anyway, as the users come from a 3rd party IdP.
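To make the failure mode concrete, the following is an added TypeScript example, not code from wicked or from the issue author. It models a refresh_token grant handler in two versions: a check reconstructed from the symptom above, which gates the refresh path on the password-grant flag whenever users are passed through, and a corrected check that only asks whether the grant that originally issued the token is still enabled on the API. Every identifier (ApiConfig, RefreshTokenRecord, checkRefreshGrantBuggy, checkRefreshGrantFixed, the sample API and token values) is hypothetical and constructed for this example.

```typescript
// Added example, not wicked's own code. All names and sample values are constructed.

type GrantType = 'authorization_code' | 'password' | 'client_credentials' | 'implicit';

interface ApiConfig {
  id: string;
  enable_authorization_code: boolean;
  enable_password_grant: boolean;
  enable_client_credentials: boolean;
  enable_implicit_grant: boolean;
  passthrough_users: boolean;   // users are authenticated by a 3rd party IdP
  passthrough_scopes: boolean;  // scopes are resolved by an external service
}

interface RefreshTokenRecord {
  api_id: string;
  issued_by_grant: GrantType;   // the grant that produced the original access token
  authenticated_userid: string;
}

interface GrantDecision {
  ok: boolean;
  error?: 'unauthorized_client' | 'invalid_grant';
  error_description?: string;
}

function grantEnabled(api: ApiConfig, grant: GrantType): boolean {
  switch (grant) {
    case 'authorization_code': return api.enable_authorization_code;
    case 'password': return api.enable_password_grant;
    case 'client_credentials': return api.enable_client_credentials;
    case 'implicit': return api.enable_implicit_grant;
    default: return false;
  }
}

// Reconstructed from the symptom in the issue (hypothetical): the refresh path for
// passthrough-user APIs is gated on the password-grant flag, regardless of which
// grant actually issued the token being refreshed.
function checkRefreshGrantBuggy(api: ApiConfig, token: RefreshTokenRecord): GrantDecision {
  if (token.api_id !== api.id) {
    return { ok: false, error: 'invalid_grant', error_description: 'Refresh token was not issued for this API.' };
  }
  if (api.passthrough_users && !api.enable_password_grant) {
    return {
      ok: false,
      error: 'unauthorized_client',
      error_description: `The API ${api.id} is not configured for the OAuth2 resource owner password grant.`,
    };
  }
  return { ok: true };
}

// Corrected logic: a refresh token stays usable as long as the grant that issued it
// is still enabled on the API. The password grant is irrelevant unless the token
// came from it. Implicit-grant tokens never carry a refresh token, so reject those.
function checkRefreshGrantFixed(api: ApiConfig, token: RefreshTokenRecord): GrantDecision {
  if (token.api_id !== api.id) {
    return { ok: false, error: 'invalid_grant', error_description: 'Refresh token was not issued for this API.' };
  }
  if (token.issued_by_grant === 'implicit') {
    return { ok: false, error: 'invalid_grant', error_description: 'Implicit grant tokens cannot be refreshed.' };
  }
  if (!grantEnabled(api, token.issued_by_grant)) {
    return {
      ok: false,
      error: 'unauthorized_client',
      error_description: `The API ${api.id} no longer allows the ${token.issued_by_grant} grant.`,
    };
  }
  return { ok: true };
}

// Constructed sample matching the issue's preconditions: only the Authorization
// Code Grant is enabled, users and scopes are passed through.
const contentApi: ApiConfig = {
  id: 'content-api',
  enable_authorization_code: true,
  enable_password_grant: false,
  enable_client_credentials: false,
  enable_implicit_grant: false,
  passthrough_users: true,
  passthrough_scopes: true,
};

const authCodeToken: RefreshTokenRecord = {
  api_id: 'content-api',
  issued_by_grant: 'authorization_code',
  authenticated_userid: 'sub=saml-user-42', // constructed value
};

function runScenario(): { buggy: GrantDecision; workaround: GrantDecision; fixed: GrantDecision } {
  // The workaround from the issue: switch the password grant on although nobody
  // can use it, which also widens what the /token endpoint accepts.
  const withWorkaround: ApiConfig = { ...contentApi, enable_password_grant: true };
  return {
    buggy: checkRefreshGrantBuggy(contentApi, authCodeToken),
    workaround: checkRefreshGrantBuggy(withWorkaround, authCodeToken),
    fixed: checkRefreshGrantFixed(contentApi, authCodeToken),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The corrected check keeps the API's declared grant surface intact: the refresh succeeds for a token that came from the Authorization Code Grant without the password grant ever being switched on, and a token issued under a grant that has since been disabled is refused with unauthorized_client.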

@DonMartin76 DonMartin76 added the bug and beta (Issues in the beta version) labels Oct 12, 2018
@DonMartin76 DonMartin76 self-assigned this Oct 12, 2018
DonMartin76 added a commit to apim-haufe-io/wicked.kong-adapter that referenced this issue Oct 12, 2018
DonMartin76 added a commit to apim-haufe-io/wicked.auth that referenced this issue Oct 12, 2018
@DonMartin76
Member Author

Fixed in 1.0.0.beta11.

maksimlikharev pushed a commit to clarivate/wicked.kong-adapter that referenced this issue Apr 15, 2019
* Work in progress - support all flows for portal-api

* Major cleanup - take out user consumers (a never published feature), take out oauth2 functionality completely (moved to kong-oauth2)

* Take out commented code

* Change to ISO date, adapt to node 8, add lock file.

* WIP - reference wicked-sdk from local directories - this has to be changed back again

* Assume Kong 0.11.2 as of wicked 0.12.5.

* Bump to version 0.12.5

* Updated dependencies

* Set installing wicked-sdk straight

* Launch configuration for vs code

* Refactorings:
- Remove 'var' in the entire code base
- Use logging component from portal-env
- Updated dependencies

* Updated dependencies

* Updated dependencies

* Adaption to breaking API change (items instead of direct array)

* Updated dependencies

* Updated dependencies

* Update to Kong 0.13.1

* Preserve calling host for swagger-ui API

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Upgrade to kong 14

* Migrate to using TypeScript to enable type hinting

* Take out the stupid "app" reference which was everywhere.

- No idea why I did it that way back then.

* Clean up commented code

* Minor incompatibility between legacy and wicked SDK implementation.

* Add wicked groups as additional scopes to each API.

* Extract and name all Kong actions

* Migrate to 0.13+ API of Kong, using routes and services

* Patching and deleting plugins must be done on /plugins for services

* Full typing of Kong Adapter code - allows refactoring now

- Bugfix: Getting by username does not work with query parameters -> returned entire list

* Don't use .total anymore, not always present

* Remove "total" property - not used anymore

* Add Prometheus global plugin always

* hide credentials flag propagation

* Patching an API plugin fixed (did not patch)

- Some better logging output ("Updating consumers" only when it actually happens)

* Propagate hide credentials flag

* Hide credentials flag

* Rework consumer syncing; now works like all other entities

- Portal and Kong consumers are retrieved individually
- And synced subsequently

* Update package-lock

* Use internal portal URL for swagger UI forwarding

* Make communication with Kong more robust ("make Kong behave")

* Also use redis for response-ratelimiting kong plugin

* Updated dependencies

* Updated dependencies

* Dockerfile contained the wrong port

* Updated dependencies

* Updated dependencies

* Experimental support for bundling APIs (common use of tokens).

* Kong expects CORS methods to be string array

* Ouch

* Resync APIs every five minutes to check for updated scopes

* Updated dependencies

* Update to Kong 0.14.1

* Updated dependencies

* Try to fix premature Kong Adapter exit

* Don't answer 500 if Kong or wicked are not available
- This would just trigger e.g. Kubernetes to restart the Kong Adapter
- This is usually not necessary; the thing will restart itself after a while

* Support refresh_token_ttl in kong oauth2 plugin config (#10)

* Redo refresh_token_ttl changes (were not working as intended)

* Fix error logging; fix tsc compiler error (@types/node version)

* Updated dependencies

* Part II of fix Haufe-Lexware/wicked.haufe.io#127

* Updated dependencies

* Fixes Haufe-Lexware/wicked.haufe.io#140

* Fixes Haufe-Lexware/wicked.haufe.io#148 - apply redis also to Plan rate limiting

* Removed package-lock.json

* Renaming of images (drop portal-)

* Corrected reverse build trigger

* Wrong base image for actual image, corrected.

* Enable building local docker images

* Fixes Haufe-Lexware/wicked.haufe.io#147

* Additional fixes for Haufe-Lexware/wicked.haufe.io#147

* Ignore build_date file

* Also ignore git_* files

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Turn off caching when building docker image

* Bump to version 1.0.0-rc.2

* Endline

* Support for multiple redirectUris in the Kong Adapter

- Fixes parts of Haufe-Lexware/wicked.haufe.io#178

* Not used file; deleted

* Added link to Haufe-Lexware/wicked.haufe.io#180

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Update morgan to 1.9.1

* Took out typescript dependency (moved to devDeps)

* Update async and request

* Fix typescript version for build and dev
maksimlikharev pushed a commit to clarivate/wicked.auth that referenced this issue Apr 15, 2019
* Refactor out build to separate script

* Add a /ping endpoint (for health checks)

* Ease up strictness of redirect_uri checking slightly

* Use updated redirect_uri function

* Kong does not accept null scopes, fix for TypeScript

* Stringifying recursive structures is not a good idea

* Inject client_secret in special cases (password grant)

* Now the client_secret thing should be correct

* Refactoring of pool properties to an array

* Adaptions to registrations refactoring

* Bugfix: Check for trustUsers configuration oauth2 auth methods

* Disallow signup/registration and namespace handling

* Updated dependencies

* If client_id/client_secret aren't passed in, check Basic Auth for id/secret

* Updated dependencies

* Working SAML identity provider implementation

* Remove wicked-types (these are in the wicked sdk); use wicked-sdk as TypeScript

* Update all API calls to wicked to use the node SDK instead

* Remove some dedicated Callback types; not finished yet

* Move OidcProfile to wicked SDK

* PassthroughScope resolution via external service

* Disallow -> disable

* Updated dependencies

* Add namespace and registration handling for the password grant.

* Use = instead of : for separating keys and values

* Add user groups as scopes to access tokens

- Also fix refresh_token for passthrough APIs (to enable scope changes).

* Fixed broken group mapping for ADFS/OAuth2

* Move to services+routes for Kong

* Updated dependencies

* Don't use ".total" for routes, it's not returned

* For simplified integration testing, allow JSON rendering (with env var)

* Corner case fixes; integration testing made easier

- Check for invalid sessions

* Minor fixes of bugs in error handling

- Mostly popped up during writing of integration tests
- Some adaptions to the OAuth2 RFC (Response codes)

* Answer health check both on /auth/ping and /ping

* Take out implicit style and add a class

* Ad-hoc localization to german (specify LANGUAGE env var)

* Display app name with login screen (and some others)

- Prepare using a custom URL for the top logo

* Check on build that translations are correct

* Add some space between log in and links

* Updated dependencies

* Updated dependencies

* Updated dependencies

* Add basic prometheus metrics

* Change how authenticated_userid is created (adding namespace and sub=).

* Also add namespace to back redirect for authorize endpoint (both flows)

* Updated dependencies

* Make getting a scope from an external URL more robust (retry logic)

* Bugfix (for refresh token); the auth server always creates a user id with sub=

* Don't rely in service_id in token data (not available for shared_credentials)

- Instead use credential_id, which is always present

* Move metrics and ping to after prometheus middleware

* Bug fix: Go back to "log in" from "sign up" form didn't work

* Use specified password validation strategy (and pluggable regex)

* Some CSRF security changes; support for "must change password".

* Prepare to force password change on resource owner password grant

* Support PKCE for Auth Code Grant and Public clients

* Verify length of code_verifier (has to have specific length)

* Improved email regex when creating a user

* Updated dependencies

* Fixes Haufe-Lexware/wicked.haufe.io#124

- Answer to IdP initiated logout request (logout responses)
- Enable initiating SSO logout requests

* Better error message when sso_logout_url is missing

* Part I of fix Haufe-Lexware/wicked.haufe.io#127

* Implementation Haufe-Lexware/wicked.haufe.io#128

- Auth method type "external"
- Large refactorings to partly use async/await; which substantially simplifies the code
- wicked node SDK also supports Promises now

* Slight fix for non-passthrough user and external IDP

- Don't ask IdP for refresh token if the user is federated to wicked, it wouldn't be able to answer anyway.

* Allow APIs with passthrough Scopes to use Resource Owner Password Grant

* Fixes at least parts of Haufe-Lexware/wicked.haufe.io#135

- By passing in "renderSignup" to setTimeout as a function, "this" was lost

* Fixes Haufe-Lexware/wicked.haufe.io#137

* Basic scope restriction logic, Haufe-Lexware/wicked.haufe.io#138

* Fixes Haufe-Lexware/wicked.haufe.io#142

- Check for defaultGroups also on subsequent logins
- Remove unused code

* Fixes Haufe-Lexware/wicked.haufe.io#143

* Fixes Haufe-Lexware/wicked.haufe.io#131

* Fix a potential IE11 caching problem

* Fixes Haufe-Lexware/wicked.haufe.io#130

- More elaborate scope checking with refresh tokens

* Removed package-lock.json

* Actually output some debug information on the redis connection

* Renaming images (drop portal-)

* Corrected reverse build trigger

* Updated bootstrap to 3.4.0

* Wrong base image for actual image, corrected.

* Force authentication with SAML in case prompt=login is supplied

* Copy/Paste mistake fixed when instantiating Logger

* Check for sso_logout_url on identityProvider, not on serviceProvider (bug)

* Registration validation was not working properly

* For security reasons, take out refresh token for...

- Authorization Code Grant, in combination with
- Public clients

* Add build information to /ping status for Auth Server

* Enable local docker builds of auth server; enable git info in image

* Check for more specific type of client

- Actual implementation of Haufe-Lexware/wicked.haufe.io#159

* Default to using the defined internal Kong proxy port, if defined

- otherwise, fall back to external API host (as before)

* Remove unused package ldapjs

* Ignore build_date file

* Ignore git_* files

* Bump to version 1.0.0-rc.1

* Remove versioning from portal-env.tgz

* Turn off build caching

* Bump to version 1.0.0-rc.2

* Endline

* Support multiple redirectUris in the auth server

- Fixes parts of Haufe-Lexware/wicked.haufe.io#178

* Issue prompt=none errors as redirects, not as JSON

* Support OIDC type userinfo endpoints for profile

* Neater layout of login page. According to me.

* Support prefilling username for login screen

- Add autofocus for login screen; looks nicer

* Support forgotten password URLs for external auth method

* Text tweaks

* Ahem.

* Bump to version 1.0.0-rc.3

* Bump to version 1.0.0-rc.4

* Update morgan to 1.9.1

* Add typescript devDependency

* Update bootstrap

* Update async and request

* Fixes Haufe-Lexware/wicked.haufe.io#188

* Fix typescript version for build and dev
maksimlikharev pushed a commit to clarivate/wicked.auth that referenced this issue Apr 18, 2019
maksimlikharev pushed a commit to clarivate/wicked.auth that referenced this issue Apr 18, 2019