Subscribe for automatic updates: RSS icon RSS

Login icon Sign in for full access | Help icon Help
Advanced search

Pages: [1]
  Reply  |  Print  
Author Topic: IDP username passthrough  (Read 12222 times)
Jos? V.
Posts: 58


« on: September 05, 2022, 03:26:26 pm »

I'm implementing SSO using GIP's IDP and i've managed to sucessfully authorize users configured in ConsoleApp into a GAS app via delegate(OpenID)

However i cannot get the username authorized on the launched app.
I've read in the manual that it was supposed to be set in the environment variable OIDC_user_name ( https://4js.com/online_documentation/fjs-gas-manual-html/#gas-topics/c_gas_sso_db_connection.html ).

But the only environment variable I get is OIDC_SUB which has the user's ID on IDP's BD.

I've also tried getting the username from the userinfo endpoint: http://machine:port/ws/r/admin/GeneroProfileService/userinfo/v1/mgr
But it doesn't show the user's username.

Can I get this information? or am I doing something wrong?

I'm using FGL 3.20.11 and GAS 3.20.13.
Frank G.
Four Js
Posts: 48


« Reply #1 on: September 05, 2022, 05:49:42 pm »

To get the OIDC_USER_NAME in your starting app, you must enter it the first time in the consoleApp by setting the profile settings. Go to ConsoleApp->Users->Update Me->Profile and fill the data. Next time you connect with that user, you should have it.

Frank
Jos? V.
Posts: 58


« Reply #2 on: September 06, 2022, 11:45:57 am »

I had tried that before and retried again but still got no OIDC_USER_NAME on my starting app environment.
I checked that the profile was sucessfully created on ConsoleApp:

But i only get OIDC_SUB = 2, OIDC_USER_NAME(or other user related OIDC vars) is not set.
NOTE: I also added all permissions and scopes to the user just to make sure this isn't a permission problem.

Even when directly calling the userinfo endpoint i get no username:
Quote
{
        "id": 2,
        "user_id": 2,
        "given_name": "Jose",
        "family_name": "Virtuoso",
        "middle_name": "Carlos",
        "nickname": "jose_virt",
        "email": "jose.virtuoso@audaxys.com"
    }


*  (8.49 KB, 335x184 - viewed 2291 times.)
Frank G.
Four Js
Posts: 48


« Reply #3 on: September 06, 2022, 12:32:23 pm »

Do you get OIDC_GIVEN_NAME ? or OIDC_MIDDLE_NAME ? I don't see a user_name in the json you have sent. Genero converts the different profile entry to OIDC_xxx where xxx is one of the json member.

Frank
Jos? V.
Posts: 58


« Reply #4 on: September 06, 2022, 01:03:14 pm »

No, I get none of those. Maybe a version issue? (i'm using FGL 3.20.11)

I only get these:
Quote
OIDC_SCOPES=Role.Admin,Role.Supervisor,Role.User
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_ACCESS_TOKEN=eyJhbGciO......
OIDC_IDP_ISSUER=http://xxx:6394/ws/r/services/GeneroIdentityProvider
OIDC_IDP_TOKEN_ENDPOINT=http://xxx:6394/ws/r/services/GeneroIdentityProvider/token/v1
OIDC_REFRESH_TOKEN=68792A02-FB86-4689-9D9D-41483915B4CA
OIDC_USERINFO_ENDPOINT=http://xxx:6394/ws/r/admin/GeneroProfileService/userinfo/v1/me
OIDC_SUB=3
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_USERINFO_ENDPOINT=http://xxx:6394/ws/r/admin/GeneroProfileService/userinfo/v1/me
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_SCOPES=Role.Admin,Role.Supervisor,Role.User
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_IDP_ISSUER=http://xxx:6394/ws/r/services/GeneroIdentityProvider
OIDC_ACCESS_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkFJOTByM.....
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_TOKEN_EXPIRES_IN=3600
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_IDP_TOKEN_ENDPOINT=http://xxx:6394/ws/r/services/GeneroIdentityProvider/token/v1
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_REFRESH_TOKEN=68792A02-FB86-4689-9D9D-41483915B4CA
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_SUB=3
OIDC_TOKEN_EXPIRES_IN=3600

Frank G.
Four Js
Posts: 48


« Reply #5 on: September 06, 2022, 02:36:23 pm »

Check in the profile service logs. You probably don't have access to the profile service. AccessService.log to check if the user has the right access token and in ProfileService.log to see if the request to get the user profile is fulfilled or not.
Jos? V.
Posts: 58


« Reply #6 on: September 07, 2022, 12:39:42 pm »

I've rechecked and followed those logs as advised and found out the RetrieveUserInfo request was being denied with 403 due to lack of scopes.
Analysing the token provided I got to the conclusion that the problem was in lack of scopes for the starting app register on ConsoleApp.
After fixing that I got the following set variables:
Quote
OIDC_ID=3.0
OIDC_FAMILY_NAME=Trindade
OIDC_SUB=3
OIDC_GIVEN_NAME=Luis
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_USER_ID=3.0
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_GIVEN_NAME=Luis
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_EMAIL=lt@audaxys.com
FGL_WEBSERVER_HTTP_X_FOURJS_ENVIRONMENT_OIDC_ID=3.0
OIDC_EMAIL=lt@audaxys.com

in accordance to the JSON response:
Quote
[
    {
        "id": 3,
        "user_id": 3,
        "given_name": "Luis",
        "family_name": "Trindade",
        "email": "lt@audaxys.com"
    }
]

So I still not get the username which should be on OIDC_USER_NAME
Sisavanh S.
Four Js
Posts: 80


« Reply #7 on: September 07, 2022, 02:47:43 pm »

Hi,

May I ask you to open a case at your local support center ?
That will be better for the follow up and debugging.

Thanks in advance.
Best regards,
Sisa.
Jos? V.
Posts: 58


« Reply #8 on: September 07, 2022, 03:14:26 pm »

I've opened a case on support center.
Thanks for the help.
I'll post the outcome here when we get to a conclusion
Jos? V.
Posts: 58


« Reply #9 on: September 16, 2022, 03:24:22 pm »

So as a follow up to the case opened on the support center we got to the conclusion that IDP 3.2 does not set OIDC_USERNAME as the profile service does not return this information.
The manual's example seems to refer to a different IDP.

As an alternative it was suggested that we used custom user properties that are available on GIP 4.0.1 but this was not possible due to our clients still using 3.2.
More information on the custom properties here:
https://4js.com/online_documentation/fjs-gas-manual-html/#gas-topics/t_gip_consoleapp_manage_user_custom_properties.html

Finally we decided on developing a standalone tool to query the IDP database using OIDC_SUB and returning OIDC_USERNAME.
Pages: [1]
  Reply  |  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines