[BUG-12277] OpenID to Microsoft Azure

Has anyone been able to get this working? I am getting further with the latest build, but am still getting an error. I believe my Client ID and secret are correct.

INFO   | jvm 1    | 2019/01/08 09:45:24 | W [g.D.Route                     ] [16:45:24]: Error handling route. route-group=federate, route-path=/callback/:type
INFO   | jvm 1    | 2019/01/08 09:45:24 | com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterManagerException: Unable to parse attributes from the web auth response
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterManagerImpl.parseAttributes(IdpAdapterManagerImpl.java:510)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:144)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:82)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:244)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:49)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.dataroutes.DataServlet.service(DataServlet.java:87)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:852)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.Server.handle(Server.java:530)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2019/01/08 09:45:24 | Caused by: com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterException: Unable to parse the WebAuthResponse from the HTTP request
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:97)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterManagerImpl.parseAttributes(IdpAdapterManagerImpl.java:508)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	... 39 common frames omitted
INFO   | jvm 1    | 2019/01/08 09:45:24 | Caused by: com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyException: Unable to perform authentication
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.web.strategy.oidc.OIDCWebAuthStrategy.parseWebAuthResponse(OIDCWebAuthStrategy.java:100)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.web.strategy.oidc.OIDCWebAuthStrategy.parseWebAuthResponse(OIDCWebAuthStrategy.java:32)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:95)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	... 40 common frames omitted
INFO   | jvm 1    | 2019/01/08 09:45:24 | Caused by: com.inductiveautomation.ignition.gateway.auth.oidc.client.service.OIDCClientServiceException: Unable to get the OIDC token from the auth code: com.inductiveautomation.ignition.gateway.auth.oidc.error.OIDCError@2f397e79[code=invalid_client,description=AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
INFO   | jvm 1    | 2019/01/08 09:45:24 | Trace ID: 73052a24-3e9b-4b77-9564-8ed10e7f2800
INFO   | jvm 1    | 2019/01/08 09:45:24 | Correlation ID: 652a2018-d675-46ed-blah-4b63c962f9a8
INFO   | jvm 1    | 2019/01/08 09:45:24 | Timestamp: 2019-01-08 16:45:24Z,uri=<null>,state=<null>]
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.oidc.client.service.HttpOIDCClientService.getToken(HttpOIDCClientService.java:163)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	at com.inductiveautomation.ignition.gateway.auth.web.strategy.oidc.OIDCWebAuthStrategy.parseWebAuthResponse(OIDCWebAuthStrategy.java:88)
INFO   | jvm 1    | 2019/01/08 09:45:24 | 	... 42 common frames omitted

I have not tried using Microsoft Azure as an OP yet. I’ll play around with it today and post back with more details.

Sounds good, if you want to look at it with a production system, let me know.

Alright, I believe I have identified the root cause. A fix will be on its way shortly.


Hi @Kyle_Chase -

Looks like the fix made it into the latest nightly build. Could you upgrade and let me know if it fixes the issue for you?

I just set up Azure as well and was able to get the IdP config, but now am having issues logging into a Perspective session (Test Login via gateway was successful)

INFO   | jvm 1    | 2019/01/11 14:37:51 | W [g.D.Route                     ] [19:37:51]: Error handling route. route-group=perspective, route-path=/hello/:project_version/:project_name/:tab_id
INFO   | jvm 1    | 2019/01/11 14:37:51 | java.lang.IllegalStateException: Could not find the web session
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at com.inductiveautomation.perspective.gateway.comm.Routes.getOrCreateSession(Routes.java:782)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at com.inductiveautomation.perspective.gateway.comm.Routes$PerspectiveRouteHandlerAdapter.handle(Routes.java:512)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:244)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:49)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at com.inductiveautomation.ignition.gateway.dataroutes.DataServlet.service(DataServlet.java:87)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:852)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.Server.handle(Server.java:530)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626)
INFO   | jvm 1    | 2019/01/11 14:37:51 | 	at java.base/java.lang.Thread.run(Unknown Source)

PS - Could you share what values you used for the User Attribute mapping in the IdP config?

Which browser are you using? Do you get the same exception if you try logging in from a private window?

I did not alter the default user attribute mapping for an OIDC IdP, which is a direct mapping to ‘sub’ for ID and username and no mapping configured for the other attributes.

Here are the steps I took to set up AAD as an OP for Ignition:
How to set up Azure Active Directory as an OpenID Connect Provider for Ignition.pdf (2.7 MB)

It is working all fine for me now. After I got it working, I added the profile and email scopes to get me access to the username and their email. However, I am trying to break off the username into the first and last name attributes. How do expressions work for IdP providers?


Let’s say that you have a claim with key “name” on the ID token with value formatted as “First Last” such as “John Doe”.

To map to the first and last name user attributes, you could do something like this:

First name:

split(toString({idp-attributes:name}), " ")[0, 0]

Last name:

split(toString({idp-attributes:name}), " ")[1, 0]

{idp-attributes:X} gives you access to the ID token from an expression and X is a JSON path to the value on the ID token that you wish to access in the expression.

Relevant docs:
https://docs.inductiveautomation.com/display/DOC80/split
https://docs.inductiveautomation.com/display/DOC80/Security+Level+Rules#SecurityLevelRules-SpecialObjectReference
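The mapping described above (default `sub` for ID and username, `name` split into first and last with `[0, 0]` and `[1, 0]`), reproduced as an added Python example that is not part of this thread or of Ignition itself. It decodes a constructed ID-token payload and shows an edge case the expression above does not handle: `[1, 0]` selects the second token, so a three- or four-part name loses its real surname. `split_rows` is an assumption about the row-per-token shape of Ignition's `split()` dataset, and the token is constructed, not issued by Azure AD.

```python
import base64
import json


def decode_unverified_payload(id_token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying it.
    Only for inspecting which claims the IdP sends; signature, issuer and
    audience checks remain the gateway's job, not this helper's."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def split_rows(value: str, sep: str = " ") -> list:
    """Assumed shape of Ignition's split(): one single-column row per token,
    so expression index [r, 0] is rows[r][0]."""
    return [[tok] for tok in value.split(sep)]


def map_user_attributes(claims: dict) -> dict:
    """Mirror the thread's attribute mapping and a safer surname variant."""
    name_rows = split_rows(str(claims.get("name", "")))
    first = name_rows[0][0]                                   # [0, 0]
    second = name_rows[1][0] if len(name_rows) > 1 else ""    # [1, 0]
    # Safer: everything after the first token, so multi-part surnames survive.
    last = " ".join(row[0] for row in name_rows[1:])
    return {
        "id": claims["sub"],         # keep the stable identifier from 'sub'
        "username": claims["sub"],   # default OIDC mapping, as in the thread
        "email": claims.get("email"),
        "firstname": first,
        "lastname_second_token": second,
        "lastname": last,
    }


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample token (header.payload.signature); the signature is a placeholder.
CONSTRUCTED_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "constructed-subject-id", "name": "Jean Claude Van Damme",
             "email": "jcvd@example.com"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(map_user_attributes(decode_unverified_payload(CONSTRUCTED_TOKEN)))
```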

Awesome, thanks!

Moar Chars.
