
OpenIDC connection does not grant Permissions in Atlas #2391

Open
shorrocka opened this issue Sep 10, 2024 · 1 comment

Comments

@shorrocka

Expected behavior

We have connected Atlas with Auth0 using OpenIDC and can successfully login after passing our credentials thru Auth0 before being redirected to Atlas with our login information appearing. We should then be able to access anything we have been given permission to based on database roles.

Actual behavior

We have no access to anything regardless of the roles in the database, my user is set to have Admin rights but cannot access anything with the system.
 user_id |       login        | role_id |      role_name
---------+--------------------+---------+--------------------
    1000 | [email protected]  |    1002 | [email protected]
    1000 | [email protected]  |       1 | public
    1000 | [email protected]  |       2 | admin
    1000 | [email protected]  |      10 | Atlas users

Steps to reproduce behavior

We set up security with the following settings:

<security.provider>AtlasRegularSecurity</security.provider>
<security.auth.openid.enabled>true</security.auth.openid.enabled>
<security.oid.clientId>[Redacted]</security.oid.clientId>
<security.oid.apiSecret>[Redacted]</security.oid.apiSecret>
<security.oid.url>[Redacted]/.well-known/openid-configuration</security.oid.url>
<security.oid.redirectUrl>[Redacted]/Atlas/#/welcome</security.oid.redirectUrl>
<security.oid.extraScopes>email</security.oid.extraScopes>
<security.oauth.callback.api>[Redacted]/WebAPI/user/oauth/callback</security.oauth.callback.api>
<security.oauth.callback.ui>[Redacted]/Atlas/#/welcome</security.oauth.callback.ui>

We then can see the login information coming from the log with debug set for shiro:

2024-09-10 17:23:08.775 DEBUG http-nio-8080-exec-1 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:08.834 DEBUG http-nio-8080-exec-5 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:08.837 DEBUG http-nio-8080-exec-2 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:08.960 DEBUG http-nio-8080-exec-4 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:11.393 DEBUG http-nio-8080-exec-3 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:26.023 DEBUG http-nio-8080-exec-6 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:26.679 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JwtAuthRealm@6697968] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.679 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.realm.AuthenticatingRealm - [] - Looked up AuthenticationInfo [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|[Redacted] | attributes: {sub=auth0|66abb1ce64e17c3ebbc4b2a8, email_verified=true, https://example.com/[email protected], amr=["mfa"], id_token=[Redacted], iss=https://[Redacted].us.auth0.com/, nonce=yzlKn5TWVZYbAyCxwikkX3rlwpD0UU9Tp2l6kY2t86k, sid=Tx9t9PNplKSpJ1DHLe6aXSC4ZXD8MM3M, access_token=[Redacted], token_expiration_advance=-1, aud=[64IGDkG32341vCH7lUnzZvTA05IuRHnd], acr=http://schemas.openid.net/pape/policies/2007/06/multi-factor, exp=Wed Sep 11 03:23:26 UTC 2024, iat=Tue Sep 10 17:23:26 UTC 2024, [email protected]} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |] from doGetAuthenticationInfo
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.realm.AuthenticatingRealm - [] - AuthenticationInfo caching is disabled for info [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|66abb1ce64e17c3ebbc4b2a8 | attributes: {sub=auth0|66abb1ce64e17c3ebbc4b2a8, email_verified=true, https://example.com/[email protected], amr=["mfa"], id_token=[Redacted], iss=https://[Redacted].us.auth0.com/, nonce=yzlKn5TWVZYbAyCxwikkX3rlwpD0UU9Tp2l6kY2t86k, sid=Tx9t9PNplKSpJ1DHLe6aXSC4ZXD8MM3M, access_token=[Redacted], token_expiration_advance=-1, aud=[64IGDkG32341vCH7lUnzZvTA05IuRHnd], acr=http://schemas.openid.net/pape/policies/2007/06/multi-factor, exp=Wed Sep 11 03:23:26 UTC 2024, iat=Tue Sep 10 17:23:26 UTC 2024, [email protected]} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |].  Submitted token: [io.buji.pac4j.token.Pac4jToken@29dfedb7].
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Performing credentials equality check for tokenCredentials of type [java.lang.Integer and accountCredentials of type [java.lang.Integer]
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JdbcAuthRealm@4089eb96] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.680 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.KerberosAuthRealm@73b6efce] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.LdapRealm@729c6363] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.ADRealm@6900f30d] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@29dfedb7].  Returned account [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|66abb1ce64e17c3ebbc4b2a8 | attributes: {sub=auth0|66abb1ce64e17c3ebbc4b2a8, email_verified=true, https://example.com/[email protected], amr=["mfa"], id_token=[Redacted], iss=https:/[Redacted]us.auth0.com/, nonce=yzlKn5TWVZYbAyCxwikkX3rlwpD0UU9Tp2l6kY2t86k, sid=Tx9t9PNplKSpJ1DHLe6aXSC4ZXD8MM3M, access_token=[Redacted], token_expiration_advance=-1, aud=[64IGDkG32341vCH7lUnzZvTA05IuRHnd], acr=http://schemas.openid.net/pape/policies/2007/06/multi-factor, exp=Wed Sep 11 03:23:26 UTC 2024, iat=Tue Sep 10 17:23:26 UTC 2024, [email protected]} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |]
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.mgt.DefaultSecurityManager - [] - Context already contains a session.  Returning.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.web.servlet.SimpleCookie - [] - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/WebAPI; Max-Age=0; Expires=Mon, 09-Sep-2024 17:23:26 GMT; SameSite=lax]
2024-09-10 17:23:26.682 DEBUG http-nio-8080-exec-6 org.apache.shiro.mgt.AbstractRememberMeManager - [] - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2024-09-10 17:23:26.742 DEBUG http-nio-8080-exec-7 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:30.982 DEBUG http-nio-8080-exec-10 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:31.035 DEBUG http-nio-8080-exec-1 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:31.059 DEBUG http-nio-8080-exec-2 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:31.060 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthenticatingRealm - [] - Looked up AuthenticationInfo [[email protected]] from doGetAuthenticationInfo
2024-09-10 17:23:31.060 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthenticatingRealm - [] - AuthenticationInfo caching is disabled for info [[email protected]].  Submitted token: [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e].
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Performing credentials equality check for tokenCredentials of type [java.lang.String and accountCredentials of type [java.lang.String]
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [io.buji.pac4j.realm.Pac4jRealm@7702a004] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JdbcAuthRealm@4089eb96] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.061 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.KerberosAuthRealm@73b6efce] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.LdapRealm@729c6363] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.ADRealm@6900f30d] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e.  Skipping realm.
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e].  Returned account [[email protected]]
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.web.servlet.SimpleCookie - [] - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/WebAPI; Max-Age=0; Expires=Mon, 09-Sep-2024 17:23:31 GMT; SameSite=lax]
2024-09-10 17:23:31.063 DEBUG http-nio-8080-exec-2 org.apache.shiro.mgt.AbstractRememberMeManager - [] - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2024-09-10 17:23:31.063 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthorizingRealm - [] - No authorizationCache instance set.  Checking for a cacheManager...
2024-09-10 17:23:31.063 DEBUG http-nio-8080-exec-2 org.apache.shiro.realm.AuthorizingRealm - [] - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
2024-09-10 17:23:31.334 DEBUG http-nio-8080-exec-5 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:33.634 DEBUG http-nio-8080-exec-4 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.
2024-09-10 17:23:33.638 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthenticatingRealm - [] - Looked up AuthenticationInfo [[email protected]] from doGetAuthenticationInfo
2024-09-10 17:23:33.639 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthenticatingRealm - [] - AuthenticationInfo caching is disabled for info [[email protected]].  Submitted token: [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25].
2024-09-10 17:23:33.639 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Performing credentials equality check for tokenCredentials of type [java.lang.String and accountCredentials of type [java.lang.String]
2024-09-10 17:23:33.639 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.credential.SimpleCredentialsMatcher - [] - Both credentials arguments can be easily converted to byte arrays.  Performing array equals comparison
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [io.buji.pac4j.realm.Pac4jRealm@7702a004] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JdbcAuthRealm@4089eb96] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.KerberosAuthRealm@73b6efce] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.LdapRealm@729c6363] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.ADRealm@6900f30d] does not support token org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25.  Skipping realm.
2024-09-10 17:23:33.640 DEBUG http-nio-8080-exec-4 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@65273d25].  Returned account [[email protected]]
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.web.servlet.SimpleCookie - [] - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/WebAPI; Max-Age=0; Expires=Mon, 09-Sep-2024 17:23:33 GMT; SameSite=lax]
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.mgt.AbstractRememberMeManager - [] - AuthenticationToken did not indicate RememberMe is requested.  RememberMe functionality will not be executed for corresponding account.
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthorizingRealm - [] - No authorizationCache instance set.  Checking for a cacheManager...
2024-09-10 17:23:33.641 DEBUG http-nio-8080-exec-4 org.apache.shiro.realm.AuthorizingRealm - [] - No cache or cacheManager properties have been set.  Authorization cache cannot be obtained.
2024-09-10 17:23:35.042 DEBUG http-nio-8080-exec-3 org.apache.shiro.web.servlet.OncePerRequestFilter - [] - Filter 'ssl' is not enabled for the current request.  Proceeding without invoking this filter.

Is there something I am missing, or is this a bug and we need to route to a different auth mechanism?
Please let me know if there is something else that can be provided to support.
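A small triage script, added here and not part of the issue or of the WebAPI project, that reads Shiro DEBUG lines of the shape shown above and separates the authentication outcome (which token type was accepted, which realms declined it) from the authorization data the returned principal carries. The sample lines are constructed from the ones above with identifiers and attributes shortened.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, shaped like the Shiro DEBUG lines in the issue (ids and attributes shortened).
SAMPLE_LOG = """\
2024-09-10 17:23:26.679 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [org.ohdsi.webapi.shiro.realms.JwtAuthRealm@6697968] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.679 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.pam.ModularRealmAuthenticator - [] - Realm [waffle.shiro.negotiate.NegotiateAuthenticationRealm@5054b5fa] does not support token io.buji.pac4j.token.Pac4jToken@29dfedb7.  Skipping realm.
2024-09-10 17:23:26.681 DEBUG http-nio-8080-exec-6 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [io.buji.pac4j.token.Pac4jToken@29dfedb7].  Returned account [#Pac4jPrincipal# | profiles: [#OidcProfile# | id: auth0|REDACTED | attributes: {email_verified=true, amr=["mfa"]} | roles: [] | permissions: [] | isRemembered: false | clientName: OidcClient | linkedId: null |] |]
2024-09-10 17:23:31.062 DEBUG http-nio-8080-exec-2 org.apache.shiro.authc.AbstractAuthenticator - [] - Authentication successful for token [org.ohdsi.webapi.shiro.tokens.JwtAuthToken@2ad36c2e].  Returned account [user@example.org]
"""

# A realm declining a token: "Realm [<class>@<hash>] does not support token <class>@<hash>."
SKIP_RE = re.compile(r"Realm \[(?P<realm>[^\]@]+)@[0-9a-f]+\] does not support token (?P<token>\S+)\.")
# The accepting authenticator: token instance plus the principal it returned.
AUTH_OK_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG (?P<thread>\S+) \S+ - \[\] - Authentication successful "
    r"for token \[(?P<token>[^\]]+)\]\.\s+Returned account \[(?P<account>.*)\]$")
# Role/permission lists embedded in a pac4j principal string.
ROLES_RE = re.compile(r"roles: \[(?P<roles>[^\]]*)\] \| permissions: \[(?P<perms>[^\]]*)\]")


@dataclass
class AuthEvent:
    timestamp: str
    thread: str
    token_class: str            # Shiro token type that some realm accepted
    realms_declined: list       # realms that logged "does not support token" for it
    roles: Optional[list]       # None when the principal string carries no role info at all
    permissions: Optional[list]


def _split_list(s: str) -> list:
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_auth_events(log_text: str) -> list:
    declined = {}   # token instance (class@hash) -> realms that declined it
    events = []
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            declined.setdefault(m.group("token"), []).append(m.group("realm"))
            continue
        m = AUTH_OK_RE.match(line)
        if not m:
            continue
        token = m.group("token")
        rp = ROLES_RE.search(m.group("account"))
        events.append(AuthEvent(
            timestamp=m.group("ts"), thread=m.group("thread"),
            token_class=token.split("@", 1)[0],
            realms_declined=declined.get(token, []),
            roles=_split_list(rp.group("roles")) if rp else None,
            permissions=_split_list(rp.group("perms")) if rp else None))
    return events


def authenticated_without_authorization(events: list) -> list:
    """Events where a realm accepted the token but the principal carries no role or permission."""
    return [e for e in events if e.roles == [] and e.permissions == []]


if __name__ == "__main__":
    found = parse_auth_events(SAMPLE_LOG)
    for e in found:
        print(e)
    print("authn ok, authz empty:", [e.token_class for e in authenticated_without_authorization(found)])
```

Run against the full WebAPI log to see, per request thread, whether a successful login was followed by any role or permission data; an accepted Pac4jToken with empty lists is exactly the state the issue describes.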

@konstjar
Contributor

konstjar commented Nov 5, 2024

Even though you configured the authentication, ATLAS/WebAPI will not grant the role automatically. In order to grant your user admin permissions, please follow this section in the documentation: https://github.com/OHDSI/WebAPI/wiki/Atlas-Security#defining-an-administrator
