OAuth support


OAuth support

t.r.stickland@sanger.ac.uk
I was doing a search of the documentation to see if there was any support for OAuth.

I was momentarily excited to see the "OauthUserAuthentication" option at https://genomearchitect.readthedocs.io/en/1.0.4/Database_setup/ until I noticed it was for a really old version.

I can't find any mention in the current documentation, although I did find the "Other authentication strategies" section (https://genomearchitect.readthedocs.io/en/latest/Configure.html?highlight=remoteUserAuthenticatorService#other-authentication-strategies).  That mentions remoteUserAuthenticatorService, which I guess is the successor to the RemoteUserAuthentication option in the old version -- but no mention of OAuth.  Also, this section is very short and I can't find any other information about enabling anything other than the built-in username & password authentication.

Am I missing something?  If anyone could point me in the right direction, I would be very grateful!

thanks

Tim

-- The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

--
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].

Re: OAuth support

nathandunn

Tim, 

I updated the doc a little bit: https://genomearchitect.readthedocs.io/en/latest/Configure.html?highlight=Remote%20User%20Authentication#other-authentication-strategies

Most of the folks that have used OAuth have an Apache proxy and the Remote User Authentication or have used the web services to inject names in directly: https://github.com/GMOD/Apollo/blob/develop/docs/Web_services.md#python-client

If you can’t do that, we can maybe meet offline to see how we can put together an OAuth solution that is somewhat generalizable (this has been on my todo-list for awhile - https://github.com/GMOD/Apollo/issues/136).    

Nathan



Re: OAuth support [EXT]

t.r.stickland@sanger.ac.uk
Thanks, those links are helpful.   The apache proxy/remote user authentication is probably the best place to start -- especially as I've been meaning to add an apache proxy anyway, as I know it's only a matter of time before I need rewrite rules, or have to serve static content, etc.

tim




Re: OAuth support [EXT]

t.r.stickland@sanger.ac.uk
In reply to this post by nathandunn
Nathan

I added an apache proxy, and then set up OIDC authentication using mod_auth_openidc, which was all tolerably straightforward -- but I can't get the Apollo remote user authentication working.

Unless I misread the galaxy documentation you referred me to,  the apache authentication should set a REMOTE_USER environment variable that contains the user's credentials.  I'm not quite clear what these are, but I think it should contain at least their openid, and  (if I configured the OIDC module correctly) their email address and some profile information should be present too?   Anyway, I get that this information has to be put into an HTTP header by the proxy so it is available to Apollo.

I think I have managed to do that correctly, but I can't really debug it as I'm not sure what the expected content of the header is.

I have added the apollo-config.groovy settings recommended in the documentation, except with Remote User Authentication active, i.e.

        [    "name":"Remote User Authenticator",
             "className":"remoteUserAuthenticatorService",
             "active":true,
        ]

I take it that the remoteUserAuthenticatorService expects a REMOTE_USER header?

I can't find any references that mention configuring this, and it seems too optimistic to hope it will Just Work -- at least, I take my hat off to you if it does :)  Since the REMOTE_USER content could derive from a variety of apache modules, and how it is presented in the HTTP header also seems to be variable, especially as the recommendations in the galaxy documentation suggest rewriting the environment variable.

Can you point me at any documentation that I've missed, or let me know what header(s) remoteUserAuthenticatorService expects, and what the contents should be?

Thanks again

tim




Re: OAuth support [EXT]

nathandunn

Tim, 

I think you add it explicitly in the apache config e.g., :


but I’ll see if I can’t bug the original authors to see if they have further insight.

Cheers,

Nathan



Re: OAuth support [EXT]

nathandunn


From one of our other users (thanks Cory):

We use a "RequestHeader set X-Remote-User %{REMOTE_USER}s" method to add the REMOTE USER header to our galaxy log in, and then the galaxy credentials are passed through https://github.com/erasche/gx-cookie-proxy that adds the expected header for Apollo. I think this ends up being the same header for our remote galaxy authentication but also adds the header for the galaxy managed users. 

I'm not sure if Oauth would require anything different, I'm not familiar enough with it.

I’m guessing you are using this:


It looks like it gets set automatically. 

Can you confirm / deny that the REMOTE_USER header is being sent to tomcat? 


Actually, I’m looking at the logging and you should see a lot of output related to logging in a remote user.  Can you share any logging info? 



Your configuration should look like this (so it uses RemoteUser first):

authentications = [
    [
        "name": "Remote User Authenticator",
        "className": "remoteUserAuthenticatorService",
        "active": true
    ],
    [
        "name": "Username Password Authenticator",
        "className": "usernamePasswordAuthenticatorService",
        "active": true
    ]
]

Thanks,

Nathan


Re: OAuth support [EXT]

t.r.stickland@sanger.ac.uk
Thanks a lot for this.

You're correct that I'm using mod_auth_openidc, and I can see a REMOTE_USER is set in the apache environment (plus various other variables, including the user's name).  For instance:
[hidden email]
OIDC_CLAIM_given_name=Tim
OIDC_CLAIM_iss=https://orcid.org
OIDC_CLAIM_family_name=Stickland
OIDC_CLAIM_id=https://orcid.org/0000-0003-3185-1433
OIDC_CLAIM_sub=0000-0003-3185-1433
plus various token values, timestamps and so on.

As you said, mod_auth_openidc should send a header as well as setting the REMOTE_USER environment variable, but I explicitly set the configuration option ("OIDCPassClaimsAs  both") anyway.      I also tried "RequestHeader  set   X-Remote-User  expr=%{REMOTE_USER}" in the apache proxy configuration.

The behaviour remains as before:  I  have to do an openid log in to get to apollo, but thereafter I get the usual username/password dialog within apollo.

I can't see any relevant output in the logs, except these 2 lines for each log in attempt:
2019-09-18 16:18:20,049 [http-nio-8080-exec-4] ERROR apollo.PermissionService  - Username not supplied so can not authenticate.
2019-09-18 16:18:20,172 [http-nio-8080-exec-1] ERROR apollo.PermissionService  - Username not supplied so can not authenticate.
(I think this is expected when an unauthorized user connects?)

 I'm not familiar with tomcat so maybe I'm looking in the wrong place?    The only logs (with content) are 'catalina' and 'localhost', but neither have any output after the usual server startup messages.   Any more tips on where to look, or logging options I can turn on?

I'm a bit stumped at the moment because I can see HTTP requests during the openid authentication process, and the data retrieved in the apache environment, but ATM I can't find a way to check what apollo (i.e. tomcat) is receiving, and I don't know what it requires :-/

tim


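The two questions Tim raises in this thread, what header remoteUserAuthenticatorService is supposed to receive and how to see what Tomcat is actually being sent, are easier to reason about with a small model of the hand-off. The following Python is an added example, not code from the Apollo project, from mod_auth_openidc, or from anyone in this thread. It assumes the identity travels in a header named X-Remote-User (the name Cory's RequestHeader line uses), takes the Apache-side environment as a plain dict (a constructed sample modelled on the OIDC_CLAIM_* variables Tim lists, with invented values), and includes a header-echo server that can stand in for Tomcat while debugging.

```python
"""Added example (not Apollo's or mod_auth_openidc's own code).

Models the proxy-to-backend hand-off discussed in the thread: Apache,
having authenticated the user with mod_auth_openidc, has REMOTE_USER and
OIDC_CLAIM_* in its environment and forwards the identity to the backend
as an HTTP header.  The header name, claim names and sample values below
are assumptions/constructed for illustration.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header the backend reads.  Assumed name, taken from the RequestHeader
# line quoted in the thread.
REMOTE_USER_HEADER = "X-Remote-User"

# Constructed sample of what mod_auth_openidc leaves in the Apache
# environment after a successful OIDC login (all values invented).
SAMPLE_APACHE_ENV = {
    "REMOTE_USER": "user@example.org",
    "OIDC_CLAIM_email": "user@example.org",
    "OIDC_CLAIM_given_name": "Tim",
    "OIDC_CLAIM_family_name": "Example",
    "OIDC_CLAIM_iss": "https://orcid.org",
    "OIDC_CLAIM_sub": "0000-0000-0000-0000",
}


def build_upstream_headers(apache_env, client_headers):
    """Proxy side: the headers to send upstream.

    Mirrors the "RequestHeader set X-Remote-User %{REMOTE_USER}s" idea with
    one rule added: any client-supplied copy of the identity header is
    dropped first, so the backend only ever sees the value the proxy
    itself authenticated.  Without REMOTE_USER no identity header is sent.
    """
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != REMOTE_USER_HEADER.lower()}
    user = apache_env.get("REMOTE_USER")
    if user:
        upstream[REMOTE_USER_HEADER] = user
    return upstream


def remote_user_from_request(headers, peer_ip, trusted_proxies):
    """Backend side: honour the identity header only when the request came
    from a trusted proxy address; otherwise return None so the caller
    falls back to username/password.  Header lookup is case-insensitive
    and an empty/blank value counts as "no user supplied"."""
    if peer_ip not in trusted_proxies:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(REMOTE_USER_HEADER.lower(), "").strip()
    return user or None


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Stand-in for Tomcat while debugging: point the proxy at this port
    and it returns, as JSON, the request headers it actually received."""

    def do_GET(self):
        body = json.dumps(dict(self.headers.items()), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep the demo quiet; the JSON body carries the information.
        pass


if __name__ == "__main__":
    # Show the proxy-side transformation on the constructed sample, with a
    # client that tried to supply its own X-Remote-User, then serve the
    # echo endpoint (Ctrl-C to stop).  Port 8081 is an arbitrary choice
    # that avoids clashing with Tomcat on 8080.
    spoofed = {"Host": "apollo.example.org", "X-Remote-User": "admin"}
    print(json.dumps(build_upstream_headers(SAMPLE_APACHE_ENV, spoofed), indent=2))
    HTTPServer(("127.0.0.1", 8081), HeaderEchoHandler).serve_forever()
```

Run as a script it prints the headers the proxy would forward for the sample and then serves the echo endpoint; temporarily pointing the Apache ProxyPass at 127.0.0.1:8081 instead of Tomcat shows exactly which headers survive the hop, which is the missing piece when the only evidence is "Username not supplied" in the Apollo log. The two defensive checks, dropping any client-supplied X-Remote-User before setting it from REMOTE_USER and only honouring the header on the backend when the request arrived from the proxy, matter once the login works: a backend that accepts the header from any source lets anyone who can reach it directly pick their own username.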

Re: OAuth support [EXT]

nathandunn

Tim, 

Everything looks correct AFAICT.   For some reason it's not reading the JSON through. 

Two things that would really help me.   

  (`debug grails.app` and debug ‘org.bbop.apollo’) and redo the login attempt. 

2 - If you “select * from grails_user;” what do you see?

Nathan


On Sep 18, 2019, at 8:28 AM, Tim Stickland <[hidden email]> wrote:

Thanks a lot for this.

You correct that I'm using mod_auth_openidc, and I can see a REMOTE_USER is set in the apache environment (plus various other variables, including the user's name).  For instance:
[hidden email]
OIDC_CLAIM_given_name=Tim
OIDC_CLAIM_iss=https://orcid.org
OIDC_CLAIM_family_name=Stickland
OIDC_CLAIM_id=https://orcid.org/0000-0003-3185-1433
OIDC_CLAIM_sub=0000-0003-3185-1433
plus various token values, timestamps and so on.

As you said, mod_auth_openidc should send a header as well as setting the REMOTE_USER environment variable, but I explicitly set the configuration option ("OIDCPassClaimsAs  both") anyway.      I also tried "RequestHeader  set   X-Remote-User  expr=%{REMOTE_USER}" in the apache proxy configuration.

The behaviour remains as before:  I  have to do an openid log in to get to apollo, but thereafter I get the usual username/password dialog within apollo.

I can't see any relevant output in the logs, except thesde 2 lines for each log in attempt:
2019-09-18 16:18:20,049 [http-nio-8080-exec-4] ERROR apollo.PermissionService  - Username not supplied so can not authenticate.
2019-09-18 16:18:20,172 [http-nio-8080-exec-1] ERROR apollo.PermissionService  - Username not supplied so can not authenticate.
(I think this is expected when an unauthorized user connects?)

 I'm not familiar with tomcat so maybe I'm looking in the wrong place?    The only logs (with content) are 'catalina' and 'localhost', but neither have any output after the usual server startup messages.   Any more tips on where to look, or logging options I can turn on?

I'm a bit stumped at the moment because I can see HTTP requests during the openid authentication process, and the data retrieved in the apache environment, but ATM I can't find a way to check what apollo (i.e. tomcat) is receiving, and I don't know what it requires :-/

tim


On 17/09/2019 20:30, Nathan Dunn wrote:


From one of our other users (thanks Cory):

We use a "RequestHeader set X-Remote-User %{REMOTE_USER}s" method to add the REMOTE USER header to our galaxy log in, and then the galaxy credentials are passed through https://github.com/erasche/gx-cookie-proxy [github.com] that adds the expected header for Apollo. I think this ends up being the same header for our remote galaxy authentication but also adds the header for the galaxy managed users. 

I'm not sure if Oauth would require anything different, I'm not familiar enough with it.

I’m guessing you are using this:


It looks like it gets set automatically. 

Can you confirm / deny that the REMOTE_USER header is being sent to tomcat? 


Actually, I’m looking at the logging and you should see a lot of output related to logging in a remote user.  Can you share any logging info? 



Your configuration should look like this (so it uses RemoteUser first):

authentications = [
    [
        "name":"Remote User Authenticator",
        "className":"remoteUserAuthenticatorService",
        "active: true
    ],
    [
        "name":"Username Password Authenticator",
        "className":"usernamePasswordAuthenticatorService",
        "active": true
    ]
]

Thanks,

Nathan

On Sep 17, 2019, at 11:33 AM, Nathan Dunn <[hidden email]> wrote:


Tim, 

I think you add it explicitly in the apache config e.g., :


but I’ll see if I can’t bug the original authors to see if they have further insight.

Cheers,

Nathan


On Sep 17, 2019, at 9:42 AM, Tim Stickland <[hidden email]> wrote:

Nathan

I added an apache proxy, and then set up OIDC authentication using mod_auth_openidc, which was all tolerably straightforward -- but I can't get the Apollo remote user authentication working.

Unless I misread the galaxy documentation you referred me to,  the apache authentication should set a REMOTE_USER environment variable that contains the user's credentials.  I'm not quite clear what these are, but I think it should contain at least their openid, and  (if I configured the OIDC module correctly) their email address and some profile information should be present too?   Anyway, I get that this information has to be put into an HTTP header by the proxy so it is available to Apollo.

I think I have managed to do that correctly, but I can't really debug it as I'm not sure what the expected content of the header is.

I have added the apollo-config.groovy settings recommended in the documentation, except with Remote User Authentication active, i.e.

        [
            "name":"Remote User Authenticator",
            "className":"remoteUserAuthenticatorService",
            "active":true,
        ]

I take it that the remoteUserAuthenticatorService expects a REMOTE_USER header?

I can't find any references that mention configuring this, and it seems too optimistic to hope it will Just Work -- at least, I take my hat off to you if it does :)  Since the REMOTE_USER content could derive from a variety of apache modules, and how it is presented in the HTTP header also seems to be variable, especially as the recommendations in the galaxy documentation suggest rewriting the environment variable.

Can you point me at any documentation that I've missed, or let me know what header(s) remoteUserAuthenticatorService expects, and what the contents should be?

Thanks again

tim



On 09/09/2019 19:28, Nathan Dunn wrote:

Tim, 


Most of the folks that have used OAuth have an Apache proxy and the Remote User Authentication or have used the web services to inject names in directly: https://github.com/GMOD/Apollo/blob/develop/docs/Web_services.md#python-client

If you can't do that, we can maybe meet offline to see how we can put together an OAuth solution that is somewhat generalizable (this has been on my todo-list for awhile - https://github.com/GMOD/Apollo/issues/136).

Nathan


On Sep 9, 2019, at 9:08 AM, Tim Stickland <[hidden email]> wrote:

I was doing a search of the documentation to see if there was any support for OAuth.

I was momentarily excited to see the "OauthUserAuthentication" option at https://genomearchitect.readthedocs.io/en/1.0.4/Database_setup/ until I noticed it was for a really old version.

I can't find any mention in the current documentation, although I did find the "Other authentication strategies" section (https://genomearchitect.readthedocs.io/en/latest/Configure.html?highlight=remoteUserAuthenticatorService#other-authentication-strategies). That mentions remoteUserAuthenticatorService which I guess is the successor to the RemoteUserAuthentication option in the old version -- but no mention of OAuth. Also, this section is very short and I can't find any other information about enabling anything other than the built-in username & password authentication.

Am I missing something?  If anyone could point me in the right direction, I would be very grateful!

thanks

Tim

-- The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.








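One way to answer the open question in this thread (what headers Tomcat actually receives from the Apache proxy) is to temporarily point the proxy's ProxyPass at a header-echo server instead of Apollo and make one authenticated request. The script below is an added example, not part of Apollo or of this thread; the candidate header names it looks for are assumptions, since the thread never states which header remoteUserAuthenticatorService reads.

```python
"""Header-echo stand-in for Tomcat: logs every header the proxy forwards.

Run it on the port the proxy forwards to, make one request through the
OIDC-protected proxy, and read the JSON report on stderr.  Because
"RequestHeader set" overwrites any value the browser sent, the header
seen here is the proxy's; Tomcat must only be reachable via the proxy so
that nothing else can supply it."""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names commonly used to carry the proxy-authenticated user.
# Verify the exact name Apollo expects against its own source or docs.
CANDIDATE_HEADERS = ("remote_user", "remote-user", "x-remote-user",
                     "x-forwarded-user")


def find_remote_user_headers(headers):
    """Return {header-name: value} for every candidate header present.

    `headers` is any iterable of (name, value) pairs; matching ignores
    case because HTTP header names are case-insensitive."""
    found = {}
    for name, value in headers:
        if name.lower() in CANDIDATE_HEADERS:
            found[name] = value
    return found


class EchoHandler(BaseHTTPRequestHandler):
    """Replies with, and logs, everything it received from the proxy."""

    def do_GET(self):
        received = list(self.headers.items())
        report = {
            "path": self.path,
            "client": self.client_address[0],
            "all_headers": dict(received),
            "remote_user_headers": find_remote_user_headers(received),
        }
        body = json.dumps(report, indent=2).encode()
        sys.stderr.write(body.decode() + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    HTTPServer(("127.0.0.1", port), EchoHandler).serve_forever()
```

If the report shows no remote-user style header at all, the problem is in the Apache side (mod_auth_openidc or the RequestHeader line); if it shows one under a name Apollo does not read, the fix is renaming it in the proxy.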