[MGNLSSO-57] Google OpenId authentication does not work Created: 25/May/21  Updated: 03/Aug/22

Status: Open
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Edwin Guilbert Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: 0d
Time Spent: 0.25d
Original Estimate: Not Specified
Environment: Magnolia 6.2.8 & magnolia-sso 1.1

Attachments: PNG File Screenshot 2021-05-24 at 15.31.51.png
Issue Links:
dependency
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: SSO support for custom IdPs
Team: AdminX

Description

Trying to configure Google's OpenID authentication does not seem to work.

I provided the following config (using a working Google project with the redirect URI properly registered):

authenticationService:
  path: /.magnolia/admincentral
  callbackUrl: http://localhost:8080/.auth
  groupMappings:
    /publishers:
      roles:
        - superuser
  pac4j:
    oidc.id: xxxx.apps.googleusercontent.com
    oidc.secret: yyyyy
    oidc.scope: openid email
    oidc.discoveryUri: https://accounts.google.com/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256

and got the following exception in the browser after logging in to Google and being properly redirected to Magnolia according to the OpenID flow:

org.pac4j.core.exception.TechnicalException: State cannot be determined
	org.pac4j.oidc.credentials.extractor.OidcExtractor.lambda$extract$0(OidcExtractor.java:100)
	java.util.Optional.orElseThrow(Optional.java:290)
	org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:100)
	org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:66)
	org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:143)
	org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:85)
	info.magnolia.sso.SsoCallbackServlet.doGet(SsoCallbackServlet.java:57)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
	info.magnolia.cms.filters.ServletDispatchingFilter.doFilter(ServletDispatchingFilter.java:148)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.virtualuri.VirtualUriFilter.doFilter(VirtualUriFilter.java:98)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	info.magnolia.module.cache.executor.Bypass.processCacheRequest(Bypass.java:58)
	info.magnolia.module.cache.executor.CompositeExecutor.processCacheRequest(CompositeExecutor.java:66)
	info.magnolia.module.cache.filter.CacheFilter.doFilter(CacheFilter.java:164)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.i18n.I18nContentSupportFilter.doFilter(I18nContentSupportFilter.java:85)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.RangeSupportFilter.doFilter(RangeSupportFilter.java:78)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.security.BaseSecurityFilter.doFilter(BaseSecurityFilter.java:57)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.multisite.filters.CrossSiteSecurityFilter.doFilter(CrossSiteSecurityFilter.java:104)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	info.magnolia.cms.security.SecurityCallbackFilter.doFilter(SecurityCallbackFilter.java:84)
	info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.security.LogoutFilter.doFilter(LogoutFilter.java:94)
	info.magnolia.sso.SsoLogoutFilter.doFilter(SsoLogoutFilter.java:51)
	info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.module.site.filters.SiteMergeFilter.doFilter(SiteMergeFilter.java:119)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.multisite.filters.MultiSiteFilter.doFilter(MultiSiteFilter.java:120)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.MultiChannelFilter.doFilter(MultiChannelFilter.java:83)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.sitemesh.webapp.MagnoliaSiteMeshFilter.bufferAndPostProcess(MagnoliaSiteMeshFilter.java:95)
	org.sitemesh.webapp.contentfilter.ContentBufferingFilter.doFilter(ContentBufferingFilter.java:126)
	org.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:120)
	org.sitemesh.config.ConfigurableSiteMeshFilter.doFilter(ConfigurableSiteMeshFilter.java:163)
	info.magnolia.sitemesh.config.MagnoliaConfigurableSiteMeshFilter.doFilter(MagnoliaConfigurableSiteMeshFilter.java:92)
	info.magnolia.cms.filters.FilterDecorator.doFilter(FilterDecorator.java:90)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.module.cache.filter.GZipFilter.doFilter(GZipFilter.java:74)
	info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	info.magnolia.sso.SsoLoginFilter.lambda$doFilter$0(SsoLoginFilter.java:81)
	org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:167)
	info.magnolia.sso.SsoLoginFilter.doFilter(SsoLoginFilter.java:79)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.enterprise.registration.RegistrationFilter.doFilter(RegistrationFilter.java:79)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
	info.magnolia.cms.filters.MultipartRequestFilter.doFilter(MultipartRequestFilter.java:151)
	info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.personalization.preview.filter.PreviewFilter.doFilter(PreviewFilter.java:92)
	info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:59)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.personalization.trait.AbstractTraitDetectorFilter.doFilter(AbstractTraitDetectorFilter.java:80)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.personalization.trait.AbstractTraitDetectorFilter.doFilter(AbstractTraitDetectorFilter.java:80)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.personalization.trait.AbstractTraitDetectorFilter.doFilter(AbstractTraitDetectorFilter.java:80)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.personalization.trait.AbstractTraitDetectorFilter.doFilter(AbstractTraitDetectorFilter.java:80)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:155)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:128)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
	info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:65)
	info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
	info.magnolia.cms.filters.SafeDestroyMgnlFilterWrapper.doFilter(SafeDestroyMgnlFilterWrapper.java:107)
	info.magnolia.cms.filters.MgnlFilterDispatcher.doDispatch(MgnlFilterDispatcher.java:67)
	info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:110)
	info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:96)

In the logs I only got:

2021-05-24 15:31:21,787 WARN  c4j.core.client.finder.DefaultSecurityClientFinder: Migration required: use the 'force_client' parameter instead of the 'client_name' parameter to force a client for security. URL: http://localhost:8080/.auth?client_name=OidcClient&state=fad0d5203d&code=4%2F0AY0e-g5A-m0tKSFzgFGyAwn00YFIExRGExC55PtN7zkexcKtboN3aMa44MWpCdjXw5Qulg&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=consent
24-May-2021 15:35:34.522 INFO [Catalina-utility-1] org.atmosphere.util.ForkJoinPool.<init> Using ForkJoinPool  java.util.concurrent.ForkJoinPool. Set the org.atmosphere.cpr.broadcaster.maxAsyncWriteThreads to -1 to fully use its power.
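The trace shows the exception coming out of the `orElseThrow` in `OidcExtractor.extract`, which is the point where pac4j looks up the state it stored in the session when it started the login and finds nothing; the returned `state` from the callback URL is only compared after that lookup succeeds. The Python sketch below is an added illustration of that callback check, not code from the Magnolia SSO module or pac4j: the session is a plain dict, the `STATE_ATTR` attribute name and the `CODE-*` values are constructed stand-ins, and the callback URLs copy the shape of the one in the log above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical session attribute name; pac4j stores the state per client,
# but the real attribute name is not part of the issue text.
STATE_ATTR = "OidcClient.state"


def start_login(session: dict) -> str:
    """Relying-party side: mint a random state, remember it in the user's
    session and return it for the authorization request sent to Google."""
    state = secrets.token_hex(5)  # 10 hex chars, like 'state=' in the log
    session[STATE_ATTR] = state
    return state


def extract_callback(session: dict, callback_url: str) -> dict:
    """Checks a relying party performs when the IdP redirects back to
    /.auth?state=...&code=... (same order as the lookup in the trace)."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if returned_state is None or code is None:
        return {"ok": False, "error": "missing state or code on callback"}
    expected = session.get(STATE_ATTR)
    if expected is None:
        # The callback arrived on a session holding no state for this
        # client: this is the "State cannot be determined" outcome.
        return {"ok": False, "error": "State cannot be determined"}
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        # A state that does not match is the CSRF / mix-up signal; stop here.
        return {"ok": False, "error": "state mismatch"}
    del session[STATE_ATTR]  # one-shot: the same callback cannot be replayed
    return {"ok": True, "code": code}


def scenarios() -> dict:
    """Constructed walk-through of the three outcomes on localhost URLs."""
    base = "http://localhost:8080/.auth?client_name=OidcClient"
    good, fresh, tampered = {}, {}, {}  # fresh: no stored state at all
    state = start_login(good)
    start_login(tampered)
    return {
        "match": extract_callback(good, f"{base}&state={state}&code=CODE-1"),
        "no_session_state": extract_callback(fresh, f"{base}&state=fad0d5203d&code=CODE-2"),
        "mismatch": extract_callback(tampered, f"{base}&state=0000000000&code=CODE-3"),
    }
```

The `no_session_state` case is the one that reproduces the reporter's error: the callback request reaches the server without the session entry created at login start, so there is nothing to compare the returned `state` against.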

Comments
Comment by Maxime Michel [ 26/May/21 ]

Two issues:

  • Google requires a manual verification before the app can request the 'groups' scope: painful but might be worth doing to validate the production use case
  • there is no user id in Google, which leads to a NPE: automatically resolve it from the email
Comment by Maxime Michel [ 27/May/21 ]

This is still an issue but I will not work on it right now after discussing with slutz. Yesterday I was able to make it work with the following changes: https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/browse?at=refs%2Fheads%2Fgoogle-poc

Generated at Mon Feb 12 10:50:42 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.