[midPoint] Questions regarding the Flexible Authentication.

Sébastien MARBRIER smarbrier at positivethinking.tech
Wed Feb 9 16:27:29 CET 2022


Dear community,

I am trying to implement the reset password mechanism using Flexible Authentication in midPoint 4.4.
I am following the documentation in https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/

So, my global security policy contains more or less the same thing as the sample https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml

    <authentication>
        <modules>
            <loginForm id="4">
                <name>internalLoginForm</name>
                <description>Internal username/password authentication, default user password, login form</description>
            </loginForm>
            <mailNonce id="5">
                <name> registrationMail </name>
                <description>Authentication based on mail message with a nonce. Used for user registration.</description>
                <credentialName>mailNonce</credentialName>
            </mailNonce>
        </modules>
        <sequence id="6">
            <name>admin-gui-default</name>
            <description>
                Default GUI authentication sequence.
                We want to try internal.
                Just one of them needs to be successful to let the user in.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                <default>true</default>
                <urlSuffix>default</urlSuffix>
            </channel>
            <module id="8">
                <name>internalLoginForm</name>
                <order>20</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <sequence id="7">
            <name>userPasswordResetAuth</name>
            <description>Just a nonce mail to validate e-mail address.</description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#resetPassword</channelId>
                <urlSuffix>resetPassword</urlSuffix>
            </channel>
            <module id="9">
                <name>registrationMail</name>
                <order>10</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
    </authentication>

Since my nonce mail has a specific value policy, it is referenced in the credentials block, as also stated in the documentation:
https://github.com/Evolveum/midpoint-samples/blob/master/samples/experimental/flexible-auth-final.xml

    <credentials>
        <nonce>
            <maxAge>P30D</maxAge>
            <name>mailNonce</name>
            <valuePolicyRef oid="oid-for-nonce-valuePolicy" relation="org:default" type="c:ValuePolicyType"></valuePolicyRef>
        </nonce>
        ...
    </credentials>

Currently the link generated to reset the password has the following format:
http://<base-url>:<port>/midpoint/confirm/reset?11&user=<userId>&token=<tokenvalue>
Since the URL suffix is resetPassword, I assume it is normal that the link for already existing users is no longer valid.
2022-02-09 15:22:53,064 [MODEL] [http-nio-8080-exec-8] ERROR (com.evolveum.midpoint.web.page.login.PageRegistrationConfirmation): web.security.provider.invalid, reason: web.security.provider.invalid (class org.springframework.security.authentication.BadCredentialsException)

But when I try to update the link manually, such as
http://<base-url>:<port>/midpoint/resetPassword?11&user=<userId>&token=<tokenvalue>
it ends up with an exception:
2022-02-09 15:26:47,117 [MODEL] [http-nio-8080-exec-7] ERROR (com.evolveum.midpoint.web.security.filter.MidpointAuthFilter): Couldn't find sequence for URI '/midpoint/resetPassword' in authentication of Security Policy with oid <oid-for-global-security-policy>
2022-02-09 11:40:35,727 [MODEL] [http-nio-8080-exec-4] ERROR (com.evolveum.midpoint.web.security.filter.MidpointAuthFilter): Couldn't find sequence for URI '/midpoint/resetPassword' in authentication of Security Policy with oid <oid-for-global-security-policy>
java.lang.IllegalArgumentException: Couldn't find sequence for URI '/midpoint/resetPassword' in authentication of Security Policy with oid <oid-for-global-security-policy>

I also noticed that the user activation via REST does not work anymore:
2022-02-09 15:48:52,332 [MODEL] [http-nio-8080-exec-2] ERROR (com.evolveum.midpoint.web.security.filter.MidpointAuthFilter): Couldn't find sequence for URI '/midpoint/ws/rest/users/search' in authentication of Security Policy with oid u75-global-security-policy

So I added the following to the global security policy, but I am not sure it is relevant for my case:
        <sequence id="11">
            <name>rest</name>
            <description>
                Authentication sequence for REST service.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
                <default>true</default>
                <urlSuffix>rest-default</urlSuffix>
            </channel>
            <module id="12">
                <name>internalBasic</name>
                <order>10</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>

After using it I receive the following exception:
2022-02-09 16:22:27,926 [MODEL] [http-nio-8080-exec-1] ERROR (com.evolveum.midpoint.web.security.filter.TranslateExceptionFilter): Couldn't find filters for sequence rest

I see nothing changed in the documentation: https://docs.evolveum.com/midpoint/reference/interfaces/rest/

Thank you very much for your help.


Sébastien Marbrier | Senior IT Consultant
smarbrier at positivethinking.tech
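Added example, not midPoint's code or the poster's: a small Python lint that parses the policy fragments quoted above (condensed into a constructed sample, keeping the whitespace around registrationMail as posted) and reports module references with no definition, credentialName values with no <credentials> entry, and module names with surrounding whitespace. On the quoted configuration it flags the padded registrationMail name and the rest sequence's reference to internalBasic, which the quoted <modules> block does not define.

```python
import xml.etree.ElementTree as ET

CH = "http://midpoint.evolveum.com/xml/ns/public/common/channels-3#"

# Constructed sample, condensed from the security policy quoted in the post.
SAMPLE = f"""<securityPolicy><authentication>
  <modules>
    <loginForm id="4"><name>internalLoginForm</name></loginForm>
    <mailNonce id="5"><name> registrationMail </name><credentialName>mailNonce</credentialName></mailNonce>
  </modules>
  <sequence id="6"><name>admin-gui-default</name>
    <channel><channelId>{CH}user</channelId><default>true</default><urlSuffix>default</urlSuffix></channel>
    <module id="8"><name>internalLoginForm</name></module></sequence>
  <sequence id="7"><name>userPasswordResetAuth</name>
    <channel><channelId>{CH}resetPassword</channelId><urlSuffix>resetPassword</urlSuffix></channel>
    <module id="9"><name>registrationMail</name></module></sequence>
  <sequence id="11"><name>rest</name>
    <channel><channelId>{CH}rest</channelId><default>true</default><urlSuffix>rest-default</urlSuffix></channel>
    <module id="12"><name>internalBasic</name></module></sequence>
</authentication>
<credentials><nonce><name>mailNonce</name></nonce></credentials></securityPolicy>"""


def lint_policy(xml_text):
    """Return a list of findings; an empty list means all references resolve."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = {}  # stripped module name -> module element (the tag is the module type)
    for mod in root.find("./authentication/modules"):
        raw = mod.findtext("name", "")
        if raw != raw.strip():
            findings.append(f"module {mod.tag} id={mod.get('id')}: name {raw!r} has surrounding whitespace")
        defined[raw.strip()] = mod
    # A mailNonce module must point at a credential defined under <credentials>.
    cred_names = {n.text.strip() for n in root.findall("./credentials/*/name")}
    for name, mod in defined.items():
        cred = mod.findtext("credentialName")
        if cred is not None and cred.strip() not in cred_names:
            findings.append(f"module {name}: credentialName {cred!r} has no <credentials> entry")
    # Every module a sequence lists must exist in <modules>.
    for seq in root.findall("./authentication/sequence"):
        sname = seq.findtext("name", "").strip()
        for ref in seq.findall("module/name"):
            if ref.text.strip() not in defined:
                findings.append(f"sequence {sname}: references undefined module {ref.text.strip()!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```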