[midPoint] oidc + infrastructure url problem

Markus Calmius markus.calmius at proton.ch
Sat May 25 09:33:16 CEST 2024


Hi Martin,

I found out that we had an nginx reverse proxy in front of it on the same machine. Not sure exactly why that caused the issue, but it was also the solution.
We make sure everything that doesn't start with <host>/midpoint/ is rewritten to <host>/midpoint/

Doing that, everything works fine, and notifications containing URLs to the approval tasks work fine too.

Thanks for the Tomcat info though, it might be worth taking a look at in the future. For now, everything seems to work fine :)

Kind regards,
Markus
On Friday, 24 May 2024 at 18:20, martin.spanik at evolveum.com <martin.spanik at evolveum.com> wrote:

> Hi Markus,
> 
> When you send an HTTP request to midPoint, it responds with redirects to the login page (default authentication).
> The redirect path is relative if <publicHttpUrlPattern> is not set. If <publicHttpUrlPattern> is set, the path in redirects is absolute, containing the content of the parameter with a trailing slash added.
> 
> 
> I tried to replicate your issue, but was not able to get the same error as you. It looks like the parsing of the hostname is failing for some reason.
> 
> Could you, please, check that:
> - there is no typo in the <publicHttpUrlPattern> definition
> 
> - the <publicHttpUrlPattern> does not end with a slash ("/") character - this hasn't been mentioned in the docs yet; <publicHttpUrlPattern> can't end with "/"
> 
> - if you modified the local part (e.g. <yourhost>/test-midpoint), then also check that the Tomcat configuration is synchronized with it.
> 
> The parameter is server.servlet.context-path (value: /test-midpoint) and can be set via the application.yaml config file or the MP_SET_server_servlet_context-path variable.
> See: https://docs.evolveum.com/midpoint/operations-manual/#changing-the-midpoint-embedded-tomcat-configuration
> 
> These checks will probably not solve the issue - just want to avoid some obvious errors.
> 
> I suppose that there is some issue with the hostname.
> - Could you, please, send me the value of <publicHttpUrlPattern>?
> 
> - Could you, please, send a short description of the environment technology you are testing on (Kubernetes / Docker / ..)
> 
> You can send the data privately directly to my email (or support at evolveum.com), or you can anonymize part of the domain. But I would like to have at least the structure of the name.
> 
> Best regards,
> 
> Martin Spanik,
> Identity Engineer, Evolveum
> 
> -----Original Message-----
> From: midPoint midpoint-bounces at lists.evolveum.com On Behalf Of Markus Calmius via midPoint
> 
> Sent: Thursday 16 May 2024 16:44
> To: midpoint at lists.evolveum.com
> Cc: Markus Calmius markus.calmius at proton.ch
> 
> Subject: Re: [midPoint] oidc + infrastructure url problem
> 
> 
> Hi,
> 
> I realised something when I tried to write a problem description for another person.
> 
> It actually has nothing to do with OIDC. I can reproduce the problem using the default security policy / username/password login.
> 
> The problem description is the same:
> Not setting a Public URL = everything works
> Setting it = only works when going to <hostname>/midpoint/
> 
> 
> What exactly does midPoint reply with when using the public URL pattern?
> 
> 
> Markus
> 
> On Thursday, 16 May 2024 at 12:00, midpoint-request at lists.evolveum.com midpoint-request at lists.evolveum.com wrote:
> 
> > Message: 1
> > Date: Wed, 15 May 2024 13:46:10 +0000
> > From: Markus Calmius markus.calmius at proton.ch
> > 
> > To: midPoint General Discussion midpoint at lists.evolveum.com
> > 
> > Subject: [midPoint] oidc + infrastructure url problem
> > 
> > Hi,
> > 
> > I have a weird problem that I do not quite know how to solve/troubleshoot.
> > 
> > If I do not set the <publicHttpUrlPattern>, everything works fine.
> > 
> > I can go to https://<hostname> or https://<hostname>/midpoint or https://<hostname>/midpoint/ and I will be redirected to our Keycloak instance to log in.
> > 
> > All good.
> > Now, if I do configure the <publicHttpUrlPattern> (which I need to be able to use links in email notifications), I can only go to https://<hostname>/midpoint/
> > 
> > That is, if I remove the trailing / or omit the /midpoint/, it fails and I see this in the log:
> > 
> > > ERROR (org.apache.coyote.http11.Http11Processor): Error processing request
> > > 
> > > java.lang.IllegalStateException: No current ServletRequestAttributes
> > 
> > It is the same error as if I went to any other URL that does not exist.
> > 
> > Any ideas what could cause this?
> > 
> > Thanks,
> > Markus
> > ------------------------------
> > 
> > Message: 2
> > Date: Thu, 16 May 2024 11:46:29 +0200
> > From: Lukas Skublik lukas.skublik at evolveum.com
> > 
> > To: midpoint at lists.evolveum.com
> > Subject: [midPoint] Introduction to Flexible Authentication Webinar
> > Happening Today
> > 
> > Dear midPoint community,
> > 
> > I would like to invite you to today's live webinar "Introduction to Flexible Authentication", where you will learn about flexible authentication and its basic configuration components.
> > 
> > I will introduce you to the principles of the authentication sequence created by authentication modules, from a simple authentication flow with a single authentication module to an advanced flow created by required, sufficient, and optional modules.
> > 
> > The webinar starts at 2 PM CEST (8 AM EDT / 9 PM JST).
> > 
> > Zoom link: https://us02web.zoom.us/j/89354128730?pwd=NEtCMlRnc0NZUHAyZWtlZEEzTE50UT09
> > Meeting ID: 893 5412 8730
> > Passcode: 723687
> > 
> > Looking forward to seeing you today!
> > --
> > 
> > Lukas Skublik
> > Java developer, Evolveum
> > 
> 
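The checks Martin lists (no trailing slash on <publicHttpUrlPattern>, a parseable hostname, and a path that matches the embedded Tomcat context path) and the redirect behaviour he describes, written up as a small pre-deployment check. This is an added example, not midPoint code; the function names and the default context path /midpoint are assumptions based on the thread.

```python
"""Sanity checks for a midPoint <publicHttpUrlPattern> value.

Added example (not part of midPoint). It encodes the rules given in the
thread: the pattern must not end with "/", its hostname must parse, and
its path must equal server.servlet.context-path (default: /midpoint).
"""
from urllib.parse import urlsplit


def check_public_http_url_pattern(pattern: str, context_path: str = "/midpoint") -> list[str]:
    """Return the problems found in `pattern`; an empty list means it looks fine."""
    problems: list[str] = []
    # Rule from the thread: the pattern must not end with a slash.
    if pattern.endswith("/"):
        problems.append("pattern must not end with '/'")
    parts = urlsplit(pattern)
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    # The thread suspects a hostname parsing failure; catch an empty/absent host early.
    if not parts.hostname:
        problems.append("hostname could not be parsed")
    # If the local part was changed (e.g. /test-midpoint), Tomcat's context path must match.
    if parts.path.rstrip("/") != context_path.rstrip("/"):
        problems.append(f"path {parts.path!r} does not match context path {context_path!r}")
    return problems


def login_redirect_target(pattern: str) -> str:
    """Absolute redirect target midPoint builds when the pattern is set:
    the parameter's content with a trailing slash added (per the thread).
    A pattern that already ends with '/' therefore yields a '//' path."""
    return pattern + "/"


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for candidate in ("https://idm.example.org/midpoint",
                      "https://idm.example.org/midpoint/",
                      "https://idm.example.org/test-midpoint"):
        print(candidate, "->", check_public_http_url_pattern(candidate) or "ok")
        print("  redirect target:", login_redirect_target(candidate))
```

Run it with the deployment's actual pattern and context path before enabling the setting; a non-empty list points at the configuration mismatch rather than at the proxy.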