Skip to content

FIX: Korifi with experimental UAA support and integration with Github #4

New issue
New issue
Open
Open
FIX: Korifi with experimental UAA support and integration with Github#4
Labels
bugSomething isn't working
@pacphi

Description

@pacphi
pacphi
opened on Feb 27, 2025

Have tried every combination "under the sun" in the oauth.client, oauth.clients, and login.oauth.providers stanzas of configuration for UAA. While I have managed to facilitate integration with a Github OAuth app, I cannot complete a successful authentication request.

An exception from the UAA pod UAA container log look like:

[CONTAINER] brave.Tracer                                       INFO    {"traceId":"d0556422e7ddf4e4","id":"d0556422e7ddf4e4","kind":"SERVER","name":"GET","timestamp":1740667825211473,"duration":185086,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55964},"tags":{"http.method":"GET","http.path":"/","http.status_code":"302"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"524dddbf43e4706f","id":"524dddbf43e4706f","kind":"SERVER","name":"GET","timestamp":1740667825432476,"duration":7795427,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55964},"tags":{"http.method":"GET","http.path":"/login"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"a3915c3fc3d26277","id":"a3915c3fc3d26277","kind":"SERVER","name":"GET","timestamp":1740667833324383,"duration":201946,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55964},"tags":{"http.method":"GET","http.path":"/vendor/font-awesome/css/font-awesome.min.css"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"18a15fb934fc74fc","id":"18a15fb934fc74fc","kind":"SERVER","name":"GET","timestamp":1740667833324382,"duration":201955,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55966},"tags":{"http.method":"GET","http.path":"/resources/oss/stylesheets/application.css"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"520d20a218131b6d","id":"520d20a218131b6d","kind":"SERVER","name":"GET","timestamp":1740667833324383,"duration":201946,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55980},"tags":{"http.method":"GET","http.path":"/resources/javascripts/last_login_time.js"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"6cdf6376ab025850","id":"6cdf6376ab025850","kind":"SERVER","name":"GET","timestamp":1740667833596308,"duration":129306,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55964},"tags":{"http.method":"GET","http.path":"/resources/font/sourcesanspro_light.woff2"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"cd404c4902efef3c","id":"cd404c4902efef3c","kind":"SERVER","name":"GET","timestamp":1740667833624119,"duration":199933,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55988},"tags":{"http.method":"GET","http.path":"/resources/font/sourcesanspro_bold.woff2"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"d02c31f42e0ab3cf","id":"d02c31f42e0ab3cf","kind":"SERVER","name":"GET","timestamp":1740667833624118,"duration":199957,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55966},"tags":{"http.method":"GET","http.path":"/resources/font/sourcesanspro_regular.woff2"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"0ddb0eb23df891ae","id":"0ddb0eb23df891ae","kind":"SERVER","name":"GET","timestamp":1740667833561058,"duration":265239,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55980},"tags":{"http.method":"GET","http.path":"/resources/oss/images/product-logo.png"}}
[CONTAINER] brave.Tracer                                       INFO    {"traceId":"dc621dffaa93a390","id":"dc621dffaa93a390","kind":"SERVER","name":"GET","timestamp":1740667833924292,"duration":104944,"localEndpoint":{"serviceName":"uaa","ipv4":"10.244.0.31"},"remoteEndpoint":{"ipv4":"172.18.0.1","port":55980},"tags":{"http.method":"GET","http.path":"/resources/oss/images/square-logo.png"}}
[UAA_AUDIT] [2025-02-27T14:54:04.546328Z] uaa - 1 [http-nio-8080-exec-17] ....  INFO --- Audit: UserCreatedEvent ('["user_id=1a235b4a-c9c0-49b4-9906-eae0fb2de465","username=pacphi"]'): principal=1a235b4a-c9c0-49b4-9906-eae0fb2de465, origin=[caller=null], identityZoneId=[uaa]
[UAA] [2025-02-27T14:54:04.546328Z] uaa - 1 [http-nio-8080-exec-17] ....  INFO --- Audit: UserCreatedEvent ('["user_id=1a235b4a-c9c0-49b4-9906-eae0fb2de465","username=pacphi"]'): principal=1a235b4a-c9c0-49b4-9906-eae0fb2de465, origin=[caller=null], identityZoneId=[uaa]
[UAA] [2025-02-27T14:54:04.733226Z] uaa - 1 [http-nio-8080-exec-17] .... ERROR --- ExternalOAuthAuthenticationFilter: ExternalOAuth Authentication exception
org.cloudfoundry.identity.uaa.oauth.common.exceptions.InvalidTokenException: Invalid token
	at org.cloudfoundry.identity.uaa.oauth.jwt.JwtImpl.<init>(JwtHelper.java:189) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper.decode(JwtHelper.java:61) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.parseClaimsFromIdTokenString(ExternalOAuthAuthenticationManager.java:187) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.isRegisteredIdpAuthentication(ExternalOAuthAuthenticationManager.java:511) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.userAuthenticated(ExternalOAuthAuthenticationManager.java:484) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.authentication.manager.ExternalLoginAuthenticationManager.authenticate(ExternalLoginAuthenticationManager.java:151) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationFilter.authenticationWasSuccessful(ExternalOAuthAuthenticationFilter.java:111) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationFilter.doFilter(ExternalOAuthAuthenticationFilter.java:65) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter.doFilterInternal(Saml2WebSsoAuthenticationRequestFilter.java:187) ~[spring-security-saml2-service-provider-5.8.16.jar:5.8.16]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter.doFilterInternal(DisableIdTokenResponseTypeFilter.java:93) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.security.web.CorsFilter.doFilterInternal(CorsFilter.java:133) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.zone.IdentityZoneResolvingFilter.doFilterInternal(IdentityZoneResolvingFilter.java:81) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.web.LimitedModeUaaFilter.doFilterInternal(LimitedModeUaaFilter.java:71) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.authentication.UTF8ConversionFilter.validateParamsAndContinue(UTF8ConversionFilter.java:69) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.authentication.UTF8ConversionFilter.doFilter(UTF8ConversionFilter.java:53) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.security.web.ContentSecurityPolicyFilter.doFilterInternal(ContentSecurityPolicyFilter.java:33) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.web.HeaderFilter.doFilter(HeaderFilter.java:52) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.metrics.UaaMetricsFilter.doFilterInternal(UaaMetricsFilter.java:85) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at brave.servlet.TracingFilter.doFilter(TracingFilter.java:80) ~[brave-instrumentation-servlet-6.0.3.jar:?]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$UaaLoggingFilter.doFilter(SecurityFilterChainPostProcessor.java:258) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$HttpsEnforcementFilter.doFilter(SecurityFilterChainPostProcessor.java:201) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190) ~[spring-security-web-5.8.16.jar:5.8.16]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.39.jar:5.3.39]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:169) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.88]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:169) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.88]
	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:142) ~[spring-session-core-2.7.4.jar:2.7.4]
	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-2.7.4.jar:2.7.4]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.39.jar:5.3.39]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.39.jar:5.3.39]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:169) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.88]
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:169) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.88]
	at org.cloudfoundry.identity.uaa.ratelimiting.RateLimitingFilter$WithLimitingFilter.doFilter(RateLimitingFilter.java:124) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at org.cloudfoundry.identity.uaa.ratelimiting.RateLimitingFilter.doFilter(RateLimitingFilter.java:75) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:53) ~[servlet-api.jar:4.0.FR]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:169) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:9.0.88]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[catalina.jar:9.0.88]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:9.0.88]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.88]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670) ~[catalina.jar:9.0.88]
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:761) ~[catalina.jar:9.0.88]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[catalina.jar:9.0.88]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat-coyote.jar:9.0.88]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:9.0.88]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928) ~[tomcat-coyote.jar:9.0.88]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786) ~[tomcat-coyote.jar:9.0.88]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:9.0.88]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:9.0.88]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:9.0.88]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-util.jar:9.0.88]
	at java.lang.Thread.run(Unknown Source) ~[?:?]
Caused by: java.text.ParseException: Invalid JWT serialization: Missing dot delimiter(s)
	at com.nimbusds.jwt.JWTParser.parse(JWTParser.java:60) ~[nimbus-jose-jwt-10.0.1.jar:10.0.1]
	at org.cloudfoundry.identity.uaa.oauth.jwt.JwtImpl.<init>(JwtHelper.java:185) ~[cloudfoundry-identity-server-77.25.0.jar:?]
	... 97 more

It's that Jwt parse exception that has me puzzled.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions