    • #15740
      Frank PTB
      Participant

        Hello forum,

        I am setting up OpenID Connect in OTOBO for the customer portal against an (internal) IdP.

        I followed the example from Defaults.pm and carried it over to Config.pm.

        How can I write the entire authentication traffic to a log?

        With the setting

        $Self->{'Customer::AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;

        I get the GET entries in other_vhosts_access.log, but no other entries, i.e. not the responses from the IdP.

        As the response from the IdP to OTOBO I get the message "Request-URI Too Long
        The requested URL's length exceeds the capacity limit for this server."

        My configuration looks like this:

        # This is an example configuration for authorization via OpenIDConnect
        # see https://openid.net/specs/openid-connect-core-1_0.html
        $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::OpenIDConnect';
        # Define the authentication flow, currently supported are the authorization code flow...
        $Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'code' ];
        # ...and the implicit flow (choose one - currently no hybrid flow is implemented)
        # $Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'id_token' ];
        # Define the additional scope (openid is added automatically and does not need to be
        # defined here). Make sure to add everything you want to interpret later.
        # $Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [
        #     qw/profile email/
        # ];
        # Set the ClientID and Redirect URI exactly as defined on the authorization server
        # for the latter the Action must be "Login"
        $Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
            ClientID    => 'https://xxxx/',
            RedirectURI => 'https://xxxx/otobo/customer.pl?Action=Login',
        };
        # For the authorization code flow the client secret has to be provided
        $Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings}{ClientSecret} = 'xxxx';
        # Provide the URL of the well-known openid-configuration of the OpenID provider
        $Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
            OpenIDConfiguration => 'https://xxx.de/.well-known/openid-configuration',
            # TTL  => 60 * 30,   # optional: time period the extracted openid-configuration is cached
            # Name => 'Intern4', # optional: necessary only if one needs to differentiate between User and CustomerUser configuration e.g.
            # SSLOptions => {    # if special ssl options are needed; SSLVerifyHostname => 0 is also possible but should only be used for testing purposes
            #     SSLCertificate => 'SSL_cert_file', # client certificate
            #     SSLKey         => 'SSL_key_file',  # client cert key
            #     SSLPassword    => 'SSL_passwd_cb', # password for client cert key
            #     SSLCAFile      => 'SSL_ca_file',   # CA certificate
            #     SSLCADir       => 'SSL_ca_path',   # CA cert directory
            # },
        };
        # Set the token claim to be used as identifier
        $Self->{'Customer::AuthModule::OpenIDConnect::UID'} = 'sub';
        # Some optional additional settings
        $Self->{'Customer::AuthModule::OpenIDConnect::Config'}{Misc} = {
            UseNonce   => 1,      # add a nonce to request and token (this is primarily important for the implicit flow where it is enabled by default)
            RandLength => 22,     # length for state and nonce random strings - default: 22
            RandTTL    => 60 * 5, # valid time period for state and nonce (roughly the time a user can take to authenticate) - default: 300 s
        };
        # Optionally enable user authorization via the id token - hashes can be used for complex claims
        # $Self->{'AuthModule::OpenIDConnect::RoleMap'} = {
        #     TokenAttribute => {
        #         TokenRole1 => 'OTOBORole1',
        #         TokenRole2 => 'OTOBORole2',
        #     },
        #     TokenAttribute2 => {
        #         abc123 => {
        #             TokenRole1 => 'OTOBORole1',
        #             TokenRole3 => 'OTOBORole3',
        #         }
        #     },
        # };
        # Optionally enable user creation - this currently does not support complex claims; email is mandatory
        # $Self->{'AuthModule::OpenIDConnect::UserMap'} = {
        #     email       => 'UserEmail',
        #     given_name  => 'UserFirstname',
        #     family_name => 'UserLastname',
        # };
        # For debugging purposes and to help with building the RoleMap e.g. you can dump all IDTokens received to the log
        $Self->{'Customer::AuthModule::OpenIDConnect::Debug'}->{'code'} = 1;

        Kind regards

        Scout1971
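As an added example (not OTOBO's code and not from the post), here is a small Python model of what the Misc settings above configure: state and nonce strings of RandLength 22 characters, a RandTTL of 300 s, single-use state, and a nonce check against the received id_token, for either ResponseType. The endpoint and client values are constructed placeholders.

```python
import secrets
import time
from urllib.parse import urlencode, parse_qs, urlsplit

RAND_LENGTH = 22    # Misc RandLength from the post
RAND_TTL = 60 * 5   # Misc RandTTL from the post (seconds)
# Constructed placeholders; OTOBO takes the endpoint from the openid-configuration and the client values from ClientSettings.
AUTH_ENDPOINT = "https://idp.example.test/authorize"
CLIENT_ID = "https://otobo.example.test/"
REDIRECT_URI = "https://otobo.example.test/otobo/customer.pl?Action=Login"
_pending = {}  # state -> (nonce, issued_at); OTOBO keeps this server-side

def _rand(n=RAND_LENGTH):
    """Random URL-safe string of exactly n characters (used for state and nonce)."""
    return secrets.token_urlsafe(n)[:n]

def build_auth_request(response_type="code", scope=(), use_nonce=True, now=None):
    """Return (authorization URL, state) for ResponseType 'code' or 'id_token'."""
    now = time.time() if now is None else now
    state = _rand()
    # UseNonce => 1 adds a nonce to the code flow; the implicit flow always needs one.
    nonce = _rand() if (use_nonce or response_type == "id_token") else None
    _pending[state] = (nonce, now)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(("openid",) + tuple(scope)),  # openid is always present
        "state": state,
    }
    if nonce is not None:
        params["nonce"] = nonce
    return AUTH_ENDPOINT + "?" + urlencode(params), state

def check_callback(url, now=None):
    """Validate the redirect back to RedirectURI; returns (ok, reason, nonce)."""
    now = time.time() if now is None else now
    q = parse_qs(urlsplit(url).query)
    entry = _pending.pop(q.get("state", [None])[0], None)  # single use: a replayed state is rejected
    if entry is None:
        return False, "unknown or reused state", None
    nonce, issued = entry
    if now - issued > RAND_TTL:
        return False, "state expired", None
    return True, "ok", nonce

def check_id_token_nonce(claims, expected_nonce):
    """The id_token's nonce claim must equal the nonce stored with the state."""
    return expected_nonce is not None and secrets.compare_digest(claims.get("nonce", ""), expected_nonce)
```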

      • #15743
        Frank PTB
        Participant

          Hello forum,

          after switching from 'code' to 'id_token', the login with our IdP works.

          Unfortunately, on logout an error message comes back from the IdP.

          My question:

          Where can I set parameters for '…Customer.pl?Action=Logout'?

          Kind regards

          Scout1971
