CMDBuild Forum

Google OAuth 2 Activate in Authentication

Hi,

Has anyone successfully activated Google's OAuth2 in the authentication configuration?

I'm having trouble inputting values for the OAuth2 parameters.


The parameters didn't return any changes when I clicked on Login with OAuth2.

This is probably late. You need to set the OAuth protocol field. The possible values are: OP_MSAZUREOAUTH2, OP_KEYCLOAK, OP_GOOGLE, OP_CUSTOM

So in your case, you need to set it to OP_GOOGLE. I did not test it, but you can try this.

./cmdbuild.sh restws setconfig org.cmdbuild.auth.module.oauth.protocol OP_GOOGLE

Thank you so much. Yes, there's an improvement after applying the OP_GOOGLE protocol, as I was able to see Google's login form.

The next problem is that, after logging in with (or choosing) the Google account that has permission, it doesn't log me in to CMDBuild. It keeps redirecting me to the CMDBuild login page.

Hi @bugoy, did you resolve the redirection to the login page after authentication? I'm facing the same issue, but with Keycloak. The login flow works, but I end up on the login page again. Looks like an authorization problem.

Hi Roger,

I'm still waiting for any clues. For now I disabled OAuth until I get a solution to make CMDBuild work with Google OAuth2.

I have seen a thread where they were able to get OAuth working through Keycloak. Maybe you can check that one.

I made CMDBuild work with Keycloak for SSO. Below is a snippet from the bash script used to configure OIDC. Sample values are at the end of the snippet. Hope this helps.

# Authentication module names to enable 
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.modules default,oauth

# OAuth client id 
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.clientId cmdb

# OAuth client secret 
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.clientSecret {{ cmdb_client_secret_oauth_test }}

# OAuth login type matching (username or email), defaultValue=auto
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.login.type email 

# OAuth login attribute to be matched with cmdbuild users. Possible values: email or username
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.login.attr email

# OAuth protocol (possible values: OP_MSAZUREOAUTH2, OP_KEYCLOAK, OP_GOOGLE, OP_CUSTOM) 
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.protocol OP_KEYCLOAK

# OAuth local url accepted from the provider
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.redirectUrl  "{{ redirect_url }}"

# OAuth service URL
{{ cmdb_script }} restws setconfig org.cmdbuild.auth.module.oauth.serviceUrl "{{ oauth_service_url }}"

# Reload the configuration
{{ cmdb_script }} restws reloadconfig

##### sample values 
#cmdb_script: /opt/tomcat/webapps/cmdbuild/cmdbuild.sh
#oauth_config_script: /opt/config_oauth.sh
#redirect_url: https://cmdbapp.mydomain.com/cmdbuild/ui/
#oauth_service_url: https://accounts.mydomain.com/auth/realms/mydomain/protocol/openid-connect/
#oauth_client_id: cmdb

Hi All,

I'm also having issues with this configuration. @rakeshuk, can you explain how you set up the client (cmdb) in Keycloak?

Thanks!

The fields coming back from Google don't include 'username' or 'email' values - so neither of these suggested values works for org.cmdbuild.auth.module.oauth.login.attr

I had success with the OAuth authentication to Google by using the "sub" field that comes back - and creating a user account with a username that matched the Google "sub" value.

==
I changed the logging level to debug:
Administration Module → Server Management → Logs management
change org.cmdbuild.auth to Debug

This caused the sent and received values for the OAuth transaction to show up in cmdbuild.log.

“openmaint.in” is an entry in my local hosts file - it redirects to a local IP on my LAN.
Google insisted on a valid TLD being part of their “Authorized redirect URIs”.

2024-10-04T22:46:57.509-06:00 [req:11km25] DEBUG o.c.auth.utils.RequestAuthUtils - state info = 

                refererFragment                                                       (String) = login
                requestUrl                                                            (String) = http://openmaint.in:8080/cmdbuild/ui/
                requestUrlWithFragment                                                (String) = http://openmaint.in:8080/cmdbuild/ui/#login

2024-10-04T22:46:57.536-06:00 [req:11km25] DEBUG o.c.a.login.oauth.OauthAuthenticator - execute oauth token request =< POST https://oauth2.googleapis.com/token HTTP/1.1 > with payload =

                client_id                                                      (String) = 1541<cut>0na65.apps.googleusercontent.com
                client_secret                                                  (String) = GO<cut>O5
                code                                                           (String) = 4/0AVG7fi<cut>6ZzxIA
                grant_type                                                     (String) = authorization_code
                redirect_uri                                                   (String) = http://openmaint.in:8080/cmdbuild/ui/
                scope                                                          (String) = openid

2024-10-04T22:46:57.665-06:00 [req:11km25] DEBUG o.c.a.login.oauth.OauthAuthenticator - received oauth token response = 

                access_token                                                   (String) = ya2<cut>P245jRCjoVq2drjBxrOv_59A5>
                expires_in                                                     (String) = 3599
                id_token                                                       (String) = eyJhbG<cut>Jpc3MiOiJodHRwczovL2FjY291bnR>
                scope                                                          (String) = openid
                token_type                                                     (String) = Bearer

2024-10-04T22:46:57.667-06:00 [req:11km25] DEBUG o.c.a.login.oauth.OauthAuthenticator - received oauth jwt id token info = 

                at_hash                                                        (String) = z4qeIhVuhSEbwWA8PoBwgA
                aud                                                            (String) = 1541<cut>na65.apps.googleusercontent.com
                azp                                                            (String) = 1541<cut>na65.apps.googleusercontent.com
                exp                                                              (Void) = null
                iat                                                              (Void) = null
                iss                                                            (String) = https://accounts.google.com
                sub                                                            (String) = 1<cut>2

2024-10-04T22:46:57.668-06:00 [req:11km25] ERROR o.c.w.security.SessionTokenFilter - request auth error
org.cmdbuild.auth.login.AuthenticationException: unable to authenticate oauth request
...
Caused by: java.lang.NullPointerException: missing oauth login value for attr =< email >

There is no "email" or "username" field returned in this exchange - or at least none shows up in this debug log.

org.cmdbuild.auth.module.oauth.login.attr=email
My configuration parameter “email” had nothing to match with.
“username” did the same thing when I tried that.

I looked through what was returned and decided to try the 'sub' (I think this is a Google account subscriber number - it stayed the same across multiple authentications with the same account, but I also only tried one account):

./cmdbuild.sh restws setconfig org.cmdbuild.auth.module.oauth.login.attr sub

which resulted in a different error message:

2024-10-04T22:56:20.169-06:00 [req:hdpfzr] ERROR o.c.w.security.SessionTokenFilter - request auth error
java.lang.RuntimeException: CM: Utente non abilitato
...
Caused by: java.lang.NullPointerException: user not found for identity = Login{value=<1<cut>2>, type=auto}

The "user not found" value matched the "sub" value from above.
I created a user with a username matching this value, added it to a valid user group, and the OAuth authentication worked for it.

It's not great, because your user account usernames need to be the Google account ID of the user you want to log in.

Relevant non-default configuration:

./cmdbuild.sh restws getconfigs
|org.cmdbuild.auth.module.oauth.clientSecret                           |GO<cut>O5|
|org.cmdbuild.auth.module.oauth.protocol                               |OP_GOOGLE|
|org.cmdbuild.auth.module.oauth.clientId                               |1541<cut>na65.apps.googleusercontent.com|
|org.cmdbuild.auth.module.oauth.login.attr                             |sub|
|org.cmdbuild.auth.modules                                             |default,oauth|
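Added illustration (not CMDBuild code) of the point the debug log above makes: the configured login.attr has to name a claim that is actually present in Google's id token, and the value found is then matched against CMDBuild usernames, which is why a user named after the sub value works while email fails. Claims, client id, user table and the unsigned demo token are constructed placeholders.

```python
import base64
import json
# Constructed claims shaped like the "received oauth jwt id token info" log entry
# above: with scope=openid Google returns iss/aud/sub but no email or username claim.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "sub": "100000000000000000001",
}
# Constructed stand-in for the CMDBuild user table, keyed by username. The second
# entry is the post's workaround: a username equal to Google's sub value.
USERS = {
    "admin": {"groups": ["SuperUser"]},
    "100000000000000000001": {"groups": ["GoogleUsers"]},
}

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
# Demo-only unsigned token (alg none). Real Google id_tokens are RS256-signed and
# must be verified against Google's JWKS before any claim is trusted.
SAMPLE_ID_TOKEN = f"{_b64url({'alg': 'none'})}.{_b64url(SAMPLE_CLAIMS)}."

def payload_claims(id_token: str) -> dict:
    # Decode the middle (payload) segment of header.payload.signature.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def resolve_login_value(claims: dict, login_attr: str) -> str:
    # The step that failed with login.attr=email: the attribute must be a present claim.
    value = claims.get(login_attr)
    if value is None:
        raise LookupError(f"missing oauth login value for attr =< {login_attr} >")
    return str(value)

def find_user(login_value: str) -> dict:
    # Match against usernames; mirrors the "user not found for identity" error.
    user = USERS.get(login_value)
    if user is None:
        raise LookupError(f"user not found for identity = Login{{value=<{login_value}>, type=auto}}")
    return user

def login(id_token: str, login_attr: str, client_id: str) -> dict:
    claims = payload_claims(id_token)
    # Reject tokens from another issuer or issued to a different client id.
    if claims.get("iss") != "https://accounts.google.com" or claims.get("aud") != client_id:
        raise PermissionError("id token issuer/audience mismatch")
    return find_user(resolve_login_value(claims, login_attr))
```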

Great find @va6djh, I confirm that your finding is correct. [sub]
I was able to simulate it and it does work.
Hopefully the email/username value for o.c.m.a.module.login.attr will be fixed soon.

To update you all: I figured it out, and it's now working using Google OAuth 2.0 through the email address.

Now figuring out how it'll work using the username only (not username@email.com).

Thank you all for your contribution.