
OIDC Issues #233

Open
joeftiger opened this issue Mar 18, 2025 · 1 comment

Comments

@joeftiger

Hello

I am using Keycloak with MISP and have multiple issues regarding the OIDC configuration.
My MISP instance is configured with the following environment variables:

```yaml
services:
  misp-core:
    environment:
      - OIDC_ENABLE=true
      - OIDC_PROVIDER_URL=https://auth.misp-poc.ch/realms/foo/.well-known/openid-configuration
      - OIDC_CLIENT_ID=foo
      - OIDC_CLIENT_SECRET=kvVqn...TE28trv
      - OIDC_AUTHENTICATION_METHOD=client_secret_jwt
      - OIDC_CODE_CHALLENGE_METHOD=S256
      - OIDC_OFFLINE_ACCESS=true
      - OIDC_CHECK_USER_VALIDITY=600
      - OIDC_ROLES_PROPERTY=roles
      - OIDC_ROLES_MAPPING='{"misp-admin-access":1,"misp-org-admin-access":2,"misp-sync-access":5,"misp-publisher-access":4,"misp-api-access":"User with API access","misp-access":3}'
      - OIDC_DEFAULT_ORG=Foo
      - OIDC_LOGOUT_URL=https://auth.misp-poc.ch/realms/foo/protocol/openid-connect/logout
      - OIDC_SCOPES='["profile", "email"]'
      # ...
```

1st issue

During the initial OIDC configuration, the line at configure_misp.sh#L117 creates a URL like the following:

```text
https://.../logout&post_logout_redirect_uri=https://...
                  ^
```

This fails with a 404 error. Explicitly re-writing the `post_logout_redirect_uri` value as an encoded URL does not help either.
With my current understanding of the OIDC spec, it should generate a `?` instead of `&`, no?

This currently still fails for Keycloak, as it hard-requires the `id_token_hint` to be passed as well, even though it is only "recommended" as per the OIDC spec.

2nd issue

Passing `OIDC_SCOPES='["profile", "email"]'` as an env variable leads to parsing errors in the startup log:

```text
MISP | Set Up OIDC ...
Provided new config is not array, `NULL` given.
parse error: Invalid numeric literal at line 1, column 2
... OIDC authentication enabled
```

I have tried the code from [configure_misp.sh#L104-L113](https://github.com/MISP/misp-docker/blob/master/core/files/configure_misp.sh#L104-L113) in my terminal, and the `if` worked fine there:

```bash
FOO='["profile", "email"]'; if [[ "$(echo "$FOO" | jq type -r)" == "array" ]]; then echo true; else echo false; fi
```

Is there an issue with how the env variables are passed from the compose.yaml to MISP? Or is the issue in the script?

@ostefano
Collaborator

Try `OIDC_SCOPES="[\"profile\", \"email\"]"` instead.

For issue 1, I would agree. I would open a MISP bug for that.
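The two checks discussed in this thread, as an added Python example (not misp-docker's own code, which does the scope check with `jq`): it models why a list-form compose entry whose value still carries its single quotes is not valid JSON, and how an end-session URL should be built with `?` as the first separator, a percent-encoded `post_logout_redirect_uri`, and an optional `id_token_hint` for providers such as Keycloak that require it. Host names and the token value are constructed placeholders.

```python
"""Added example: JSON-array check for OIDC_SCOPES and end-session URL construction."""
import json
from urllib.parse import urlencode, urlsplit


def scopes_are_json_array(raw):
    """Mirror of the script's `jq type == "array"` test, done with json.loads.

    A value that reaches the process with literal quote characters around it
    (as a compose list-form entry delivers it) is a parse error for jq and for
    json.loads alike, so the check must report False rather than crash.
    """
    try:
        return isinstance(json.loads(raw), list)
    except json.JSONDecodeError:
        return False


def build_logout_url(end_session_url, post_logout_redirect_uri, id_token_hint=None):
    """Append end-session parameters to the provider's logout endpoint.

    The first parameter is joined with `?` unless the endpoint already carries a
    query string, in which case `&` is correct. Values are percent-encoded, so a
    redirect URI containing `://` and `/` survives intact.
    """
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    separator = "&" if urlsplit(end_session_url).query else "?"
    return f"{end_session_url}{separator}{urlencode(params)}"


# Constructed sample values, exactly as the process would receive them.
LITERAL_QUOTES = "'[\"profile\", \"email\"]'"  # quotes kept by the YAML plain scalar
PLAIN_JSON = '["profile", "email"]'            # what the jq check expects
LOGOUT_ENDPOINT = "https://auth.example.test/realms/foo/protocol/openid-connect/logout"
RETURN_TO = "https://misp.example.test/users/login"

if __name__ == "__main__":
    print(scopes_are_json_array(LITERAL_QUOTES))  # False
    print(scopes_are_json_array(PLAIN_JSON))      # True
    print(build_logout_url(LOGOUT_ENDPOINT, RETURN_TO, id_token_hint="ID_TOKEN_PLACEHOLDER"))
```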
