Bug 2111388
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | authenticating against external IdP services okta (native app) with OAuth client secret failed | | |
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Filip Dvorak <fdvorak> |
| Component: | sssd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | Filip Dvorak <fdvorak> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.1 | CC: | abokovoy, aboscatt, atikhono, fhanzelk, frenaud, lmcgarry, mpolovka, pasik, pbrezina, rcritten, sbose, tscherf |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-2.8.1-1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | See comment 8 | Story Points: | --- |
| Clone Of: | | Environment: | |
| | 2111393 2152884 (view as bug list) | | |
| Last Closed: | 2023-05-09 08:19:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2111393, 2152884 | | |
Created attachment 1899589 [details]
logs with and without secret with idp okta

Description of problem:
Authentication against external provider Okta failed when the OAuth client secret was used (ipa idp-add --secret)

Version-Release number of selected component (if applicable):
RHEL-9.1.0-20220721.1
krb5-server-1.19.1-22.el9.x86_64
ipa-server-4.10.0-3.el9.x86_64
libverto-0.3.2-3.el9.x86_64
sssd-idp-2.7.3-1.el9.x86_64

Steps to Reproduce:
1. configuration of ipa-server:

```
hostnamectl set-hostname master1.testrelm.test
dnf install -y ipa-server-dns
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation
```

add user for okta idp

```
echo Secret123 | kinit admin
ipa idp-add oktatest --client-id=<client_id> --provider=okta --base-url=trial-8739330.okta.com --secret
ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="fdvorak" --idp=oktatest
```

Note: client ID and client secret are from okta web application

The okta native application has the following settings:
- Client authentication: Client secret
- Application type: Native
- Grant type: Authorization Code, Interaction Code, Device authorization
- Immediate app access with Federation Broker Mode: Enabled

2. kinit -n -c ./ccache

Actual results:

```
# kinit -T ./ccache oktausertest
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
```

Expected results:
"kinit -T <ccache> oktausertest" should pass

Additional info:
The same scenario without secret (Client authentication: none in okta native application) works. Logs were attached.

It looks to me like https://github.com/SSSD/sssd/issues/6146, where if a client secret is defined, the SSSD helper does not submit it to the IdP and fails. Moving to SSSD.

Upstream PR: https://github.com/SSSD/sssd/pull/6311

Pushed PR: https://github.com/SSSD/sssd/pull/6311

* `master`
  * 1a475e0c537c905c80406ceb88c7b34e6400bc40 - oidc_child: add --client-secret-stdin option
  * 5ed7670766483040211713f8182510775c76b962 - oidc_child: increase wait interval by 5s if 'slow_down' is returned
  * a4d4617efeff871c5d2762e35f9dec57fa24fb1a - oidc_child: use client secret if available to get device code
  * 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb - oidc_child: escape scopes

Pre-verified using sssd-2.8.1-1.el9.x86_64

Steps:
setup okta account with https://trial-9331781.okta.com
setup okta application with:
- Client authentication: Client secret
- Application type: Native
- Grant type: Authorization Code, Interaction Code, Device authorization
- Immediate app access with Federation Broker Mode: Enabled

```
# hostnamectl set-hostname master1.testrelm.test
# ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation
# echo Secret123 | kinit admin
# ipa idp-add oktatest --client-id=<very secret client id> --provider=okta --base-url=trial-9331781.okta.com --secret
Enter Secret again to verify:
-----------------------------------------
Added Identity Provider server "oktatest"
-----------------------------------------
  Identity Provider server name: oktatest
  Authorization URI: https://trial-9331781.okta.com/oauth2/v1/authorize
  Device authorization URI: https://trial-9331781.okta.com/oauth2/v1/device/authorize
  Token URI: https://trial-9331781.okta.com/oauth2/v1/token
  User info URI: https://trial-9331781.okta.com/oauth2/v1/userinfo
  Client identifier: nope
  Secret: neither
  Scope: openid email
  External IdP user identifier attribute: email
# ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="mpolovka" --idp=oktatest
-------------------------
Added user "oktausertest"
-------------------------
  User login: oktausertest
  First name: okta
  Last name: userokta
  Full name: okta userokta
  Display name: okta userokta
  Initials: ou
  Home directory: /home/oktausertest
  GECOS: okta userokta
  Login shell: /bin/sh
  Principal name: oktausertest
  Principal alias: oktausertest
  Email address: oktausertest
  UID: 1855200003
  GID: 1855200003
  User authentication types: idp
  External IdP configuration: oktatest
  External IdP user identifier: mpolovka
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# kinit -n -c ./ccache
# kinit -T ./ccache oktausertest
Authenticate at https://trial-9331781.okta.com/activate?user_code=WNPQVKRV and press ENTER.:
# klist
Ticket cache: KCM:0:12899
Default principal: oktausertest

Valid starting       Expires              Service principal
11/15/2022 10:31:34  11/16/2022 10:09:21  krbtgt/TESTRELM.TEST
```

Kinit passed, therefore marking as pre-verified - tested.

Verified using sssd-2.8.1-1.el9.x86_64

Steps:
setup okta account with https://trial-9331781.okta.com
setup okta application with:
- Client authentication: Client secret
- Application type: Native
- Grant type: Authorization Code, Interaction Code, Device authorization
- Immediate app access with Federation Broker Mode: Enabled

```
# hostnamectl set-hostname master1.testrelm.test
# ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation
# echo Secret123 | kinit admin
# ipa idp-add oktatest --client-id=<totally very secret client id> --provider=okta --base-url=trial-9331781.okta.com --secret
Secret:
Enter Secret again to verify:
-----------------------------------------
Added Identity Provider server "oktatest"
-----------------------------------------
  Identity Provider server name: oktatest
  Authorization URI: https://trial-9331781.okta.com/oauth2/v1/authorize
  Device authorization URI: https://trial-9331781.okta.com/oauth2/v1/device/authorize
  Token URI: https://trial-9331781.okta.com/oauth2/v1/token
  User info URI: https://trial-9331781.okta.com/oauth2/v1/userinfo
  Client identifier: super private, like totally
  Secret: I don't think so
  Scope: openid email
  External IdP user identifier attribute: email
# ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="mpolovka" --idp=oktatest
-------------------------
Added user "oktausertest"
-------------------------
  User login: oktausertest
  First name: okta
  Last name: userokta
  Full name: okta userokta
  Display name: okta userokta
  Initials: ou
  Home directory: /home/oktausertest
  GECOS: okta userokta
  Login shell: /bin/sh
  Principal name: oktausertest
  Principal alias: oktausertest
  Email address: oktausertest
  UID: 1355200003
  GID: 1355200003
  User authentication types: idp
  External IdP configuration: oktatest
  External IdP user identifier: mpolovka
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# kinit -n -c ./ccache
# kinit -T ./ccache oktausertest
Authenticate at https://trial-9331781.okta.com/activate?user_code=GBDZKCFG and press ENTER.:
# klist
Ticket cache: KCM:0:2693
Default principal: oktausertest

Valid starting       Expires              Service principal
11/24/2022 08:52:14  11/25/2022 08:20:41  krbtgt/TESTRELM.TEST
```

kinit works as expected, therefore marking as VERIFIED.

Automation not applicable due to the dependency on external provider.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2514
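The four commits pushed for this bug change how the device-authorization grant (RFC 8628) is driven for a confidential client: the client secret has to be sent to the device-authorization endpoint as well as the token endpoint, the space-separated scope list has to be URL-encoded, a `slow_down` error has to lengthen the polling interval by 5 seconds, and the secret should be read from stdin rather than passed on the command line (argv is readable by every local user through `/proc/<pid>/cmdline`). The following is an added example, not SSSD's `oidc_child` (which is C) and not Okta's code: a minimal Python client for that flow run against a constructed in-process stand-in for an Okta native app configured with "Client authentication: Client secret". The endpoint paths mirror the ones printed by `ipa idp-add` above; the base URL `https://idp.example`, the class `FakeOktaNativeApp`, the client id and secret, and the fake's response sequence (one `slow_down`, one `authorization_pending`, then a token) are assumptions made so the demo runs offline.

```python
"""RFC 8628 device-authorization grant with a confidential client (added example)."""
import io
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Transport abstraction: POST(url, form-encoded body) -> (HTTP status, JSON body).
Post = Callable[[str, str], Tuple[int, dict]]
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def read_secret(stream) -> str:
    """Read the client secret from a stream (stdin), the --client-secret-stdin idea:
    the secret never appears in argv, so it is not visible in /proc/<pid>/cmdline."""
    return stream.readline().rstrip("\r\n")


def build_device_request(client_id: str, scopes, client_secret: Optional[str]) -> str:
    """Form body for the device-authorization endpoint. urlencode() escapes the
    space-separated scope list ('openid email' -> 'openid+email'), and the
    secret is included here too, which is what the bug's helper did not do."""
    params: Dict[str, str] = {"client_id": client_id, "scope": " ".join(scopes)}
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urlencode(params)


def request_device_code(post: Post, base_url: str, client_id: str, scopes,
                        client_secret: Optional[str] = None) -> dict:
    status, body = post(f"{base_url}/oauth2/v1/device/authorize",
                        build_device_request(client_id, scopes, client_secret))
    if status != 200:
        raise RuntimeError(f"device authorization failed: {body}")
    return body


def poll_token(post: Post, base_url: str, client_id: str, device_code: str,
               interval: int, client_secret: Optional[str] = None,
               sleep=lambda s: None, max_polls: int = 10) -> Tuple[dict, int]:
    """Poll the token endpoint (RFC 8628 s3.5). 'authorization_pending' keeps the
    interval; 'slow_down' adds 5 s; anything else is fatal. Pass time.sleep as
    `sleep` in real use; the default no-op keeps the demo instant."""
    params = {"grant_type": DEVICE_GRANT, "client_id": client_id, "device_code": device_code}
    if client_secret is not None:
        params["client_secret"] = client_secret
    body_enc = urlencode(params)
    for _ in range(max_polls):
        sleep(interval)
        status, body = post(f"{base_url}/oauth2/v1/token", body_enc)
        if status == 200:
            return body, interval
        err = body.get("error")
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":
            raise RuntimeError(f"token request failed: {err}")
    raise TimeoutError("user did not approve the device code in time")


class FakeOktaNativeApp:
    """Constructed stand-in (assumption) for an Okta native app that requires
    client_secret on every request, including the device-authorization one."""

    def __init__(self, client_id: str, client_secret: str):
        self.client_id, self.client_secret = client_id, client_secret
        self.device_code, self.polls, self.seen_scope = "dc-0001", 0, None

    def post(self, url: str, body: str) -> Tuple[int, dict]:
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            return 401, {"error": "invalid_client"}
        if url.endswith("/oauth2/v1/device/authorize"):
            self.seen_scope = form.get("scope")  # decoded back from 'openid+email'
            return 200, {"device_code": self.device_code, "user_code": "WNPQVKRV",
                         "verification_uri": "https://idp.example/activate",
                         "interval": 5, "expires_in": 600}
        if url.endswith("/oauth2/v1/token"):
            if form.get("grant_type") != DEVICE_GRANT or form.get("device_code") != self.device_code:
                return 400, {"error": "invalid_grant"}
            self.polls += 1
            if self.polls == 1:
                return 400, {"error": "slow_down"}
            if self.polls == 2:
                return 400, {"error": "authorization_pending"}
            return 200, {"access_token": "at-demo", "token_type": "Bearer"}
        return 404, {"error": "not_found"}


def demo(with_secret: bool) -> dict:
    """Run the whole flow; with_secret=False reproduces the bug's failure mode."""
    idp = FakeOktaNativeApp("0oaDemoClientId", "demo-client-secret")
    secret = read_secret(io.StringIO("demo-client-secret\n")) if with_secret else None
    try:
        dev = request_device_code(idp.post, "https://idp.example", idp.client_id,
                                  ["openid", "email"], secret)
        token, final_interval = poll_token(idp.post, "https://idp.example", idp.client_id,
                                           dev["device_code"], dev["interval"], secret)
        return {"ok": True, "user_code": dev["user_code"], "interval": final_interval,
                "polls": idp.polls, "scope": idp.seen_scope, "token_type": token["token_type"]}
    except RuntimeError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

With the secret supplied, the fake accepts the device-authorization request, the first poll returns `slow_down` so the interval goes from 5 to 10 seconds, the second returns `authorization_pending`, and the third returns a token. Without the secret the very first request is refused with `invalid_client`, which is the point at which the pre-fix helper failed before `kinit` ever got a user code to display.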