RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
Summary: authenticating against external IdP services okta (native app) with OAuth cli...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: Filip Dvorak
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 2111393 2152884
TreeView+ depends on / blocked
 
Reported: 2022-07-27 08:28 UTC by Filip Dvorak
Modified: 2023-05-09 10:29 UTC (History)
12 users (show)

Fixed In Version: sssd-2.8.1-1.el9
Doc Type: If docs needed, set a value
Doc Text:
See comment 8
Clone Of:
: 2111393 2152884 (view as bug list)
Environment:
Last Closed: 2023-05-09 08:19:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 6146 0 None closed oidc_child issues found in FreeIPA idp testing 2022-09-26 19:46:42 UTC
Github SSSD sssd pull 6311 0 None closed Fixes for oidc_child 2022-09-26 19:46:43 UTC
Red Hat Issue Tracker RHELPLAN-129205 0 None None None 2022-07-27 09:14:23 UTC
Red Hat Issue Tracker SSSD-4901 0 None None None 2022-08-11 14:14:42 UTC
Red Hat Product Errata RHBA-2023:2514 0 None None None 2023-05-09 08:20:14 UTC

Description Filip Dvorak 2022-07-27 08:28:47 UTC 
Created attachment 1899589 [details]
logs with and without secret with idp okta

Description of problem:
Authentication agains external provider Okta failed when the OAuth client secret was used (ipa idp-add --secret)

Version-Release number of selected component (if applicable):
RHEL-9.1.0-20220721.1
krb5-server-1.19.1-22.el9.x86_64
ipa-server-4.10.0-3.el9.x86_64
libverto-0.3.2-3.el9.x86_64
sssd-idp-2.7.3-1.el9.x86_64


Steps to Reproduce:
1.configuration of ipa-server:
hostnamectl set-hostname master1.testrelm.test
dnf install -y ipa-server-dns
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation

add user for okta idp
echo Secret123 | kinit admin
ipa idp-add oktatest --client-id=<client_id> --provider=okta --base-url=trial-8739330.okta.com --secret
ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="fdvorak" --idp=oktatest
Note: client ID and client secret are from okta web application

The okta native application has the following settings:
Client authentication: Client secret
Application type: Native
Grant type: Authorization Code, Interaction Code, Device authorization
Immediate app access with Federation Broker Mode: Enabled

2. kinit -n -c ./ccache

Actual results:
# kinit -T ./ccache oktausertest
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Expected results:
"kinit -T <ccache> oktausertest" should pass

Additional info:
The same scenario without secret (Client authentication:none in okta native application) works.
Logs were attached.
Comment 2 Alexander Bokovoy 2022-07-27 08:46:44 UTC 
It looks to me as https://github.com/SSSD/sssd/issues/6146 where if client secret is defined, SSSD helper does not submit it to the IdP and fails.
Moving to SSSD.
Comment 5 Alexey Tikhonov 2022-09-15 18:21:15 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6311
Comment 6 Alexey Tikhonov 2022-09-16 13:43:49 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6311

* `master`
    * 1a475e0c537c905c80406ceb88c7b34e6400bc40 - oidc_child: add --client-secret-stdin option
    * 5ed7670766483040211713f8182510775c76b962 - oidc_child: increase wait interval by 5s if 'slow_down' is returned
    * a4d4617efeff871c5d2762e35f9dec57fa24fb1a - oidc_child: use client secret if available to get device code
    * 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb - oidc_child: escape scopes
Comment 11 Michal Polovka 2022-11-15 15:37:18 UTC 
Pre-verified using sssd-2.8.1-1.el9.x86_64

Steps:
setup okta account with https://trial-9331781.okta.com 
setup okta application with :
- Client authentication: Client secret
- Application type: Native
- Grant type: Authorization Code,Interaction Code, Device authorization
- Immediate app access with Federation Broker Mode: Enabled


# hostnamectl set-hostname master1.testrelm.test
# ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation
# echo Secret123 | kinit admin
# ipa idp-add oktatest --client-id=<very secret clien id> --provider=okta --base-url=trial-9331781.okta.com --secret
Enter Secret again to verify: 
-----------------------------------------
Added Identity Provider server "oktatest"
-----------------------------------------
  Identity Provider server name: oktatest
  Authorization URI: https://trial-9331781.okta.com/oauth2/v1/authorize
  Device authorization URI: https://trial-9331781.okta.com/oauth2/v1/device/authorize
  Token URI: https://trial-9331781.okta.com/oauth2/v1/token
  User info URI: https://trial-9331781.okta.com/oauth2/v1/userinfo
  Client identifier: nope
  Secret: neither
  Scope: openid email
  External IdP user identifier attribute: email

# ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="mpolovka" --idp=oktatest
-------------------------
Added user "oktausertest"
-------------------------
  User login: oktausertest
  First name: okta
  Last name: userokta
  Full name: okta userokta
  Display name: okta userokta
  Initials: ou
  Home directory: /home/oktausertest
  GECOS: okta userokta
  Login shell: /bin/sh
  Principal name: oktausertest
  Principal alias: oktausertest
  Email address: oktausertest
  UID: 1855200003
  GID: 1855200003
  User authentication types: idp
  External IdP configuration: oktatest
  External IdP user identifier: mpolovka
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# kinit -n -c ./ccache
# kinit -T ./ccache oktausertest
Authenticate at https://trial-9331781.okta.com/activate?user_code=WNPQVKRV and press ENTER.:
# klist
Ticket cache: KCM:0:12899
Default principal: oktausertest

Valid starting       Expires              Service principal
11/15/2022 10:31:34  11/16/2022 10:09:21  krbtgt/TESTRELM.TEST


Kinit passed, therefore marking as pre-verified - tested.
Comment 16 Michal Polovka 2022-11-24 13:54:02 UTC 
Verified using sssd-2.8.1-1.el9.x86_64

Steps:
setup okta account with https://trial-9331781.okta.com 
setup okta application with :
- Client authentication: Client secret
- Application type: Native
- Grant type: Authorization Code,Interaction Code, Device authorization
- Immediate app access with Federation Broker Mode: Enabled


# hostnamectl set-hostname master1.testrelm.test
# ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation
# echo Secret123 | kinit admin
# ipa idp-add oktatest --client-id=<totally very secret client id> --provider=okta --base-url=trial-9331781.okta.com --secret

Secret: 
Enter Secret again to verify: 
-----------------------------------------
Added Identity Provider server "oktatest"
-----------------------------------------
  Identity Provider server name: oktatest
  Authorization URI: https://trial-9331781.okta.com/oauth2/v1/authorize
  Device authorization URI: https://trial-9331781.okta.com/oauth2/v1/device/authorize
  Token URI: https://trial-9331781.okta.com/oauth2/v1/token
  User info URI: https://trial-9331781.okta.com/oauth2/v1/userinfo
  Client identifier: super private, like totally
  Secret: I don't think so
  Scope: openid email
  External IdP user identifier attribute: email


# ipa user-ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="mpolovka" --idp=oktatest
-------------------------
Added user "oktausertest"
-------------------------
  User login: oktausertest
  First name: okta
  Last name: userokta
  Full name: okta userokta
  Display name: okta userokta
  Initials: ou
  Home directory: /home/oktausertest
  GECOS: okta userokta
  Login shell: /bin/sh
  Principal name: oktausertest
  Principal alias: oktausertest
  Email address: oktausertest
  UID: 1355200003
  GID: 1355200003
  User authentication types: idp
  External IdP configuration: oktatest
  External IdP user identifier: mpolovka
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# kinit -n -c ./ccache
# kinit -T ./ccache oktausertest
Authenticate at https://trial-9331781.okta.com/activate?user_code=GBDZKCFG and press ENTER.:

# klist
Ticket cache: KCM:0:2693
Default principal: oktausertest

Valid starting       Expires              Service principal
11/24/2022 08:52:14  11/25/2022 08:20:41  krbtgt/TESTRELM.TEST

kinit works as expected, therefore marking as VERIFIED. Automation no applicable due to the dependency on external provider.
Comment 24 errata-xmlrpc 2023-05-09 08:19:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2514
Note You need to log in before you can comment on or make changes to this bug.