Enabling SSO (OAuth) via Config Failing

I have been trying to get an OAuth configuration working for Auth0 and I can’t seem to get it actually working.

Here is an obfuscated config that I am using:

_auth0_config = {
    'consumer_key': 'id',
    'consumer_secret': 'secret',
    'request_token_params': {'scope': 'profile email'},
    'base_url': 'https://tenant-prod.auth0.com',
    'request_token_url': None,
    'access_token_method': 'POST',
    'access_token_url': 'https://tenant-prod.auth0.com/oauth/access_token',
    'authorize_url': 'https://tenant-prod.auth0.com/authorize'
}

AUTH_PROVIDERS = {
  'auth0': {
    'default': 'true',
    'type': 'oauth',
    'title': 'Auth0',
    'oauth': _auth0_config
  }
}

IDENTITY_PROVIDERS = {
  'auth0': {
    'title': 'Auth0',
    'trusted_email': True,
    'type': 'oauth',
    'oauth': _auth0_config,
    'endpoint': '/userinfo',
    'identifier_field': 'sub',
    'mapping': {
      'user_name': 'preferred_username',
      'first_name': 'given_name',
      'last_name': 'family_name',
      'email': 'email'
    }
  }
}

PROVIDER_MAP = {"auth0": "auth0"}

Whatever I am doing must be wrong enough that I am just getting an “Internal server error” when restarting, with nothing at all in any logs that I can find. Step one would probably be figuring out where the appropriate logs would be (I have checked /opt/indico/log and /var/log/uwsgi/app)... nothing useful.

Any assistance in debugging this would be amazing!

Thanks in advance!

If you get an internal server error, you might have a syntax error in your config (or some other error that happens at import time). The easiest way to see the actual error and traceback is to run indico shell since that loads the config as well.

'default': 'true', on the auth provider is incorrect for sure:

  • the correct value would be True without quotes
  • the default setting only makes sense on auth providers that use a form to enter credentials directly in Indico, so for OAuth this setting shouldn’t be present at all
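A pre-flight check that applies the advice in this answer, added here as an example and not part of Indico or flask-multipass: it loads the config the way Indico does (indico.conf is Python), so a syntax or other import-time error shows a traceback instead of a bare internal server error, then flags a string 'true' for default, a default key on an oauth provider, and a PROVIDER_MAP entry naming an undefined provider. The sample config is the one from the question, trimmed; the required-key list and the endpoint check are my assumptions about what the oauth provider needs, not taken from the thread.

```python
"""Pre-flight check for an Indico (flask-multipass) auth config. Added example, not
Indico's or flask-multipass's code: it loads the (Python) config the way Indico does,
so an import-time error shows a traceback instead of a bare 500, then checks the
provider dicts for the mistakes discussed in this thread."""
import traceback

OAUTH_KEYS = ("consumer_key", "consumer_secret", "base_url", "access_token_url", "authorize_url")

def load_conf(text):
    """Execute config text in a fresh namespace; returns (namespace, error_text)."""
    ns = {}
    try:
        exec(compile(text, "indico.conf", "exec"), ns)
    except Exception:  # SyntaxError, NameError, ...: anything raised at import time
        return None, traceback.format_exc()
    return ns, None

def check_providers(ns):
    """Return the problems found in AUTH_PROVIDERS, IDENTITY_PROVIDERS and PROVIDER_MAP."""
    problems = []
    auth, ident = ns.get("AUTH_PROVIDERS", {}), ns.get("IDENTITY_PROVIDERS", {})
    for name, cfg in auth.items():
        default = cfg.get("default")
        if isinstance(default, str):
            problems.append(f"{name}: 'default' must be a bool, not the string {default!r}")
        elif default is not None and cfg.get("type") == "oauth":
            problems.append(f"{name}: 'default' is only for form-based providers; remove it")
        for key in OAUTH_KEYS if cfg.get("type") == "oauth" else ():  # assumed required keys
            if not cfg.get("oauth", {}).get(key):
                problems.append(f"{name}: oauth config is missing {key!r}")
    for auth_name, id_name in ns.get("PROVIDER_MAP", {}).items():
        if auth_name not in auth or id_name not in ident:
            problems.append(f"PROVIDER_MAP: {auth_name!r} -> {id_name!r} names an undefined provider")
    for name, cfg in ident.items():
        if cfg.get("type") == "oauth" and not cfg.get("endpoint"):
            problems.append(f"{name}: oauth identity provider needs an 'endpoint' (userinfo path)")
    return problems

# Constructed sample: the thread's original config (trimmed), 'default' mistake intact.
SAMPLE_CONF = """
_c = {'consumer_key': 'id', 'consumer_secret': 'secret',
      'base_url': 'https://tenant-prod.auth0.com',
      'access_token_url': 'https://tenant-prod.auth0.com/oauth/access_token',
      'authorize_url': 'https://tenant-prod.auth0.com/authorize'}
AUTH_PROVIDERS = {'auth0': {'default': 'true', 'type': 'oauth', 'title': 'Auth0', 'oauth': _c}}
IDENTITY_PROVIDERS = {'auth0': {'type': 'oauth', 'oauth': _c, 'endpoint': '/userinfo'}}
PROVIDER_MAP = {'auth0': 'auth0'}
"""
```

Run it against a copy of the real indico.conf before restarting uwsgi; a traceback from load_conf is the same error the app hides behind the 500.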

You are a savior. That key was definitely it. I tried to use the indico shell and couldn’t figure out how to do it. I am running a production configuration, and I didn’t see a bin anywhere or any directory that had a binary to run.

So I am much further along, but still getting a fairly cryptic message of:

Authentication via auth0 failed: OAuth error ({u'msg': u'Invalid response from auth0_flaskmultipass', u'data': {'Not Found': u''}, u'type': 'invalid_response'})

I am guessing there is a mapping incorrect. Any way to easily debug that specifically?

It’s in your PATH when the virtualenv is active.

Are you sure the endpoint is correct?

The docs don’t really specify what the endpoint is, so I am taking a guess. What I was thinking the endpoint represented was what URI (built with the base_url in the config) can be used to pull the user’s information that we can map into our schema.

The userinfo endpoint in Auth0 is exactly that. I could be totally misunderstanding what the field represents though; just jumping into all this and it is a bit overwhelming 🙂.

Docs on userinfo here.

Figured it out. Was using the incorrect access_token endpoint. It seems to be functioning as expected now.

Thank you so much for the help!