Replies: 32 comments 8 replies
-
Further, I converted my cert to P12, copied the pfx into /etc/cert/httpd.crt and privatekey to /etc/cert/httpd.key and ran the APIs thru CURL. It worked perfectly for
BUT, for registering a new client API, I get the same error as I did running out of a custom folder /etc/site_certificates/ with Namecheap subdomain ssl cert format
`{' This tells me my cert transform mapping worked and the API examples have the same issue with standard cert format from standard folder as they did from Namecheap subdomain cert format in custom folder. And that the issue persists in TUI as well as API. So I am missing a parameter somewhere in the config. Any ideas? I am running out of options. I need some guidance. I've been stuck on this point for too long. Either I am missing something in the documentation, or the documentation assumes I know it, which I don't, or there is a bug.
-
Hi Mike, I used your API example in the documentation for curls. I just changed the FQDN. It's giving me the same error I get in TUI. What am I missing?
Bain
On Dec 16, 2023, at 9:18 AM, Michael Schwartz ***@***.***> wrote:
"token_endpoint_auth_method": "self_signed_tls_client_auth",
Is that really supported on Auth Server?
-
Would you please send
-
Hi YuriyZ
I’m not seeing the property [errorRerasonEnabled]

… On Dec 18, 2023, at 2:36 AM, YuriyZ ***@***.***> wrote:
Also turn on errorReasonEnabled AS configuration parameters. For most registration errors it will send together with error and error_description also reason of failure.
Something like
{
"error_description": "The value of one of the Client Metadata fields is invalid and the server has rejected this request. Note that an Authorization Server MAY choose to substitute a valid value for any requested parameter of a Client's Metadata. CorrelationId: ad251165-2836-4905-b34a-b60c876b5a9f",
"error": "invalid_client_metadata",
"reason": "Failed to validated redirect_uri"
}
-
The typo is just in the email. If I list the properties in TUI, I do not see it in properties list (see screenshot in previous message). How do I turn it on?
… On Dec 18, 2023, at 9:28 AM, YuriyZ ***@***.***> wrote:
errorReasonEnabled
-
Hi YuriyZ,
I can’t find jans-auth.log on disk. And I can't find it in the documentation.
What am I missing?
Bain
… On Dec 18, 2023, at 2:31 AM, YuriyZ ***@***.***> wrote:
Would you please send jans-auth.log in TRACE log level? It should help understand exact reason.
-
Hi Mike,
You will notice that there is no [logs] folder under [jetty].
I also did a system-wide search, but no joy: [find -iname jans-auth.log]

… On Dec 18, 2023, at 10:56 AM, Michael Schwartz ***@***.***> wrote:
/opt/jans/jetty/jans-auth/logs
-
You are doing a VM installation? You installed as root? Please check
-
Yes. DigitalOcean VM installation. Ubuntu 20.04
Here is the general installation process.
Not fully detailed and different domain. I've done a number of installations. I do not have an update installation, because it's not yet working.
[new VM Access]
## allow root login
sudo -i
passwd
nano /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
PermitRootLogin yes
nano ~/.ssh/authorized_keys
# add client public key
# /etc/hosts
nano /etc/hosts
# add 127.0.1.1 hostname hostname OR [FQDN] [FQDN]
ufw reset
ufw enable
ufw allow proto tcp from 127.0.0.1 to any port 60022
ufw allow proto tcp from 127.0.0.1 to any port 8073
ufw allow proto tcp from 127.0.0.1 to any port 8081
ufw allow proto tcp from 127.0.0.1 to any port 1636
ufw allow proto tcp from 127.0.0.1 to any port 4444
ufw allow proto tcp from 127.0.0.1 to any port 8086
ufw allow proto tcp from 127.0.0.1 to any port 8099
ufw allow proto tcp from 127.0.0.1 to any port 8087
ufw allow proto tcp from 127.0.0.1 to any port 8082
ufw allow proto tcp from any to any port 80
ufw allow proto tcp from any to any port 443
ufw allow proto tcp from any to any port 22
# ON MACOS HOST
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
#secure site
##Generate CSR
openssl req -new -newkey rsa:2048 -nodes -keyout kayviumdev.key -out kayviumdev.csr
# ELSE if Letsencrypt
#copy-paste crt file contents into CSR request in namecheap for DCV
#scp ssl to site_certificate/domain folder
#IF LOCALCLOUD: copy the DCV into the site root folder in .well-known/pkivalidation:dcv.txt
# IF DIGITALOCEAN
## Edit the droplet domain A record to redirect to this IP
** nano /etc/hosts
### thisIP FQDN
#janssen project: installs apache and generates site adaptor.
#BATCH
wget https://github.com/JanssenProject/jans/files/11814522/automation-jans-public-gpg.zip
unzip automation-jans-public-gpg.zip
sudo gpg --import automation-jans-public-gpg.asc;
wget https://github.com/JanssenProject/jans/releases/download/v1.0.20/jans_1.0.20.ubuntu22.04_amd64.deb -P /tmp
wget https://github.com/JanssenProject/jans/releases/download/v1.0.20/jans_1.0.20.ubuntu22.04_amd64.deb.sha256sum -P /tmp
cd /tmp
sha256sum -c jans_1.0.20.ubuntu22.04_amd64.deb.sha256sum
sudo apt install ./jans_1.0.20.ubuntu22.04_amd64.deb
sudo python3 /opt/jans/jans-setup/setup.py
# use hostname: do-gluu-jansen.kayviumdev.com
# use mysql for store, not openDJ
Janssen Server installation successful!
To manage your Janssen Identity Provider:
# use for initial install and for any changes in config or component services
/opt/jans/jans-cli/config-cli-tui.py
Pease remove the whole setup directory /opt/jans/jans-setup post-installation for a production deployment.
✓ jans Generating smtp keys
✓ jre Installing Jre
✓ jetty Installing Jetty
✓ jython Installing Jython
✓ rdbm-server Importing ldif files to mysql
✓ apache2 Configuring apache2
✓ jans-auth Generating OAuth openid keys
✓ jans-config-api Deploying Jetty Service
✓ jans-fido2 Deploying Jetty Service
✓ jans-scim Deploying Jetty Service
✓ jans-link Deploying Jetty Service
✓ jans-cli Installing Jans Cli
✓ post-setup Starting Jans Link
# Visit site with url given
## Accept the risk
## DO not need access from the web. It loops it internally. so all local w domain
##SSL Checker will show Public Key, No Trusted, Not self-signed, No chain. (3 XCs) rest are checked.
### So no public access, at least yet
… On Dec 19, 2023, at 10:37 AM, Michael Schwartz ***@***.***> wrote:
You are doing a VM installation? You installed as root? Please check /opt/jans/jetty/jans-auth/logs If there is nothing there, your install failed. Please report how you installed.
-
These are the pages I used to install:
https://docs.jans.io/v1.0.21/admin/install/vm-install/ubuntu/
https://docs.jans.io/v1.0.21/admin/install/setup/
-
Given the fit to config expectation, it might be how I implemented SSL certs.
I did not use LetsEncrypt. I used my own subdomain using Namecheap, which generates an SSL to the CSR from OpenSSL on the target server. I download the keys zip and map the SSL files on the targeted server's site adaptor for authentication in /etc/site_certificate/domainname/cert files. I have several web sites (50?) which I use this to authenticate. I appreciate Janssen is a nested approach so maybe something does not work above.
Bain
-
Wait, I see logs under Jetty now:
2023_12_13.jetty.log
2023_12_18.jetty.log
jans-auth-2023-12-17-1.log
jans-auth_persistence_ldap_statistics-2023-12-13-1.log
jans-auth_script-2023-12-13-1.log
=========================
jans-auth.log (last few lines)
2023-12-19 19:59:56,703 INFO [ForkJoinPool.commonPool-worker-1] [io.jans.agama.timer.FlowRunsCleaner] (FlowRunsCleaner.java:65) - Flows cleaner timer has run. 0 runs removed
-
It would be great if that's the issue.
Can I just upgrade Ubuntu to 22.04, or does it require a reinstallation?
Would there be value to the installer picking the right installer automatically?
Bain
… On Dec 20, 2023, at 6:07 AM, Mobarak Hosen Shakil ***@***.***> wrote:
Hi,
You are saying it's ubuntu 20, but You have downloaded Janssen server for ubuntu 22 distro. Please make sure you have installed the right version.
-
There is no upgrade process for Jans VM deployments, which are only for development purposes. All production deployments should use Kubernetes.
-
Will do.
BTW, went through the jetty.log and this is the only error I could see. But I did not install Couchbase intentionally.
MissingDependenciesRegistry] (MissingDependenciesRegistry.java:46) - WELD-000119: Not generating any bean definitions from io.jans.orm.couchbase.impl.CouchbaseEntryManagerFactory because of underlying class loading error: Type com.couchbase.client.java.env.ClusterEnvironment not found. If this is unexpected, enable DEBUG logging to see the full error.
… On Dec 20, 2023, at 9:44 AM, Mostafejur Rahman ***@***.***> wrote:
How do you determine that I installed Janssen 22.04 in Ubuntu 20.04? (KC?)
See you have already shared in above
#janssen project: installs apache and generates site adaptor.
#BATCH
wget https://github.com/JanssenProject/jans/files/11814522/automation-jans-public-gpg.zip
unzip automation-jans-public-gpg.zip
sudo gpg --import automation-jans-public-gpg.asc;
wget https://github.com/JanssenProject/jans/releases/download/v1.0.20/jans_1.0.20.ubuntu22.04_amd64.deb -P /tmp
wget https://github.com/JanssenProject/jans/releases/download/v1.0.20/jans_1.0.20.ubuntu22.04_amd64.deb.sha256sum -P /tmp
cd /tmp
sha256sum -c jans_1.0.20.ubuntu22.04_amd64.deb.sha256sum
sudo apt install ./jans_1.0.20.ubuntu22.04_amd64.deb
So we suggest you just re-install Jans for your appropriate OS.
-
So it's not unexpected... ignore it. But you should enable DEBUG in Auth Server to get more details on the issue you are facing.
-
Great Thanks.
Reinstall with 20.04 installer.
No difference in behaviour. Still hanging on Janssen access
* Clean 2023_12_20.jetty.log
-
Here is the URL generated to log into Janssen.
https://cekh-pp-main-wp.abraxasdev.com/jans-auth/restv1/authorize?response_type=code&scope=email%20profile%20openid&client_id=7092cab5-a883-4db4-b29f-387884460015&state=3cb682a4c4c53a1f804ae6a2f2cc4eb3&redirect_uri=https%3A%2F%2Fcekh-pp-main-wp.abraxasdev.com%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize
This works on GLUU 4.2.2.
It’s hanging on Janssen.
Bain
-
The curl on the API call below is hanging on TLSv1.3
***@***.***:/opt/jans/jetty/jans-auth/logs# curl -i -v -L https://cekh-pp-main-wp.abraxasdev.com/jans-auth/restv1/authorize?response_type=code&scope=email%20profile%20openid&client_id=7092cab5-a883-4db4-b29f-387884460015&state=c69d24d7c9fed61f9e07c6b86f1c4329&redirect_uri=https%3A%2F%2Fcekh-pp-main-wp.abraxasdev.com%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize
[1] 3123
[2] 3124
[3] 3125
[4] 3126
[2] Done scope=email%20profile%20openid
[3]- Done client_id=7092cab5-a883-4db4-b29f-387884460015
***@***.***:/opt/jans/jetty/jans-auth/logs# * Trying 159.203.18.121:443...
* TCP_NODELAY set
* Connected to cekh-pp-main-wp.abraxasdev.com (159.203.18.121) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=cekh-pp-main-md.abraxasdev.com
* start date: Dec 15 18:26:00 2023 GMT
* expire date: Mar 14 18:25:59 2024 GMT
* subjectAltName: host "cekh-pp-main-wp.abraxasdev.com" matched cert's "cekh-pp-main-wp.abraxasdev.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
GET /jans-auth/restv1/authorize?response_type=code HTTP/1.1
Host: cekh-pp-main-wp.abraxasdev.com
User-Agent: curl/7.68.0
Accept: */*
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
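An added example, not part of the original thread or the Janssen project: the session above shows job-control lines such as `[2] Done scope=...` and a request line carrying only `response_type=code`, which is what a shell does with an unquoted `&` in a URL. The script below reproduces that parsing offline with a stub `curl` function; the host, client id and other parameter values are constructed placeholders.

```sh
#!/bin/sh
# Added example: how the shell parses an authorize URL with and without quotes.
# URL is constructed sample input; nothing here touches the network.
URL='https://idp.example.test/jans-auth/restv1/authorize?response_type=code&scope=openid%20email&client_id=constructed-client-id&state=abc123&redirect_uri=https%3A%2F%2Frp.example.test%2Fcb'

# Request target (path plus query) an HTTP client would send for URL $1.
request_target() {
    printf '/%s\n' "${1#*://*/}"
}

# Paste URL unquoted into a child shell's command line, the way it is typed
# at a prompt. "curl" is a stub function that only reports the argument it
# received. Each unquoted & ends a command and backgrounds it, so the stub
# sees the URL up to the first & and the remaining pieces are run as
# variable assignments (scope=..., client_id=..., ...).
unquoted_target() {
    sh -c "
        curl() { printf '/%s\n' \"\${1#*://*/}\"; }
        curl $URL
        wait
    " 2>/dev/null
}

# Same stub, but the URL reaches it as one quoted argument.
quoted_target() {
    sh -c '
        curl() { printf "/%s\n" "${1#*://*/}"; }
        curl "$1"
    ' sh "$URL"
}

# Names of the query parameters that are in the intended URL but missing
# from what the unquoted command line actually passed to curl.
dropped_params() (
    sent=$(unquoted_target)
    sent=${sent#*\?}
    intended=${URL#*\?}
    IFS='&'
    set -f
    for p in $intended; do
        case "&$sent&" in
            *"&$p&"*) ;;
            *) printf '%s\n' "${p%%=*}" ;;
        esac
    done
)

echo "quoted:     $(quoted_target)"
echo "unquoted:   $(unquoted_target)"
echo "never sent: $(dropped_params | tr '\n' ' ')"
```

Putting the whole URL in single quotes on the curl command line sends every parameter in one request.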
-
I think I need a custom oidc script, as specified in the Add Custom Script tutorial
https://docs.jans.io/v1.0.21/admin/recipes/inbound-oidc/#authentication-flow
I added [do-gluu.kayviumdev.com <http://do-gluu.kayviumdev.com/>] as external auth server and
/opt/oidc.json
{
"op_server": "https://do-gluu.kayviumdev.com.server",
"client_id": "XXXXXXXXXXXXXXXXXXXXXXXX-external-oauth2",
"client_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-external-oauth2",
"authorization_uri": "https://do-gluu.kayviumdev.com.server/xx/xxxx",
"token_uri": "https://do-gluu.kayviumdev.com.server/oauth/xx/xxx",
"userinfo_uri": "https://do-gluu.kayviumdev.com.server/xxx/xxx",
"redirect_uri": "https://your.jans.server/jans-auth/postlogin.htm",
"scope": "openid profile email",
"auto_redirect": false,
"title": "Login with OAuth2"
}
So I created it, now I need to reference it in the custom script json. And then add it with the add custom script CLI.
Am I on the right track?
-
Is this related to MTLS?
-
I turned off Mutual Trust. I can work with or without it. It’s just a True/False declaration in the Site-adaptor Reverse-Proxy.
-
I am at this screen (screenshot below), in which I need to add the template JSON model which I download and in which I reference /opt/oidc.json file below

-
I'm working through the [Inbound OpenId-Connect Authentication Tutorial].
I am trying to figure out why I am hanging in accessing the Janssen Server Login page. No errors. Everything looks good. I believe it’s a config I haven’t yet considered.
The RP: Relying party, in this case, is Wordpress - OIDC client?
When I access GLUU 4.2.2 through oxauth, no issues. But it’s hanging on Janssen access.
So when we say [External OAuth2 Server] , are we referring to Janssen, or an external social network authentication server?
-
On executing the CLI to add the custom script, I get this error:
```
***@***.***:/opt# /opt/jans/jans-cli/config-cli.py --operation-id post-config-scripts --data /tmp/cs.json
Server Response:
{
"server_error": "com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `io.jans.model.ProgrammingLanguage` from String "JYTHON": not one of the values accepted for Enum class: [java, python]\n at [Source: (org.eclipse.jetty.server.HttpInput); line: 1, column: 14046] (through reference chain: io.jans.model.custom.script.model.CustomScript["programmingLanguage"])"
}
```
-
I have discovered that [acr_values_supported] does not include [oidc]. Perhaps because of the previous error. But there was a problem with oidc, which could explain the hanging.

-
Is it possibly missing a dependency?
```
"server_error": "com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `io.jans.model.ProgrammingLanguage` from String "JYTHON": not one of the values accepted for Enum class: [java, python]\n at [Source: (org.eclipse.jetty.server.HttpInput); line: 1, column: 14046] (through reference chain: io.jans.model.custom.script.model.CustomScript["programmingLanguage"])"
}
```
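Reading the `server_error` quoted in the two posts above, as an added example that is not part of the thread or of Janssen's own code: the Jackson message itself names the field (the reference chain), the rejected value and the values the server accepts, and the code below extracts them and checks a script payload before it is posted. The payload in the usage section is constructed, and `parse_enum_error` and `check_payload` are hypothetical helper names.

```python
import re

# The server_error text quoted in the thread, as a Python string.
SERVER_ERROR = (
    'com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize '
    'value of type `io.jans.model.ProgrammingLanguage` from String "JYTHON": not one '
    'of the values accepted for Enum class: [java, python]\n at [Source: '
    '(org.eclipse.jetty.server.HttpInput); line: 1, column: 14046] (through reference '
    'chain: io.jans.model.custom.script.model.CustomScript["programmingLanguage"])'
)

ENUM_ERROR = re.compile(
    r'value of type `(?P<type>[\w.$]+)` from String "(?P<given>[^"]*)": '
    r'not one of the values accepted for Enum class: \[(?P<accepted>[^\]]*)\]'
)
# A reference chain step is either ["fieldName"] or [listIndex].
CHAIN_STEP = re.compile(r'\[(?:"([^"]+)"|(\d+))\]')


def parse_enum_error(message):
    """Return type, rejected value, accepted values and field path, or None."""
    m = ENUM_ERROR.search(message)
    if m is None:
        return None  # not an enum deserialization error
    chain = message.partition("through reference chain:")[2]
    return {
        "type": m.group("type"),
        "given": m.group("given"),
        "accepted": [v.strip() for v in m.group("accepted").split(",") if v.strip()],
        "path": [name or int(idx) for name, idx in CHAIN_STEP.findall(chain)],
    }


def check_payload(payload, info):
    """Follow info['path'] into payload; return a finding if the value is not accepted."""
    value = payload
    for step in info["path"]:
        try:
            value = value[step]
        except (KeyError, IndexError, TypeError):
            return None  # field absent, so this error does not apply to the payload
    if value in info["accepted"]:
        return None
    path = ".".join(str(s) for s in info["path"])
    return "%s=%r rejected; server accepts %s" % (path, value, info["accepted"])


if __name__ == "__main__":
    info = parse_enum_error(SERVER_ERROR)
    # Constructed payload standing in for the contents of /tmp/cs.json.
    print(check_payload({"name": "oidc", "programmingLanguage": "JYTHON"}, info))
```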
-
I'm sorry, if this discussion is not about MTLS during DCR, I'm not sure what your goal is.
-
I'm just trying to get Janssen working. I’m hanging. I don't know why.
It works in GLUU 4.2.2. I just need the equivalent.
-
Getting this error:
All configurations (appear) correct. The system health is good. I completed all the properties I could in mapping from GLUU to Janssen. The properties are not in the same objects, so this needs to be pieced together and there is no guidance yet on cross mapping. I am missing two properties in GLUU that I could not find in Janssen to map them.
preauthorization
persistent client authorization
These may matter. I don't know.
We are mapping Janssen as SSO IDS to Wordpress, with synchronized users, so that the Wordpress user base is CRUD-synchronized in real time with Roles and Claims as a slave to Janssen as master. All that is in place, and looks good, except for the 2 missing properties. I am running into the above error, and I can't yet find a way to break through.
Any guidance appreciated.