Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-92575

User can't login on Liferay when OpenID Connect integration parameters are configured manually

    Details

      Description

      Solution Notes

      "ID Token Signing Algorithm" (idTokenSigningAlgValues) option has been added to the "OpenID Connect Provider" (com.liferay.portal.security.sso.openid.connect.internal.configuration.OpenIdConnectProviderConfiguration) System Settings interface. Defaults to "RS256".


      Steps to reproduce

      1. Enable OpenID Connect authentication: https://dev.liferay.com/discover/deployment/-/knowledge_base/7-1/authenticating-with-openid-connect
      2. Set up Liferay to use an OpenID Connect provider without using a discover endpoint;
        1. You can use the Google Provider as an example, just follow https://grow.liferay.com/share/OpenID+Connect+in+7.1+Skill+Map#Add-Google-as-OpenID-Connect-Provider-to-DXP (use the .config file attached to the page and remove the endpoint from the settings)
      3. Log in with a valid user;

      Expected behavior
      The user will log in

      Current behavior

      The user won't log in and the client will be redirected to an Internal Server Error page. The following stacktrace can be seen in the logs

      2019-03-22 20:37:02.814 ERROR [http-nio-8080-exec-5][OpenIdConnectFilter:132] Unable to process the OpenID login
      com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: Unable to instantiate token validator
      	at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:608)
      	at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestTokens(OpenIdConnectServiceHandlerImpl.java:515)
      	at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestIdToken(OpenIdConnectServiceHandlerImpl.java:461)
      	at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.processAuthenticationResponse(OpenIdConnectServiceHandlerImpl.java:163)
      	at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processAuthenticationResponse(OpenIdConnectFilter.java:109)
      	at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processFilter(OpenIdConnectFilter.java:147)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
      	at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:178)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
      	at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
      	at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:101)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: com.nimbusds.oauth2.sdk.GeneralException: Missing OpenID Provider id_token_signing_alg_values_supported parameter
      	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.createJWSKeySelector(IDTokenValidator.java:368)
      	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.create(IDTokenValidator.java:473)
      	at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:600)
      	... 60 more
      

      Reproduced on

      master GITID 567e23321feecad930f68742b6296b823e29714d
      7.1.x GITDĀ ed2e98e2d57bba728d34dbe7a5820bb52174424d

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  31 weeks, 3 days ago

                  Packages

                  Version Package
                  7.0.0 DXP FP82
                  7.0.X
                  7.1.3 CE GA4
                  7.1.10 DXP FP11
                  7.1.X
                  Master