auth0.com with FMS 19 on centos


This topic is 980 days old. Please don't post here. Open a new topic instead.

Hi

It's my first message here; generally I post in French on fmsource.com, but nobody has any experience on this subject.

Until now, I have a server on macOS and I use an LDAP on a Synology for the authentication.

Now I want to migrate (when the final version is there) to the new version on CentOS.

First I tried to connect the server to LDAP with no success. So I searched for another way and found the white paper about other OAuth providers: https://www.soliantconsulting.com/blog/oauth-providers-filemaker-apps/

I chose Auth0.com because they have a free offer up to 7000 users and it is easily synchronizable with my LDAP server. But the white paper, although it says it works with Auth0, details another provider (Okta).

So something doesn't work on my setup: I have the "Microsoft" button, but after I receive the code back I get the message "authentication failed" 🤔

So I am blocked.

Thanks in advance for the help

Esaïe


Are you using the preview build of FMS CentOS? If so what is the exact build number?

If not, what version of FMS are you using and on what platform?

From your description it seems like you actually get to Auth0 after you click the MS button and you successfully authenticate there, but the redirect doesn't work?

Have you tested your setup with something like https://oidcdebugger.com/ and Postman for the 2nd leg of the OAuth?

Are you attempting group-based auth or individual account auth?

The white papers that you'll find here written by Steven Blackwell and myself explain how to use those tools and what to check for in the id_token that you get back from Auth0.

Let us know and we should be able to get you all the way there.

Also, you could consider using something like Red Hat's Keycloak and install it on-prem and let it be the broker to your LDAP server. That way you wouldn't need to sync anything and you can keep it all in-house.


3 hours ago, Wim Decorte said:

Are you using the preview build of FMS CentOS? If so what is the exact build number?

19.1.1.39, I think it's the latest.

3 hours ago, Wim Decorte said:

From your description it seems like you actually get to Auth0 after you click the MS button and you successfully authenticate there, but the redirect doesn't work?

right

3 hours ago, Wim Decorte said:

Have you tested your setup with something like https://oidcdebugger.com/ and Postman for the 2nd leg of the OAuth?

I tried, but I'm not sure how to interpret the result.
4 hours ago, Wim Decorte said:

Are you attempting group-based auth or individual account auth?

Group-based, but I tried with my account too.

4 hours ago, Wim Decorte said:

Also, you could consider using something like Red Hat's Keycloak and install it on-prem and let it be the broker to your LDAP server. That way you wouldn't need to sync anything and you can keep it all in-house.

It could be good, but maybe in a second step. 😅

thank you for trying to help me :) 


Late in the day here so I'll reply in full tomorrow.

But I don't believe that early build of FMS Linux supported external authentication of any kind. I'll try tomorrow with a later build.

It should work just fine with the current versions of FMS17, 18 and 19 on macOS or Windows if you want to set it up there and not wait for when the Linux version gets released.


Yep, that old preview version of FMS Linux did not support External Authentication:

[screenshot omitted]

If you are in the ETS beta testing program you should have access to a more recent version that does.

If you are in ETS, ping me in the ETS group on community.claris.com and I can help you set it up for Auth0.

If you are not then we should pick either Windows or macOS to help you set this up.

Let us know.


One of the main things to keep in mind about Auth0 is that they insist on namespacing the groups claim. When you inspect the id_token they return you'll see this (line 2):

[screenshot of the decoded id_token omitted]

So you have to adjust your changes in the FMS dbs_config.xml file accordingly. FMS typically just expects 'groups' as the key name for the array of groups.

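The advice above (inspect the id_token, then make the dbs_config.xml claim names match what the provider actually returns) can be checked with a small script. The following is an added example for this thread, not code from the posts or from FileMaker/Auth0: it decodes the header and payload of a compact id_token in Node.js without verifying the signature, then compares the claims with hypothetical OAuthIDName and OAuthGroupScheme values. The token, issuer, client id and group names are constructed placeholders.

```javascript
// Added example (not code from the thread): decode an OIDC id_token without
// verifying its signature, so its claims can be inspected the way the thread
// recommends (oidcdebugger/Postman), and check them against the claim names
// that the FileMaker Server dbs_config.xml entries expect. Requires Node.js.

// Hypothetical dbs_config.xml values: OAuthIDName is the claim FMS maps to the
// account name, OAuthGroupScheme is the key holding the array of groups.
const FMS_CONFIG = {
  OAuthIDName: 'nickname',
  OAuthGroupScheme: 'http://ets/claims/groups', // namespaced, as Auth0 returns it
};

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8')
    .toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; restore padding and the standard alphabet.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Split a compact JWT into header and payload. The signature is NOT verified:
// this is a debugging aid for reading claims, not an authentication step.
function decodeIdToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('id_token must have three dot-separated segments');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Return a list of mismatches between the token payload and the FMS configuration.
function checkClaims(payload, config) {
  const problems = [];
  const id = payload[config.OAuthIDName];
  if (typeof id !== 'string' || id === '') {
    problems.push(`identifier claim "${config.OAuthIDName}" is missing, so FMS cannot map the login to an account`);
  }
  if (!Array.isArray(payload[config.OAuthGroupScheme])) {
    // Point at keys that look like a groups claim published under another name.
    const candidates = Object.keys(payload).filter(k => k !== config.OAuthGroupScheme && /groups$/.test(k));
    problems.push(`groups claim "${config.OAuthGroupScheme}" is not an array; group-like claims present: ${JSON.stringify(candidates)}`);
  }
  return problems;
}

// Constructed sample token (not a real Auth0 token; the signature is a placeholder).
const SAMPLE_PAYLOAD = {
  iss: 'https://dev-example.eu.auth0.com/',
  sub: 'ad|ExampleConnection|12345', // same shape as the "ad|...|..." sub seen in the thread
  aud: 'client-id-placeholder',
  iat: 1600000000,
  exp: 1600003600,
  email: 'esaie@example.com',
  nickname: 'esaie',
  'http://ets/claims/groups': ['fms-users', 'fms-admins'],
};
const SAMPLE_TOKEN = `${base64UrlEncode({ alg: 'RS256', typ: 'JWT' })}.${base64UrlEncode(SAMPLE_PAYLOAD)}.placeholder-signature`;

if (typeof require !== 'undefined' && require.main === module) {
  const { payload } = decodeIdToken(SAMPLE_TOKEN);
  console.log(JSON.stringify(payload, null, 2));
  console.log(checkClaims(payload, FMS_CONFIG));
  // Same token checked against a config that still expects the plain 'groups' key:
  console.log(checkClaims(payload, { OAuthIDName: 'nickname', OAuthGroupScheme: 'groups' }));
}
```

Paste the id_token obtained from the token endpoint in place of SAMPLE_TOKEN and compare the output with the dbs_config.xml entries; the second checkClaims call shows the mismatch described in the post, where FMS looks for 'groups' but the provider returns a namespaced key.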

*******, no I don't have access to a more recent version, only the developer preview. I will try to apply.

So if I understand right, it's normal that LDAP doesn't work either.

I tried to do the configuration under macOS, but I'm on version 17 (I have to buy the new version of MBS to be able to update).

My dbs_config file:

<keys name="oAuthProviders">
    <keys name="Microsoft">
      <key name="AuthCodeEndpoint" type="string">dev-esaeberg.eu.auth0.com/authorize</key>
      <key name="AuthType" type="integer">2</key>
      <key name="ClientID" type="string">-------------</key>
      <key name="ClientSecret" type="string">---------</key>
      <key name="EncryptedClientSecret" type="integer">1</key>
      <key name="OAuthGroupScheme" type="string">groups</key>
      <key name="OAuthIDName" type="string">nickname</key>
      <key name="OIDCEnabled" type="integer">1</key>
      <key name="OIDCIssuer" type="string"/>
      <key name="ProfileEndpoint" type="string"/>
      <key name="Provider" type="string">Microsoft</key>
      <key name="ProviderEnabled" type="integer">1</key>
      <key name="ProviderID" type="integer">4</key>
      <key name="ResponseType" type="string">code</key>
      <key name="Scope" type="string">openid email groups</key>
      <key name="TokenEndpoint" type="string">https://dev-esaeberg.eu.auth0.com/oauth/token</key>
    </keys>
  </keys>

I tried with <key name="OAuthGroupScheme" type="string">http://ets/claims/groups</key> too

So, when I try the authentication, the redirect page stays open and white (screenshot omitted): no failed message on the authentication WebDirect page like with the CentOS version.

About Postman, I put the result in jwt but I revise only openid and email, not groups as asked in scope. And my ID is in a special format: "sub": "ad|MyApplicationName|MyID"


33 minutes ago, Esaïe PA Bergier said:

About Postman, I put the result in jwt but I revise only openid and email, not groups as asked in scope

If you have asked for groups in the scope then it looks like your app on the Auth0 side is not configured to return groups.

33 minutes ago, Esaïe PA Bergier said:

tried with <key name="OAuthGroupScheme" type="string">http://ets/claims/groups</key> too

That particular string is only valid for my Auth0 app; you have to configure yours on the Auth0 app side and then use it in your dbs_config.xml file.

Just verified with the latest ETS build of FMS Linux that Auth0 authentication works, just like with the current Windows and macOS servers.

It should work on your FMS17 box too once you have made the final tweaks on the Auth0 side of things.

Edited by Wim Decorte
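The Auth0-side configuration Wim refers to is the step that actually puts a groups claim into the id_token under the namespaced name that dbs_config.xml then has to repeat. As an added example (not the thread's, FileMaker's or Auth0's own code), this is a post-login Action in the shape Auth0's Actions API uses (api.idToken.setCustomClaim), with a local dry-run stub so it can be exercised outside Auth0. The namespace is a placeholder, and reading groups from event.user.groups or event.user.app_metadata.groups is an assumption about where a given connection stores them.

```javascript
// Added example (not the thread's or Auth0's own code): an Auth0 post-login
// Action that publishes the user's groups in the id_token under a namespaced
// claim, which is the Auth0-side configuration the reply above refers to.
// Assumptions: the Auth0 Actions API (api.idToken.setCustomClaim) is used, the
// namespace below is a placeholder that must match OAuthGroupScheme in
// dbs_config.xml, and groups are found on event.user.groups or in
// event.user.app_metadata.groups (where they end up depends on the connection).

const GROUPS_CLAIM = 'https://example.invalid/claims/groups'; // placeholder namespace

// Collect the group names for a user profile; always returns an array so the
// claim has a stable type whether or not the user belongs to any group.
function groupsForUser(user) {
  const fromProfile = user && Array.isArray(user.groups) ? user.groups : null;
  const fromMetadata = user && user.app_metadata && Array.isArray(user.app_metadata.groups)
    ? user.app_metadata.groups : null;
  const raw = fromProfile || fromMetadata || [];
  // Trim, drop empties and duplicates: the group mapping in FMS is an exact string match.
  return [...new Set(raw.filter(g => typeof g === 'string' && g.trim() !== '').map(g => g.trim()))];
}

// Handler signature used by Auth0 "Login / Post Login" Actions.
function onExecutePostLogin(event, api) {
  api.idToken.setCustomClaim(GROUPS_CLAIM, groupsForUser(event.user));
}

// In the Auth0 Action editor the handler is exported as
// `exports.onExecutePostLogin = ...`; guarded here so the file also runs locally.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Local dry run with a stub of the Actions api object: returns the claims that
// would be added to the id_token for a given (constructed) user profile.
function dryRun(user) {
  const claims = {};
  const api = { idToken: { setCustomClaim: (name, value) => { claims[name] = value; } } };
  onExecutePostLogin({ user }, api);
  return claims;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed profile: duplicate and blank-padded group names are normalised away.
  console.log(dryRun({ nickname: 'esaie', groups: ['fms-users', ' fms-users', 'fms-admins', ''] }));
  console.log(dryRun({ nickname: 'nogroups' }));
}
```

Whatever string GROUPS_CLAIM holds in the deployed Action is the value to put in the OAuthGroupScheme key of dbs_config.xml; the plain 'groups' key FMS expects by default will not match a namespaced claim.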

  • 4 months later...

Hi Wim

I put everything on hold for a while. I went back to doing some tests a week ago.

I tried now with Keycloak with your instructions (OAuth_Addendum3_SecurityKeys.pdf).

But it doesn't work; I always get "authentication failed".

I tried with oidcdebugger.com; I can get a code, but when I go to Postman it says "error": "unknown_error", and when I try again:

    "error": "invalid_grant",
    "error_description": "Code not valid"

So maybe the best thing to do would be to hire you to fix this problem.


58 minutes ago, Wim Decorte said:

The postman failure indicates that the backend is not set up correctly.

I can imagine that it's a question of configuration, but I only made the settings explained in your guide. I even started the installation completely over twice.


  • 4 weeks later...

It was not the backend that was not set up correctly, it was the web proxy ...

So now I can log in, it works, but

I had to play around to get the username in FileMaker!

I had to disable the email in the token and create a new "Client Scope" for the username which is named "email" in the token. The OAuthIDName value in the dbs_config.xml file is useless !!!


  • 2 months later...

Did you see the recording named something like `d20 Wim Decorte - SSO with keycloak Clip`? Not sure if this is still valid for FM19S though; the video is on FM18S IIRC.


  • 3 months later...

Referencing the original post here.

I am trying to set up Auth0 to authenticate with FMS 19.2.1 (Windows Server).

Got to the point where the logs on Auth0 show successful login and FMS says 'Authentication Failed'.

So I assume it's because the claims aren't set up properly (email probably) - not quite clear how to achieve that with Auth0.

Second issue is groups - having tried to figure this out I came across this thread:

https://community.auth0.com/t/how-do-you-manage-user-groups/35897/7

I'm wondering if the group feature is not available anymore (or only in beta now).

At this point I'll be satisfied with getting single-user login working.

I think my FMS config file is okay but probably missing some bit on Auth0.

The 'Authentication Failed' web page is in the format of https://myserver/oauth/redirect?code=xxxxxxx&state=xxxxxxxx

It asks permission to open FMP and then shows the error in FMP.

FMS logs show nothing.

Any pointers would be appreciated....


Sounds to me like you have mapped the group in your settings wrongly, or not at all. Did you follow the steps in the video I mentioned above?

Edited by ggt667

On 2/13/2021 at 1:30 PM, Esaïe PA Bergier said:

KeyCloak, it's better to keep personal data inside

Submitting my later success story here for reference: https://gist.github.com/TyrfingMjolnir/d99226078f76cd4760114ff223fbc702 Joyent SmartOS native zone w/KeyCloak.


I do not know Auth0; I proxy M$, Google, and Apple through my own KeyCloak configuration.

Is Auth0 on the same level as KeyCloak? Or the FAANG level I just mentioned?

Edited by ggt667

1 hour ago, Dan Rosenstein said:

It's a cloud service like OKTA - not on the LAN level (if that's the question).

How would you let anyone with a cloud.com or gmail.com email address use your OKTA?
