Hue OIDC auth redirect uri issue

Hello,

I am currently trying to integrate an OIDC authentication backend for Hue (image: 4.7.0) that interacts with our in-house SSO client, which provides tokens to the Hue application.

Hue is able to navigate to the oidc_op_authorization_endpoint for my configured value, but I see it is not taking the redirect login URL which I am passing. I narrowed it down: it seems to be failing because the redirect URI defaults to localhost, and the authentication API fails saying invalid URI. I defined a login_redirect_url, like the example in hue.ini, as seen below.

Please kindly suggest how to override this value.

FYI: We are using the official Hue Helm chart, which comes with the default nginx (we aren't modifying any configs for nginx). However, we have an ingress config for the default URL, which is also mentioned below.

[[oidc]]
  # The client ID as relying party set in OpenID provider
  oidc_rp_client_id=hue-auth

  # The client secret as relying party set in OpenID provider
  oidc_rp_client_secret=*****tSOdhkYDlxSOqelxfpQcxQX

  # The OpenID provider authorization endpoint
  ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
  oidc_op_authorization_endpoint=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/***/openid-connect/auth

  # The OpenID provider token endpoint
  oidc_op_token_endpoint=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/***/openid-connect/token

  # The OpenID provider user info endpoint
  oidc_op_user_endpoint=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/***/openid-connect/userinfo

  # The OpenID provider signing key in PEM or DER format
  ## oidc_rp_idp_sign_key=/path/to/key_file

  # The OpenID provider JWKS endpoint (public keys used to verify ID tokens)
  oidc_op_jwks_endpoint=https://flying-kraken.id3.uat.cloud.***.net/api/v1/domains/***/openid-connect/certs

  # Whether Hue, as OpenID Connect client, verifies the provider's SSL cert
  # (false disables TLS verification of the provider; only acceptable for testing)
  oidc_verify_ssl=false

  # As relying party, Hue URL path to redirect to after login
  login_redirect_url=https://hue-pras0004.use.eks.arch.sip.dev.cloud.***.net/oidc/callback/

  # The OpenID provider URL path to redirect to after logout
  logout_redirect_url=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/**/openid-connect/logout

  # As relying party, Hue URL path to redirect to after a failed login
  login_redirect_url_failure=https://hue-pras0004.use.eks.arch.sip.dev.cloud.**.net/hue/oidc_failed/

  # Create a new user from OpenID Connect on login if it doesn't exist
  create_users_on_login=true

[Screenshot 2022-12-15 at 2.15.23 PM]

As seen in the above image, the redirect URI is taking the default localhost value and not the overridden value. I even tried setting the yarn -> proxy URL, but that didn't work either.

Thanks. I was able to solve this with the below config changes in the ini file.

    [desktop]
      redirect_whitelist="^\/.*$,^<Your SSO redirect base url>\/.*$"

      [[auth]]
        behind_reverse_proxy=true
        reverse_proxy_header=HTTP_X_FORWARDED_FOR

    [proxy]
      # Comma-separated list of regular expressions,
      # which match 'host:port' of requested proxy target.
      whitelist=<base url>

    # [[yarn_clusters]] is a subsection of [hadoop] in hue.ini
    [hadoop]
      [[yarn_clusters]]
        [[[default]]]
          # Enter the host on which you are running the ResourceManager
          ## resourcemanager_host=localhost

          # The port where the ResourceManager IPC listens on
          ## resourcemanager_port=8032

          # URL of the ResourceManager API
          resourcemanager_api_url=<base url>

          # URL of the ProxyServer API
          proxy_api_url=<base url>
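As an added illustration, not code from Hue, the Helm chart or the poster, the following Python models the two settings this answer relies on: how a Django application such as Hue derives the absolute callback URL it sends to the provider as redirect_uri when it is, or is not, told to trust the X-Forwarded-Host and X-Forwarded-Proto headers the ingress adds, and how a comma-separated redirect_whitelist of regular expressions is applied to a redirect target. The hostnames, header values and helper names are constructed assumptions and the logic is a simplified model, not Hue's own implementation. It also shows why a pattern that has lost its `*` in copying, such as `^/.$`, matches only two-character paths, and why a check built on `^\/.*$` should additionally reject scheme-relative targets like `//evil.example/`.

```python
import re
from typing import Mapping, Sequence

# Constructed Django-style request metadata; not captured from the poster's
# cluster. The nginx/ingress in front of Hue connects to the pod as
# localhost:8888 and passes the public host and scheme in forwarded headers.
DIRECT_META = {"HTTP_HOST": "localhost:8888"}
PROXIED_META = {
    "HTTP_HOST": "localhost:8888",
    "HTTP_X_FORWARDED_HOST": "hue.example.net",   # assumed public hostname
    "HTTP_X_FORWARDED_PROTO": "https",
}
CALLBACK_PATH = "/oidc/callback/"  # the callback route from the thread


def build_absolute_uri(meta: Mapping[str, str], path: str,
                       use_x_forwarded_host: bool = False,
                       secure_proxy_ssl_header: bool = False) -> str:
    """Simplified model of how a Django app builds the absolute URL it hands
    to the OpenID provider as redirect_uri.

    With both flags off only the Host header the proxy sent is trusted and
    the scheme is assumed to be http, so the provider receives
    http://localhost:8888/oidc/callback/ and rejects it as unregistered.
    """
    host = meta["HTTP_HOST"]
    scheme = "http"
    if use_x_forwarded_host and meta.get("HTTP_X_FORWARDED_HOST"):
        host = meta["HTTP_X_FORWARDED_HOST"]
    if secure_proxy_ssl_header and meta.get("HTTP_X_FORWARDED_PROTO") == "https":
        scheme = "https"
    return f"{scheme}://{host}{path}"


def parse_whitelist(value: str) -> list:
    """Split the comma-separated ini value into compiled regexes."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_redirect_allowed(location: str, patterns: Sequence) -> bool:
    """Accept a redirect target only if some whitelist regex matches it.

    Scheme-relative targets (//evil.example/...) are rejected first: they
    satisfy a pattern like ^/.*$ yet send the browser to a different host,
    which is exactly the open redirect the whitelist exists to prevent.
    """
    if location.startswith("//") or location.startswith("/\\"):
        return False
    return any(p.match(location) for p in patterns)


# Patterns as they should be written in hue.ini: anchored, dots escaped.
GOOD_WHITELIST = parse_whitelist(r"^\/.*$,^https:\/\/sso\.example\.net\/.*$")
# The same value after a copy through a renderer that ate the backslashes
# and asterisks; each pattern now matches only a two-character path.
MANGLED_WHITELIST = parse_whitelist("^/.$,^/.$")


if __name__ == "__main__":
    print(build_absolute_uri(PROXIED_META, CALLBACK_PATH))
    print(build_absolute_uri(PROXIED_META, CALLBACK_PATH, True, True))
    for target in ["/hue/oidc_failed/", "https://sso.example.net/logout",
                   "https://evil.example/", "//evil.example/"]:
        print(target, is_redirect_allowed(target, GOOD_WHITELIST),
              is_redirect_allowed(target, MANGLED_WHITELIST))
```

Trusting the forwarded headers is only safe when the proxy in front of Hue overwrites them on every request; if a client can reach the pod directly or the proxy passes them through, the client controls the host that ends up in redirect_uri and in every absolute link the application generates.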

Hi Prabhu,
I am done with all the changes in the Hue [oidc] connection as you mentioned, but I am still getting the redirect URI issue.
redirect_whitelist="^/.$,^/.$"
I am not getting which URL we have to pass in the above. Can you please give an example, also for the [[yarn_clusters]] settings?
Please help me with this.

Thanks,
Sanju

Hi Sanju,

Please note the below steps in order to integrate OIDC auth with Hue.

  1. Add the client-cert.pem, private.key and idp-metadata.xml into your Hue pod (path: /usr/share/hue/). If you are running inside Docker, you can add these to your Dockerfile.

  2. We are using SAML, so we added djangosaml2 and pysaml2 into the Docker image via pip.

  3. Make the below changes to your ini file:

    ini: |
    [desktop]
    use_x_forwarded_host=true
    secure_proxy_ssl_header=true
    redirect_whitelist="^/.$,^https:///.$"
    [[task_server]]
    enabled=false

    [[auth]]
    idle_session_timeout=-1
    backend=desktop.auth.backend.AllowFirstUserDjangoBackend,libsaml.backend.SAML2Backend
    behind_reverse_proxy=true
    reverse_proxy_header=HTTP_X_FORWARDED_FOR

    [libsaml]
    xmlsec_binary=/usr/bin/xmlsec1
    metadata_file=/usr/share/hue/idp-metadata.xml
    key_file=/usr/share/hue/private.key
    cert_file=/usr/share/hue/client-cert.pem
    username_source=nameid
    name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    logout_enabled=true
    authn_requests_signed=true
    want_response_signed=true
    want_assertions_signed=true
    logout_requests_signed=true
    create_users_on_login=true