Viewing 0 reply threads
  • Author
    Posts
    • #30802
      P R
      Participant

After a test installation of OTOBO 10.1 as a Docker container, I am now installing OTOBO 11.0 the classic way with Apache2.

During the test installation I had already set up SSO for agents and customers successfully, and I wanted to carry that configuration over to the new installation; unfortunately I get the error [Error][Kernel::System::User::UserLookup][961] Need UserLogin or UserID! in otobo.log, and "Ungültige Antwort vom Authentifizierungsserver. Möglicherweise kam es zum Timeout. Bitte versuchen Sie es noch einmal." during login. Has something changed in OTOBO 11.0? I could not find any changes in Defaults.pm.

Here is my configuration (IDs and URLs have been changed):

# AgentUser

# This is an example configuration for authorization via OpenIDConnect
# see https://openid.net/specs/openid-connect-core-1_0.html
$Self->{AuthModule} = 'Kernel::System::Auth::OpenIDConnect';
# Define the authentication flow, currently supported are the authorization code flow...
# $Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'code' ];
# ...and the implicit flow (choose one - currently no hybrid flow is implemented)
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'id_token' ];
# Define the additional scope (openid is added automatically and does not need to be
# defined here). Make sure to add everything you want to interpret later.
$Self->{'AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [
    qw/profile email/
];
# Set the ClientID and Redirect URI exactly as defined on the authorization server
# for the latter the Action must be "Login"
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID    => 'xxx',
    RedirectURI => 'https://xxx.de/otobo/index.pl?Action=Login',
};
# For the authorization code flow the client secret has to be provided
$Self->{'AuthModule::OpenIDConnect::Config'}{ClientSettings}{ClientSecret} = 'xxx';
# Provide the URL of the well-known openid-configuration of the OpenID provider
$Self->{'AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration',
    # TTL  => 60 * 30,   # optional: time period the extracted openid-configuration is cached
    # Name => 'Intern4', # optional: necessary only if one needs to differentiate between User and CustomerUser configuration e.g.
    # SSLOptions => {    # if special ssl options are needed; SSLVerifyHostname => 0 is also possible but should only be used for testing purposes
    #     SSLCertificate => 'SSL_cert_file', # client certificate
    #     SSLKey         => 'SSL_key_file',  # client cert key
    #     SSLPassword    => 'SSL_passwd_cb', # password for client cert key
    #     SSLCAFile      => 'SSL_ca_file',   # CA certificate
    #     SSLCADir       => 'SSL_ca_path',   # CA cert directory
    # },
};
# Set the token claim to be used as identifier
$Self->{'AuthModule::OpenIDConnect::UID'} = 'email';
# Some optional additional settings
$Self->{'AuthModule::OpenIDConnect::Config'}{Misc} = {
    UseNonce   => 1,      # add a nonce to request and token (this is primarily important for the implicit flow where it is enabled by default)
    RandLength => 22,     # length for state and nonce random strings - default: 22
    RandTTL    => 60 * 5, # valid time period for state and nonce (roughly the time a user can take to authenticate) - default: 300 s
    Leeway     => 2,      # leeway for small time differences between the OTOBO server and the OpenID provider - default: 2 s
};
# Optionally enable user authorization via the id token - hashes can be used for complex claims
$Self->{'AuthModule::OpenIDConnect::RoleMap'} = {
    roles => {
        Administrator => 'Administrator',
        Agent         => 'Agent',
    # },
    # TokenAttribute2 => {
    #     abc123 => {
    #         TokenRole1 => 'OTOBORole1',
    #         TokenRole3 => 'OTOBORole3',
    #     }
    },
};
# Optionally enable user creation - this currently does not support complex claims; email is mandatory
$Self->{'AuthModule::OpenIDConnect::UserMap'} = {
    email       => 'UserEmail',
    given_name  => 'UserFirstname',
    family_name => 'UserLastname',
};
# For debugging purposes and to help with building the RoleMap e.g. you can dump all IDTokens received to the log
$Self->{'AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;

# CustomerUser

# This is an example configuration for authorization via OpenIDConnect
# see https://openid.net/specs/openid-connect-core-1_0.html
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::OpenIDConnect';
# Define the authentication flow, currently supported are the authorization code flow...
# $Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'code' ];
# ...and the implicit flow (choose one - currently no hybrid flow is implemented)
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{ResponseType} = [ 'id_token' ];
# Define the additional scope (openid is added automatically and does not need to be
# defined here). Make sure to add everything you want to interpret later.
$Self->{'Customer::AuthModule::OpenIDConnect::AuthRequest'}->{AdditionalScope} = [
    qw/profile email/
];
# Set the ClientID and Redirect URI exactly as defined on the authorization server
# for the latter the Action must be "Login"
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings} = {
    ClientID    => 'xxx',
    RedirectURI => 'https://xxx.de/otobo/customer.pl?Action=Login',
};
# For the authorization code flow the client secret has to be provided
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ClientSettings}{ClientSecret} = 'xxx';
# Provide the URL of the well-known openid-configuration of the OpenID provider
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{ProviderSettings} = {
    OpenIDConfiguration => 'https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration',
    # TTL  => 60 * 30,   # optional: time period the extracted openid-configuration is cached
    # Name => 'Intern4', # optional: necessary only if one needs to differentiate between User and CustomerUser configuration e.g.
    # SSLOptions => {    # if special ssl options are needed; SSLVerifyHostname => 0 is also possible but should only be used for testing purposes
    #     SSLCertificate => 'SSL_cert_file', # client certificate
    #     SSLKey         => 'SSL_key_file',  # client cert key
    #     SSLPassword    => 'SSL_passwd_cb', # password for client cert key
    #     SSLCAFile      => 'SSL_ca_file',   # CA certificate
    #     SSLCADir       => 'SSL_ca_path',   # CA cert directory
    # },
};
# Set the token claim to be used as identifier
$Self->{'Customer::AuthModule::OpenIDConnect::UID'} = 'email';
# Some optional additional settings
$Self->{'Customer::AuthModule::OpenIDConnect::Config'}{Misc} = {
    UseNonce   => 1,      # add a nonce to request and token (this is primarily important for the implicit flow where it is enabled by default)
    RandLength => 22,     # length for state and nonce random strings - default: 22
    RandTTL    => 60 * 5, # valid time period for state and nonce (roughly the time a user can take to authenticate) - default: 300 s
    Leeway     => 2,      # leeway for small time differences between the OTOBO server and the OpenID provider - default: 2 s
};
# For debugging purposes you can dump all IDTokens received to the log
$Self->{'Customer::AuthModule::OpenIDConnect::Debug'}->{'LogIDToken'} = 1;
