MozDef OIDC Question

(Nikkeh) #1

Trying to spin up MozDef in AWS to take it for a spin, however I've hit a bit of a snag on what MozDef is expecting for the redirect URI from my OIDC setup. Also, what underlying OIDC library is MozDef using? Tried to creep through the GitHub for an answer and no luck (but I probably overlooked it…).

0 Likes

(Gene Wood) #2

Trying to spin up MozDef in AWS to take it for a spin, however i’ve hit a bit of a snag on what MozDef is expecting for the redirect URI from my OIDC setup.

MozDef will ask the OIDC provider to send the user back to /redirect_uri which is set here

This is passed to the OIDC Proxy that runs in front of MozDef via an environment variable

Also what underlying OIDC library is mozdef using?

OIDC is terminated using our Nginx Lua OpenID Connect Access Proxy, which in turn uses the lua-resty-openidc library. It's referenced here in the docker compose file.

0 Likes

(mt_git) #3

I got some errors with my MozDef setup in AWS. Cognito was used as the OIDC provider. My OIDC Proxy logs looked like:

172.20.20.253 - - [01/Mar/2019:18:24:39 +0000] "GET / HTTP/1.1" 500 541 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
2019/03/01 18:24:39 [error] 6#6: *7069 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/openidc.lua:568: attempt to index field 'discovery' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/openresty/site/lualib/resty/openidc.lua: in function 'openidc_get_token_auth_method'
        /usr/local/openresty/site/lualib/resty/openidc.lua:616: in function 'ensure_config'
        /usr/local/openresty/site/lualib/resty/openidc.lua:1360: in function 'authenticate'
        /usr/local/openresty/nginx/conf/conf.d/openidc_layer.lua:11: in function </usr/local/openresty/nginx/conf/conf.d/openidc_layer.lua:1>, client: 172.20.20.253, server: , request: "GET / HTTP/1.1", host: "mozdefdemo.mycompany.com"
2019/03/01 18:24:44 [error] 6#6: *7070 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/openidc.lua:568: attempt to index field 'discovery' (a nil value)
stack traceback:
coroutine 0:
        /usr/local/openresty/site/lualib/resty/openidc.lua: in function 'openidc_get_token_auth_method'
        /usr/local/openresty/site/lualib/resty/openidc.lua:616: in function 'ensure_config'
        /usr/local/openresty/site/lualib/resty/openidc.lua:1360: in function 'authenticate'
        /usr/local/openresty/nginx/conf/conf.d/openidc_layer.lua:11: in function </usr/local/openresty/nginx/conf/conf.d/openidc_layer.lua:1>, client: 172.20.20.253, server: , request: "GET /favicon.ico HTTP/1.1", host: "mozdefdemo.mycompany.com", referrer: "https://mozdefdemo.mycompany.com/"
172.20.20.253 - - [01/Mar/2019:18:24:44 +0000] "GET /favicon.ico HTTP/1.1" 500 541 "https://mozdefdemo.mycompany.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"

What could be wrong? Thanks! @gene @Nikkeh

0 Likes

(Gene Wood) #4

Did you pass a valid discovery URL?

Check the dependencies for what you need there:

An OIDC Provider with ClientID, ClientSecret, and Discovery URL

0 Likes

(mt_git) #5

Thanks Gene.

I use Cognito only for authentication. The discovery URL was like this:
https://cognito-idp.us-west-2.amazonaws.com/my_user_pool_id/.well-known/openid-configuration

0 Likes

(Gene Wood) #6

We haven’t tested with Cognito yet (only Auth0) but hope to test and add documentation for it over the next few months.

@mt_git are you getting the error you indicated when you use the Cognito discovery URL you linked to?

If so, it's likely because that discovery URL just returns an error message:

{"message":"User pool my_user_pool_id does not exist."}

0 Likes

(mt_git) #7

Hi Gene, the pool id in the link above was redacted. Looks like I got it working with Auth0, but still no luck with Cognito. I’d like to send more details…

0 Likes

(Gene Wood) #8

Oh right (duh sorry), I didn’t notice that.

The OIDCDiscoveryURL CloudFormation parameter should contain the discovery URL, I’d recommend confirming that you have set that value.

From there it's passed to the CloudFormation substack that provisions the EC2 instance, where it's written to a file on the EC2 instance which is used to set environment variables within the docker containers. The discovery_url environment variable is used in OpenResty to set the discovery option in the opts variable that lua-resty-openidc will use. This opts variable is passed to lua-resty-openidc here.

If you’re getting an error that discovery is nil, either the discovery URL isn’t being input at the beginning in the CloudFormation parameter, or there’s a bug somewhere in that chain that’s allowing Auth0 discovery URLs to pass through to lua-resty-openidc but not cognito discovery URLs.

1 Like
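Posts #6 and #8 both come down to the same question: does the value that ends up in the OIDCDiscoveryURL parameter actually return a usable OpenID Connect provider metadata document, or just an error body such as the Cognito "User pool ... does not exist." message quoted above? The following checker is an added example written for this thread; it is not part of MozDef, the OIDC access proxy, or lua-resty-openidc. It validates a discovery document offline (the sample bodies below are constructed, with a placeholder pool id and hosted-UI domain) and can optionally fetch a live URL; the required field list is taken from OpenID Connect Discovery 1.0, plus token_endpoint, which the authorization code flow needs.

```python
"""Check that an OIDC discovery URL returns a usable provider metadata document.

Hypothetical helper for the MozDef discovery-URL question; not project code.
Run the URL through fetch_and_check() before putting it into the
OIDCDiscoveryURL CloudFormation parameter, or feed a downloaded body to
check_discovery_document() to see why lua-resty-openidc would reject it.
"""
import json
import urllib.error
import urllib.request

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in the provider
# metadata, plus token_endpoint, which the authorization code flow needs.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Endpoints that must be https so tokens and codes never travel in the clear.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery_document(body: str) -> list:
    """Return a list of problems with a discovery document body; [] means OK."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]

    problems = []
    # Cognito answers with a bare {"message": ...} object when the pool in the
    # URL does not exist. That parses fine as JSON, so the missing fields are
    # what reveal the problem; flag the message explicitly so it is visible.
    if "message" in doc and "issuer" not in doc:
        problems.append(f"provider returned an error message: {doc['message']!r}")
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field {field!r}")
    for field in URL_FIELDS:
        value = doc.get(field)
        if isinstance(value, str) and not value.startswith("https://"):
            problems.append(f"{field} is not an https URL: {value!r}")
    return problems


def fetch_and_check(discovery_url: str, timeout: float = 10.0) -> list:
    """Fetch a discovery URL (needs network) and validate status and body."""
    if not discovery_url.endswith("/.well-known/openid-configuration"):
        return [f"URL does not end in /.well-known/openid-configuration: {discovery_url!r}"]
    req = urllib.request.Request(discovery_url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # A 4xx still carries a body (e.g. Cognito's error message); keep it.
        status, body = exc.code, exc.read().decode("utf-8", errors="replace")
    problems = check_discovery_document(body)
    if status != 200:
        problems.insert(0, f"HTTP status {status}")
    return problems


# Constructed sample: the error body quoted in the thread for a redacted pool id.
COGNITO_ERROR_BODY = '{"message":"User pool my_user_pool_id does not exist."}'

# Constructed sample: a minimal well-formed document with placeholder
# pool id and hosted-UI domain (not a real Cognito deployment).
GOOD_BODY = json.dumps({
    "issuer": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE",
    "authorization_endpoint": "https://example-domain.auth.us-west-2.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.us-west-2.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    for name, body in (("cognito error body", COGNITO_ERROR_BODY), ("well-formed document", GOOD_BODY)):
        problems = check_discovery_document(body)
        print(f"{name}: {'OK' if not problems else problems}")
```

Running the module offline reports the Cognito error body as unusable (error message plus every required field missing) and the constructed document as OK; pointing fetch_and_check() at a real URL additionally surfaces a non-200 status, which is the quickest way to distinguish a mistyped pool id in the parameter from a problem further down the CloudFormation-to-OpenResty chain.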