I have a local apache2 server running humhub 1.3.14.
My goal is to set Keycloak located on my rancher cluster as the authentication provider for humhub.
After selecting "keycloak OpenId Connect" the user is successfully redirected to the keycloak server. After the user has authenticated, keycloak redirects back to my local humhub server.
There humhub complains:
"Unable to verify JWS: Unsecured connection" .
to validate the JWS, humhub uses yii2-authclient/src/OpenIdConnect.php which requires "spomky-labs/jose:~5.0.6" (which is abandoned, but yii2 does still use it).
in humhub/protected/vendor/yiisoft/yii2-authclient/src/OpenIdConnect.php setting
$validateJws = false
does nothing.
humhub/protected/config/common.php:
return [
'params' => [
'enablePjax' => false
],
'components' => [
'urlManager' => [
'showScriptName' => false,
'enablePrettyUrl' => false,
],
'authClientCollection' => [
'class' => 'yii\authclient\Collection',
'clients' => [
'keycloak' => [
'class' => 'yii\authclient\OpenIdConnect',
'issuerUrl' => 'https://xxxx/auth/realms/humhub',
'clientId' => 'humhub',
'clientSecret' => 'xxxxxxx',
'name' => 'keycloak',
'title' => 'Keycloak OpenID Connect',
'tokenUrl' => 'https://xxxx/auth/realms/humhub/protocol/openid-connect/token',
'authUrl' => 'https://xxxx/auth/realms/humhub/protocol/openid-connect/auth',
'validateAuthState' => 'false',
'validateJws' => 'false',
],
],
]
]
];
Can anyone help?
Further information required?
UPDATE
After updating "spomky-labs/jose" to "spomky-labs/jose:~6.1.0", the response from humhub changed to:
"Unable to verify JWS: The provided sector identifier URI is not valid: scheme must be one of the following: ["https"]."
UPDATE
I have enabled https also on my local apache2 server which runs humhub.
I also downgraded spomky-labs/jose back to version 5.0.6, because of compatibility problems with the current humhub version 1.3.14.
After that, the JWS error seems to be fixed but a new error accured:
Coult it be caused by the content type in the JWS which is not "application/json" but instead just "" (empty)?
if so, how can this be fixed?
Finaly i found the solution: It is not working well, because humhub does not hold the specifications in its OIDC adapter. After directing back from Keycloak, the following error accures:
The OpenId Connect 1.0 Specification describes, that an ID-Token has to be signed using a JWS (Json Web Signature). Keycloak does that, but does not set the "cty" field. As for https://www.rfc-editor.org/rfc/rfc7515#section-4.1.10 (RFC7515), this field is optional which means, that Humhub (v. 1.3.13) has a wrong implemented Open ID Connect 1.0 adapter because it sets this field to be mandatory.
Related
Problem description:
I am unable to send SMS from AWS Lambda.
Controller Code
try {
$sms = AwsFacade::createClient('sns');
$result = $sms->publish([
'MessageAttributes' => [
'AWS.SNS.SMS.SenderID' => [
'DataType' => 'String',
'StringValue' => 'CyQuer',
],
'AWS.SNS.SMS.SMSType' => [
'DataType' => 'String',
'StringValue' => 'Transactional',
],
],
'Message' => "Hello John Doe".PHP_EOL."Use following Code to Login:".PHP_EOL."123456",
'PhoneNumber' => $phone,
]);
Log::info($result);
} catch (Exception $e) {
Log::error($e->getMessage());
}
Error message:
via web
{"message": "Internal server error"}Task timed out after 28.00 seconds
via Artisan
Task timed out after 120.00 seconds
Setup
Laravel application running on AWS Lambda using bref/laravel-bridge
IAM user for this application has been created. Locally everything works. Online everything works too except sending SMS.
Tried solutions:
The following packages were tried.
https://github.com/aws/aws-sdk-php
https://github.com/aws/aws-sdk-php-laravel
All the following described approaches worked locally on AWS Lambda but not.
Write AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY directly into config/aws.php
Write AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY directly in the code
$sms = AwsFacade::createClient('sns',[
'credentials' => [
'key' => '********************',
'secret' => '****************************************',
],
'region' => env('AWS_REGION', 'eu-central-1'),
'version' => 'latest',
'ua_append' => [
'L5MOD/' . AwsServiceProvider::VERSION,
],
]);
Giving all IAM users full admin access didn't work either.
Locally, all alternative solutions have also always worked!
Does anyone know the problem and have a solution for it? I've been trying to find a way for more than 24 hours. My last approach would be to rebuild the complete call via CURL and try it out, but I hope someone has/finds a solution.
For anyone facing similar issue, this could be/ most likely is due to lambda being configured in a VPC (most likely to give it access to RDS) and therefore losing internet connection, and by extension of that, access to other AWS services. One of the ways to work around this is to enable internet access to your VPC-bound lambda via setting up a NAT gateway (guide here). Alternatively, you can also use VPC Endpoints if the desired AWS service is supported. More info here.
In my experience, I had issues being unable to use specific credentials for certain clients in the AWS PHP SDK. I've seen that the best solution is to include the IAM permissions needed in the policy statements for the lambda function itself.
In this case for example, you may need to include the relevant statement for SNS like below:
{
"Action": [
"ses:*"
],
"Resource": "*",
"Effect": "Allow"
}
If you're using serverless to deploy, you may define it under provider.iamRoleStatements in the serverless.yml file like below:
provider:
name: aws
iamRoleStatements:
- Effect: Allow
Action:
- sns:*
Resource: '*'
IMPORTANT: Do provide only the minimum permissions that your lambda needs. The above statements are just examples.
After the relevant permissions are applied in this way, you may drop the specific credentials from the constructor of your AWS client.
I have a cron on ubuntu server, it fetched data from another server (using yii) and make changes in DB. That cron is much time taking.
But today suddenly I faced an issue while running cron
'PDOException' with message 'SQLSTATE[08S01]: Communication link failure: 1053 Server shutdown in progress'
But I was unaware about this failure. later while debugging got to know this from error logs.
Is there any possibility where I can
either shoot and email when such communication link failure is there (through Yii or any other option)
or any other good suggestion for such scenario?
Anyhow at least I want to know my cron has not ended successfully.
Can we drop an email in Yii for such "'PDOException' with message 'SQLSTATE[08S01]: Communication link failure: 1053 Server shutdown in progress'" errors?
How to email error logs to developer on Yii2 apps? Setup a new target for the log component besides the yii\log\FileTarget that is configured by default:
'components' => [
// ...
'log' => [
'targets' => [
// other targets...
[
'class' => 'yii\log\EmailTarget',
'mailer' => 'mailer',
'levels' => ['error', 'warning'],
'message' => [
'from' => ['log#example.com'],
'to' => ['developer1#example.com', 'developer2#example.com'],
'subject' => 'Log message',
],
],
],
],
// ...
],
The EmailTarget component is another way to log messages, in this case emailing them via the mailer component of the app as specified on the mailer attribute of EmailTarget configuration. Note that you can also specify messages properties and which levels of messages should be the sent trough this target.
There are other components that represents log targets:
Telegram: https://github.com/sergeymakinen/yii2-telegram-log
Slack: https://github.com/sergeymakinen/yii2-slack-log
I'am working on a old project in laravel 5.5. It going file till date. But now I am configuring Laravel Socialite, added all the provider credentials to services.php. But when redirecting to provider, system throws an error, formatRedirectUrl() must be of the type array, null given.
So I checked if the providers are set correctly. To check that I used config('services.facebook.client_id'), but it returns nothing.
Note:
I have tried clearing cache: php artisan config:clear
Caching again: php artisan config:cache
Tried config('app.name') which is returning app name as expected.
Any idea what's the reason of this unexpected behaviour?
services.php:
<?php
return [
/*
|--------------------------------------------------------------------------
| Third Party Services
|--------------------------------------------------------------------------
|
| This file is for storing the credentials for third party services such
| as Stripe, Mailgun, SparkPost and others. This file provides a sane
| default location for this type of information, allowing packages
| to have a conventional place to find your various credentials.
|
*/
'facebook' => [
'client_id' => env('FACEBOOK_CLIENT_ID'),
'client_secret' => env('FACEBOOK_CLIENT_SECRET'),
'redirect' => env('CALLBACK_URL_FACEBOOK'),
],
'google' => [
'client_id' => env('GOOGLE_CLIENT_ID'),
'client_secret' => env('GOOGLE_CLIENT_SECRET'),
'redirect' => env('CALLBACK_URL_GOOGLE'),
],
'twitter' => [
'client_id' => env('TWITTER_CLIENT_ID'),
'client_secret' => env('TWITTER_CLIENT_SECRET'),
'redirect' => env('CALLBACK_URL_TWITTER'),
],
];
I have a working implementation of the AWS PHP SDK. Operations like $client->getUser() are working, but $client->adminCreateUser() and others are not working.
When I call $client->adminCreateUser([...]), it results in:
Error executing "AdminCreateUser" on "https://cognito-idp.ap-southeast-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.ap-southeast-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
MissingAuthenticationTokenException (client): Missing Authentication Token - {"__type":"MissingAuthenticationTokenException","message":"Missing Authentication Token"}
Line 191 in /var/www/project/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php
Similar services evoked from CLI (e.g cognito-idp admin-create-user) with the exact same credentials are working.
What is causing this?
Example Details
My environment:
Ubuntu 18.04
Apache 2.4.29
PHP 7.3
aws/aws-sdk-php 3.92.3
.aws/credentials
[default]
aws_access_key_id=XXXX
aws_secret_access_key=XXXX
I am using my developer credentials
Example code:
$client = new CognitoIdentityProviderClient([
'version' => 'latest',
'region' => 'ap-southeast-2',
'credentials' => false, // Set to false to allow roles provisioned to our EC2 instances
]);
$result = $client->adminCreateUser([
'DesiredDeliveryMediums' => ['Email'],
'MessageAction' => 'RESEND',
'TemporaryPassword' => 'TemporaryPassword1234',
'UserAttributes' => [
['Name' => 'email', 'Value' => 'mailbox#domain.tld'],
],
'UserPoolId' => 'ap-southeast-2_XXXX',
'Username' => 'mailbox#domain.tld',
]);
You need to remove 'credentials' => false from your CognitoIdentityProviderClient configuration.
The adminCreateUser() operation requires a signed request (unlike operations like signUp(), which is why signUp() would work with an unsigned request but adminCreateUser() and other operations that require developer credentials won't)
From the AWS Docs
https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#admincreateuser says
AdminCreateUser requires developer credentials.
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_configuration.html#credentials says
Pass false to use null credentials and not sign requests.
A request needs to be signed to provide developer credentials.
I am trying to add google authentication in my laravel application using hybrid auth.
Google auth configuration:
<?php
return array(
"base_url" => "https://mywebsite.com/gauth/auth",
"providers" => array(
"Google" => array(
"enabled" => true,
"keys" => array(
"id" => "myid.apps.googleusercontent.com",
"secret" => "mysecret"
),
"scope" => "https://www.googleapis.com/auth/userinfo.email "
)
)
);
The authentication worked fine in the http website. But when I added SSL/https to the site it is not working and I am getting the following error:
Exception in Auth.php line 169:
User profile request failed! Google returned an error: exception 'Exception' with message 'The Authorization Service has return: invalid_request' in /project/httpdocs/vendor/hybridauth/hybridauth/hybridauth/Hybrid/thirdparty/OAuth/OAuth2Client.php:84
What is the issue causing this error?
I think the error was due to the PHP version. The PHP version was higher than recommended by the Hybrid Auth.
Used the Google PHP library and worked fine.
https://developers.google.com/api-client-library/php/auth/web-app