Unable to Access Indigo IAM OIDC Configuration from iRODS

[bl000m]

Hello,

me and @sigau are currently facing challenges in creating an OIDC connection between the Indigo IAM instance and iRODS. Could you please provide clarification on how this can be achieved?

Our goal is to allow users to authenticate on Indigo and subsequently access their iRODS without the need for reauthentication, whether through the CLI or a portal that has already been registered as a client in Indigo IAM.

To facilitate this, we have created a new client named "iRODS" and configured the iRODS API config file as follows:

 "oidc": {
                "config_host": "fits-indigo-iam-test.in2p3.fr",
                "port": 8080,
                "well_known_uri": "/.well-known/openid-configuration",
                "client_id": < the client_id automatically created when registering irods on indigo iam >,
                "redirect_uri": "http://***/irods-http-api/0.1.0/authenticate",
                "state_timeout_in_seconds": 600
            }

Here are some additional details:

fits-indigo-iam-test.in2p3.fr is the machine where our test Indigo IAM instance is running and is accessible.
The test iRODS is running on a machine that can successfully ping fits-indigo-iam-test.in2p3.fr. Could you provide insights into what this issue might be related to?
Furthermore, we are uncertain about the correct redirect URI to set. Can you provide guidance on the recommended path forward?

For reference, here is the link to the iRODS API: https://github.com/irods/irods_client_http_api/tree/main

Thank you in advance for your help

[federicaagostini]

Hi, we are not familiar with iRODS so I'm not sure how much we can help.
I did not manage to find the correct redirect URI from this section of the documentation, but looks like "http://localhost:/irods-http-api//authenticate" is the one you use to login to iRODS triggering an authorization code flow with IAM. Then, you should make an HEAD request to the endpoint shown in the iRODS response under the Location directive ("http://oidc.example.org/realms/example/protocol/openid-connect/auth?..." in the doc) and this should cause an opening of the browser window where to authenticate.

So, where are you stuck at? Which errors you see on the iRODS logs? And on the IAM logs?

About the redirect URI, I guess the question is for iRODS devs. In IAM, just be sure that the authorization_code grant is enabled for your client.

[bl000m]

Hi @federicaagostini thank for your reply. Actually the iRODS team has made significant update to the config file yesterday, right after we wrote to you : irods/irods_client_http_api@84b465e
but still it doesn't work because we need to map the iRODS user with OIDC provider (Indigo IAM) user:

 ...
 // The name of the OIDC claim which provides the mapping of an
 // OIDC user to an iRODS user account
 "irods_user_claim": "irods_username"
  ...

may you please show us the way to do that?

[federicaagostini]

Not sure I've understood correctly, but an access token can contain claims which identify the user, such as

  "sub": "<your-uuid-in-iam>",
  "preferred_username": "<your-username-in-iam>"

or groups the user belong to, e.g.

"groups": [
    "users",
    "admins/infn-rm2",
    "users/beta-testers",
    "beta-testers",
    "admins/cicd",
    "admins/beta-testers",
    "infn-cloud-catchall",
    "users/naas",
    "cygno"]

or the organization name in IAM

  "organisation_name": "<your-iam-organization-name>"

Does one of those work for you?

[bl000m]

I'm not sure because the iRODS team hasn't answer back yet but I was thinking that we should just need to add the irods_username claim to the Indigo IAM user profile in order for the mapping to happen. But I tell you I'm a bit confused about this. We were thinking about a user flow allowing the user to log into Indigo IAM and then be able to access to iRODS without authenticating again, would that be possible in your opinion ?

Also, different question, do you think that we can handle different VO (Research Infrastructures) as groups in a single Indigo IAM instance ?

[federicaagostini]

About adding the irods_username in the token, it is not possible to have custom claims in IAM. I don't know if the value of irods_username should just match with the nickname in IAM (such to appear in the token as a value of the preferred_username claim).
Anyway, for sure a "user flow" (allowing the user to log into Indigo IAM and then be able to access to iRODS without authenticating again) is the one that the user will be prompted at -- as far as I understand from iRODS documentation it supports the OAuth authorization code flow.

About handling different VOs in a single IAM instance, this was the case with the ESCAPE project. In the ESCAPE IAM it is defined a common parent group, and many subgroups, one per VO. The common parent group is not necessary if you do not use VOMS proxies, so defining one single group per VO should be enough. Then any group can be handled both by IAM admin and group managers. Ideally, each group has at least one group manager, that is the representative of the VO. I guess this is a good solution.

[bl000m]

Regarding the irods_username claim, this is the response I received from the iRODS team:

Currently, the server looks for an irods_username claim in the OpenID token received. To map an OpenID user to an iRODS user, you need to add an irods_username claim and set the value of the claim to the desired iRODS user."

Given that it's not possible to have a custom claim in Indigo IAM, should we conclude that establishing an OIDC connection with iRODS is not possible, or have I misunderstood?

As for handling different Virtual Organizations (VOs) as groups, thank you for confirming that. I'm wondering if it's possible to customize the registration form (https://fits-indigo-iam-test.in2p3.fr/start-registration) by adding a VO field. This would allow a member of a VO to specify for which VO they are seeking affiliation. This customization seems necessary if we want the group (VO) manager to be notified when a user requests affiliation, specifically to their group (VO) and not to any other group's manager. Wouldn't this be possible?

[federicaagostini]

Regarding the irods_username claim, this is the response I received from the iRODS team:

Currently, the server looks for an irods_username claim in the OpenID token received. To map an OpenID user to an iRODS user, you need to add an irods_username claim and set the value of the claim to the desired iRODS user."

Given that it's not possible to have a custom claim in Indigo IAM, should we conclude that establishing an OIDC connection with iRODS is not possible, or have I misunderstood?

With the current version of IAM it is not possible at all, it's correct, and some development would be needed to support iRODS connection.
We have recently developed a specific profile (kc) which replaces the group claim with roles, as Keycloack expects: #637. If some of you is interested in implementing an "iRODS" profile which adds the irods_username claim in a similar way as the PR you're very welcome!

As for handling different Virtual Organizations (VOs) as groups, thank you for confirming that. I'm wondering if it's possible to customize the registration form (https://fits-indigo-iam-test.in2p3.fr/start-registration) by adding a VO field. This would allow a member of a VO to specify for which VO they are seeking affiliation. This customization seems necessary if we want the group (VO) manager to be notified when a user requests affiliation, specifically to their group (VO) and not to any other group's manager. Wouldn't this be possible?

I think this is a different thread to be addressed in another issue/discussion, but I would also wait for @giacomini's opinion about that.

[bl000m]

Finally it looks like 0.2.0 will allow to map irods_username with IAM nickname, it's just about waiting: irods/irods_client_http_api#227

As for the VO ok thanks I'll wait for your feedback.

[bl000m]

Hello @federicaagostini
I'm trying to add preferred_username claim to the access token with no success.
I set IAM_ACCESS_TOKEN_INCLUDE_AUTHN_INFO=truein the .envand relaunched the docker instance.
Then I modified the request for the acces token to include the scope profile as mentioned here: https://indigo-iam.github.io/v/v1.8.2/docs/reference/configuration/jwt-profiles/

$response = HttpClient::create()->request('POST', 'https://' . $iam_domain . '/token', [
            'body' => [
                'grant_type' => 'authorization_code',
                'code' => $authorizationCode,
                'redirect_uri' => 'https://' . $_ENV['FITS_DOMAIN'] . '/iam/irods/callback',
                'client_id' => $client_id,
                'client_secret' => $client_secret,
                'scope' => 'openid profile',
            ],
            'headers' => ['Content-Type' => 'application/x-www-form-urlencoded'],
        ]);

but this is the access token that I get:

{
  "sub": "***",
  "nbf": ***,
  "scope": "openid",
  "iss": "https://fits-indigo-iam-test.in2p3.fr",
  "exp": 1707151931,
  "iat": 1707148331,
  "jti": "...",
  "client_id": "..."
}

what I do wrong?

Also I'm not sure how preferred_username is generated. Does it match userName ?
Thanks for your help

[bl000m]

Detail: I tested the access token request using the secret and client_id of the FITS client, the one initiating the request, and the access token does indeed contain the preferred_username claim. However, when I request the access token to be sent as a bearer to the iRODS HTTP API, even if executing the request from the FITS client I need to use the client_id and secret of the iRODS api client - the one that ask for the authorization grant passed to the request as $authorizationCode. This time, it doesn't work. So, there seems to be a connection between these issues.

NB: the two clients, Fits and Irods Api, are registered in the instance Indigo with exactly the same configuration and scopes

[giacomini]

As for handling different Virtual Organizations (VOs) as groups, thank you for confirming that. I'm wondering if it's possible to customize the registration form (https://fits-indigo-iam-test.in2p3.fr/start-registration) by adding a VO field. This would allow a member of a VO to specify for which VO they are seeking affiliation. This customization seems necessary if we want the group (VO) manager to be notified when a user requests affiliation, specifically to their group (VO) and not to any other group's manager. Wouldn't this be possible?

I think this is a different thread to be addressed in another issue/discussion, but I would also wait for @giacomini's opinion about that.

Just thinking aloud: if there are multiple top-level group, we could assume we are in a "multi-VO" deployment and present a drop-down menu to select which top-level group is preferred. But we need to discuss this internally and assess what the impact is on the rest of the code.

[bl000m]

@federicaagostini, I have opened a new issue that is more clear regarding the 'preferred_username' problem. This will help keep the different questions I added to this issue separated :)

[federicaagostini]

Closing this issue since

• preferred_username problem has been migrated to issue Problem with 'preferred_username' Claim Missing in Access Token from Indigo IAM for iRODS HTTP API Authorization #708
• handling multi-VO thread has been migrated to discussion How to handle multi-VO in IAM? #711.