抛出致命异常 - 使用OAuth2客户端实现带有Azure Active Directory的SSO [英] Fatal exception thrown - Using OAuth2 Client to implement SSO w/ Azure Active Directory
问题描述
任何帮助都是最赞赏 - 我真的会尝试解释问题及其背景。希望其他人可以从我的麻烦中学习!!! :)
我的目标:创建一个托管在云上的公司wiki,员工可以使用他们在Azure Active Directory中注册的登录来访问wiki资源。 / p>
基本设置: - 云托管的Azure VM w / this image:
>https://bitnami.com/stack/mediawiki/virtual-machine
>基本上包含一个apache2 Web服务器,以及一个mediawiki的图像
- 除基本映像外,还按照以下说明安装了扩展名OAuth2 Client:
> https://www.mediawiki.org/wiki/Extension:OAuth2_Client
> OAuth2客户端是基于这个开源项目构建的:
> https://github.com/thephpleague/oauth2-client
- 带有注册Web应用程序/ API的Azure Active Directory(AD)
遇到的问题: ;提供Azure Active Directory的用户凭据(电子邮件和密码)后,将抛出"类型的致命异常"GuzzleHttp\Exception\ConnectException"`。
尝试深入的问题分析: ;所以在尝试登录后,回复网址是这样的:
(注意:我随机c挂了一些值)
的http:// mywikidomain /特殊:OAuth2Client /回调代码= AQABAAIAAACEfexXxjamQb3OeGQ4Gugv1Q04EA_ey_K-rj0okPNekuIB-BakV6Gq_pFBR8lfoaNJSWfK3uie9f88BM4C8vgULYulQtX9wh6LY2U0hACqr8cOz41OqbB9SQm0yqSv1Rhw7Pgri1DDwwS_DY1M1b49WR4qV2siDc_5_YmqG5MB-5xfASoTPjYHhWkN5nJ5FfIcK8KhkKGcOUeDNiTBeWZBcKIEBFVsk_pZjwQ-PFpbDRsbOrJvJGX8nuh2lJJpc00z1wrwFqMu-jVlhC7NTE1D3PZxPQEycvzi4_D7TcewyskXDTMiswr1AdYdCDTf68l8jMKpResRlu6qqWjeOIqsJNryGbPBXkA682AEyy8IiTw9KG1vB45uvh8SMLaPZEuHGsw-knUlt-gNAzMv6upc4-f3BtUe49ezFudsaMoLecKA33qvVFj2f9p9HbzbgK3KNDIJ8hcgipMpIR5__fjFe0XvABbRcVbaE4-HkIqWagfsw_GnNxIl7oxhF9H7-AVBRNAeg19gyPfwzTZmpXLH4LGQ_iZcroxdqcmfvZK3hawx1X2w5RbEo078TXYweBJ4mGMGt6RkMp5iSTv8SpGHXIuYKYfKNX__eG0X9kZN-a6QpN8ctmsvqZ_GA46d0LEF43lcw3RmKIeOc3_CL9QWiTs_hhCscxf4O2aQGugpNyAA&安培;? state = 79c92d94bd9651231fw9dc06269eb1& session_state = 96054b69-edab-4f5e-a583-75e83a440379
因此,它发送回授权令牌,但由于某种原因,mediawiki无法继续下一步并请求访问令牌,并使用新获取的授权令牌刷新令牌。
我试图检查Apache2服务器中的日志,但没有添加任何内容。
有没有办法改变它并获得更多错误信息?
配置/更改:
1.根据OAuth2客户端说明,我修改了LocalSettings.php。在这里,我将简要描述Azure AD中放置的哪些信息(<>包含伪变量):
LocalSettings.php _______________________________________
wfLoadExtension('MW-OAuth2Client')
$ wgOAuth2Client ['client'] ['id'] =<应用程序ID> ;;
$ wgOAuth2Client ['client'] ['id'] =<在AD应用注册中创建的密钥 - 基本上是哈希值>
$ wgOAuth2Client ['configuration'] ['authorize_endpoint'] =< Azure AD OAUTH 2.0 AUTHORIZATION ENDPOINT>
$ wgOAuth2Client ['configuration'] ['access_token_endpoint'] =< Azure AD OAUTH 2.0 TOKEN ENDPOINT>
$ wgOAuth2Client ['configuration'] ['api_endpoint'] =< Azure App registered - App ID URI>
//根据OAuth2客户端说明...
$ wgOAuth2Client ['configuration'] ['redirect_uri'] =< http:// mywikidomain / Special:OAuth2Client / callback >
// OAuth2客户端安装说明中未提及的范围
//如果没有设置则抛出索引错误。
//https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
//根据上面的链接,在请求授权代码时,范围被忽略,因此无论它是什么都不重要。
//从上面的microsoft docs链接中了解'user_impersonation' - 使用授权代码... - >成功响应 - >资源
$ wgOAuth2Client ['configuration'] ['scopes']
='user_impersonation';
< code style ="font-family:monospace,monospace;背景色:#f8f9fa;边界:1px solid rgb(234,236,240);填充:1px 4px; font-size:14px">
//默认来自OAuth2客户端 不确定是否需要更改
$ wgOAuth2Client ['configuration'] ['username'] ='username';
$ wgOAuth2Client ['configuration'] ['email'] ='email';
LocalSettings.php _______________________________________
2.由于以上不起作用,我试图查看由phpleague制作的oauth2-client的源代码,以了解是什么继续。
> https://github.com/thephpleague/oauth2-client
我注意到OAuth2安装的版本是版本1.4,因为我的代码不同,而oauth2-client高达2.4.1,所以我结帐到master并拉出了新版本没有成功。
3.我注意到oauth2-client有为特定提供商开发的软件包,包括Azure AD。
< p style ="line-height:inherit;颜色:#222222; FONT-FAMILY:无衬线;字体大小:14px的; background-color:#f8fcff">
> https://github.com/thenetworg/oauth2-azure
因此,我按照指示安装但没有改变。我想我必须修改一些东西,但我不知道是什么。
如果您需要更多信息,请告诉我们!
`类型的致命异常"GuzzleHttp\Exception\ConnectException"`这似乎是一个连接错误。看起来你无法连接Guzzle。
做什么你已经设置了你的基础uri?你有更详细的错误日志吗?
请确保您的应用注册中的回复URL与您在代码中设置为RedirectURI的确切匹配并且您没有任何不匹配的引用。还要确保您的主要主页URL,AppID /客户端ID和租户/目录
ID匹配。
Any help would be most appreciated - I'll really try to explain the problem and its context. Hopefully others can learn from my troubles!!! :)
My objective: Create a company wiki hosted on the cloud where employees can use their logins registered in the Azure Active Directory to access wiki resources.
The Basic Set-up: - Cloud-hosted Azure VM w/ this image:
>https://bitnami.com/stack/mediawiki/virtual-machine> Basically contains an apache2 web server, and an image of mediawiki
- In addition to the base image, the extension OAuth2 Client has been installed following these instructions:
> https://www.mediawiki.org/wiki/Extension:OAuth2_Client
> OAuth2 Client is built off this open-source project:
> https://github.com/thephpleague/oauth2-client
- Azure Active Directory (AD) with a registered Web app / API
The Encountered Problem: After providing the Azure Active Directory's user credentials (email and password), a `Fatal exception of type "GuzzleHttp\Exception\ConnectException"` is thrown.
Attempted in-depth problem analysis: So after attempting a login, the reply url is as such:
(note: I've randomly changed some values)
http://mywikidomain/Special:OAuth2Client/callback?code=AQABAAIAAACEfexXxjamQb3OeGQ4Gugv1Q04EA_ey_K-rj0okPNekuIB-BakV6Gq_pFBR8lfoaNJSWfK3uie9f88BM4C8vgULYulQtX9wh6LY2U0hACqr8cOz41OqbB9SQm0yqSv1Rhw7Pgri1DDwwS_DY1M1b49WR4qV2siDc_5_YmqG5MB-5xfASoTPjYHhWkN5nJ5FfIcK8KhkKGcOUeDNiTBeWZBcKIEBFVsk_pZjwQ-PFpbDRsbOrJvJGX8nuh2lJJpc00z1wrwFqMu-jVlhC7NTE1D3PZxPQEycvzi4_D7TcewyskXDTMiswr1AdYdCDTf68l8jMKpResRlu6qqWjeOIqsJNryGbPBXkA682AEyy8IiTw9KG1vB45uvh8SMLaPZEuHGsw-knUlt-gNAzMv6upc4-f3BtUe49ezFudsaMoLecKA33qvVFj2f9p9HbzbgK3KNDIJ8hcgipMpIR5__fjFe0XvABbRcVbaE4-HkIqWagfsw_GnNxIl7oxhF9H7-AVBRNAeg19gyPfwzTZmpXLH4LGQ_iZcroxdqcmfvZK3hawx1X2w5RbEo078TXYweBJ4mGMGt6RkMp5iSTv8SpGHXIuYKYfKNX__eG0X9kZN-a6QpN8ctmsvqZ_GA46d0LEF43lcw3RmKIeOc3_CL9QWiTs_hhCscxf4O2aQGugpNyAA&state=79c92d94bd9651231fw9dc06269eb1&session_state=96054b69-edab-4f5e-a583-75e83a440379
So, it is sending back an authorization token, but for some reason, mediawiki failing to proceed to the next step and request an access token, and refresh token with the newly acquired authorization token.
I've tried to check the logs in the Apache2 server, but nothing is added.
Is there a way to change that and get more error info??
Configurations/Changes made:
1. As per the OAuth2 Client instructions, I modified LocalSettings.php. Here, I'll briefly describe what information from the Azure AD I put where (<> contains a pseudo variable):
LocalSettings.php _______________________________________
wfLoadExtension( 'MW-OAuth2Client ')
$wgOAuth2Client['client']['id'] = <Application ID>;
$wgOAuth2Client['client']['id'] = <Key created in AD app registration - basically a hash value>
$wgOAuth2Client['configuration']['authorize_endpoint'] = <Azure AD OAUTH 2.0 AUTHORIZATION ENDPOINT>
$wgOAuth2Client['configuration']['access_token_endpoint'] = <Azure AD OAUTH 2.0 TOKEN ENDPOINT>
$wgOAuth2Client['configuration']['api_endpoint'] = <Azure App registered - App ID URI>
// As per the OAuth2 Client instructions...
$wgOAuth2Client['configuration']['redirect_uri'] = <http://mywikidomain/Special:OAuth2Client/callback>
//scopes not mentioned in OAuth2 Client install instructions
//Was throwing an index error if not set.
//https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
//According to the above link, when requesting an authorization code, scope is ignored and hence shouldn't matter what it is.
//Got the idea of 'user_impersonation' from the above microsoft docs link - use authorization code... -> successful response -> resource
$wgOAuth2Client['configuration']['scopes']
= 'user_impersonation';
// Defaults from OAuth2 Client NOT sure if needed to be changed
$wgOAuth2Client['configuration']['username'] = 'username';
$wgOAuth2Client['configuration']['email'] = 'email';
LocalSettings.php _______________________________________
2. As the above wasn't working, I tried to look through the source code of oauth2-client made by the phpleague to understand what was going on.
> https://github.com/thephpleague/oauth2-client
I noticed that the version that OAuth2 installs is version 1.4 as my code was different, and oauth2-client is up to 2.4.1, so I checkout into master and pulled the new version. No success.
3. I noticed that the oauth2-client has packages developed for specific providers, including the Azure AD.
> https://github.com/thenetworg/oauth2-azure
Hence, I installed as instructed but no change. I think I have to modify some things, but I have no idea what.
Please let me know if there is any more information you need!!!
`Fatal exception of type "GuzzleHttp\Exception\ConnectException"`This seems to be a connection error. It looks like you are not able to connect with the Guzzle.
What do you have set as your base uri? Do you have any more detailed error logs?
Please ensure that your Reply URL in your app registration matches exactly what you have set as the RedirectURI in your code and that you do not have any mismatched references. Also ensure that your main homepage URL, AppID/Client ID, and tenant/directory IDs are matching.
这篇关于抛出致命异常 - 使用OAuth2客户端实现带有Azure Active Directory的SSO的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
