Require to implement Microsoft Authentication on the DHIS2 instance

MohinderS · 13 December 2022 06:45

Hello There,

We require to implement Microsoft Authentication on the DHIS2 instance (window server).
Clients servers are behind the firewall so direct communication with the Microsoft server fails. Where can we define the proxy server settings to bypass communication through the proxy server?

One possible solution we came across to use JAVA_OPTS environment variables to configure forward proxy

-Dhttps.proxyHost=XX.XX.X.XXX -Dhttps.proxyPort=8080 -Dhttp.proxyHost= XX.XX.X.XXX -Dhttp.proxyPort=8080

We tried configuring the proxy at the following 3 places –

Environment Variables
catalina.bat
tomcat binary executables

we used settings like -Dhttps.proxyHost=XX.XX.X.XXX -Dhttps.proxyPort=8080 -Dhttp.proxyHost= XX.XX.X.XXX -Dhttp.proxyPort=8080.

But still could not get through.

Here are the error logs :—
+±--------------------------------------------------

IDIt3Y/7XGfaSGMY+ttoZwsl/R7EUAy0HA7rzNcculKh0= INFO 2022-12-12T12:03:59,074 OIDC login attempt failed for remote IP: 10.11.0.75 (AuthenticationListener.java [http-nio-80-exec-3])*

IDIt3Y/7XGfaSGMY+ttoZwsl/R7EUAy0HA7rzNcculKh0= INFO 2022-12-12T12:04:02,113 Authentication event: AuthenticationFailureBadCredentialsEvent; ip: 10.11.0.75; sessionId: 22ddd8ffb5c67da486318fadb68670b25fd1ec4500cb41c0eebccd71cba52a1d; exception: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for https://login.microsoftonline.com/f610c0b7-bd24-4b39-810b-3dc280afb590/oauth2/v2.0/token: 10.11.1.149 ; nested exception is java.net.UnknownHostException: 10.11.1.149 (AuthenticationLoggerListener.java [http-nio-80-exec-1])*

IDIt3Y/7XGfaSGMY+ttoZwsl/R7EUAy0HA7rzNcculKh0= INFO 2022-12-12T12:04:02,113 OIDC login attempt failed for remote IP: 10.11.0.75 (AuthenticationListener.java [http-nio-80-exec-1])*

IDIt3Y/7XGfaSGMY+ttoZwsl/R7EUAy0HA7rzNcculKh0= INFO 2022-12-12T12:04:45,779 Authentication event: AuthenticationFailureBadCredentialsEvent; ip: 10.11.0.75; sessionId: e2995da637ac97a42ecee5e3b5db6d6beb0f853f4c92e0be165b9736d0a054cd; exception: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for https://login.microsoftonline.com/f610c0b7-bd24-4b39-810b-3dc280afb590/oauth2/v2.0/token: 10.11.1.149 ; nested exception is java.net.UnknownHostException: 10.11.1.149 (AuthenticationLoggerListener.java [http-nio-80-exec-8])*

ID4pldpjesl6QuzuXjtdtta+sPhT9MkuC+FluXNtCgVM0= INFO 2022-12-12T12:04:45,780 OIDC login attempt failed for remote IP: 10.11.0.75 (AuthenticationListener.java [http-nio-80-exec-8])*

ID4pldpjesl6QuzuXjtdtta+sPhT9MkuC+FluXNtCgVM0=
+±--------------------------------------------------
Can someone help us with that?

Thanks in advance.

ayman.tuffaha · 13 December 2022 07:29

Hello @MohinderS ,

Thanks for sharing the error logs.

As per my understanding, the problem you are experiencing is a failure in communication between your client authentication which is Microsoft, and DHiS2 endpoint…

Until this moment I could only suggest you go over the steps mentioned at the below URL link (Section → 1.2.2. OAuth2):

Please let me know how it will go.

Best regards,

MohinderS · 13 December 2022 08:10

Thanks @ayman.tuffaha for your response.
We did the same on the server but issue is still persist.
Is there any another way to resolve this ?

Thanks

ayman.tuffaha · 13 December 2022 09:31

The problem is I can not reproduce the same issue at my end.

I believe someone from the DHiS2 server admin team can advise on this. @Gassim please advise.

Best regards,

ayman.tuffaha · 13 December 2022 10:19

@MohinderS,

Could you please take a screenshot of OAuth2 Client from DHIS2 end as shown below?:

Best regards,

MohinderS · 13 December 2022 10:27

@ayman.tuffaha , here is the attached screen

shot.

MohinderS · 14 December 2022 08:09

Hello @ayman.tuffaha @Gassim , One thing more.

We also did the below entry into the dhis.conf file. But not luck.

----------------------------------------------------------------------

Azure OIDC Configuration

----------------------------------------------------------------------

Generic config parameters

Enable OIDC

oidc.oauth2.login.enabled = on

DHIS 2 instance URL, do not end with a slash, not all IdPs support logout (Where to end up after calling end_session_endpoint on the IdP)

oidc.logout.redirect_url = (protocol)://(host)/(optional app context)

Azure AD specific parameters:

First provider (0)

oidc.provider.azure.0.tenant = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
oidc.provider.azure.0.client_id = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#oidc.provider.azure.0.client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
oidc.provider.azure.0.client_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

DHIS 2 instance URL, do not end with a slash, e.g.: Demo - DHIS2

oidc.provider.azure.0.redirect_url = https://abc.xyz.org/abc/oauth2/code/xxxxxxxxxxxxxxxxxxxxxxxxx

Optional, defaults to ‘email’

oidc.provider.azure.0.mapping_claim = email

Optional, defaults to ‘true’

oidc.provider.azure.0.support_logout = false

Second provider (1)

oidc.provider.azure.1.tenant = my_other_azure_ad_tenant_id

MohinderS · 18 December 2022 04:53

Hello There,

Can we find another answer to this?

Thanks

lillian1n2 · 12 January 2023 14:40

Hello @MohinderS!

I implemented OIDC Authentication for my instances and our provider was Google.

I want to be sure you are looking to implement OIDC Authentication using Azure as your provider…?
Also what version of DHIS2 are you running on your instance?

MohinderS · 13 January 2023 09:37

Hello @lillian1n2 ,

We did the same on the production and Testing environment. In our testing environment its working fine, but we are getting the issue only on the Production.

Fyi, Production environment is set on Window server and Testing is on Linux.

We are using Dhsi2 version 2.36.1.
Errors i have provided in my earlier update.
Thanks