Getting "Failed to create external User '': Username can't be blank" error when attempting OIDC authentication against Okta

I am attempting to set up OIDC authentication against Okta by starting with the documented Keycloak configuration and making the needed changes. I am running Foreman 3.1.1.2 [Satellite 6.11.1.1].

Here is my configuration so far.

# /etc/httpd/conf.d/foreman-openidc_oidc_keycloak_ssl-realm.conf
OIDCClientID <redacted>
OIDCProviderMetadataURL https://<redacted>.okta.com/oauth2/default/.well-known/openid-configuration
OIDCCryptoPassphrase <redacted>
OIDCClientSecret <redacted>
OIDCRedirectURI https://<redacted>/users/extlogin/redirect_uri
OIDCRemoteUserClaim email

OIDCOAuthRemoteUserClaim email
OIDCScope "openid email profile"

<Location /users/extlogin>
    AuthType openid-connect
    Require valid-user
    LogLevel debug

    RequestHeader set REMOTE_USER %{OIDC_CLAIM_email}e
    RequestHeader set REMOTE_USER_EMAIL %{OIDC_CLAIM_email}e
    RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_given_name}e
    RequestHeader set REMOTE_USER_LASTNAME %{OIDC_CLAIM_family_name}e
</Location>

with the following configuration in Foreman

# hammer setting list --search oidc
---------------|----------------|---------------------------------------------------|---------------------------------------------------------------------------------
NAME           | FULL NAME      | VALUE                                             | DESCRIPTION
---------------|----------------|---------------------------------------------------|---------------------------------------------------------------------------------
oidc_jwks_url  | OIDC JWKs URL  | https://<redacted>.okta.com/oauth2/default/v1/keys | OpenID Connect JSON Web Key Set(JWKS) URL. Typically https://keycloak.example...
oidc_audience  | OIDC Audience  | ["api://default"]                                 | Name of the OpenID Connect Audience that is being used for Authentication. In...
oidc_issuer    | OIDC Issuer    | https://<redacted>.okta.com/oauth2/default         | The iss (issuer) claim identifies the principal that issued the JWT, which ex...
oidc_algorithm | OIDC Algorithm | RS256                                             | The algorithm used to encode the JWT in the OpenID provider.
---------------|----------------|---------------------------------------------------|---------------------------------------------------------------------------------
# hammer setting list --search delegation
-------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------------------------
NAME                                                   | FULL NAME                                              | VALUE                                              | DESCRIPTION
-------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------------------------
login_delegation_logout_url                            | Login delegation logout URL                            | https://<redacted>/users/extlogout                 | Redirect your users to this url on logout (authorize_login_delegation should ...
authorize_login_delegation_auth_source_user_autocreate | Authorize login delegation auth source user autocreate | External                                           | Name of the external auth source where unknown externally authentication user...
authorize_login_delegation                             | Authorize login delegation                             | true                                               | Authorize login delegation with REMOTE_USER HTTP header
authorize_login_delegation_api                         | Authorize login delegation API                         | true                                               | Authorize login delegation with REMOTE_USER HTTP header for API calls too
-------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------|---------------------------------------------------------------------------------
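The settings in this post come from three places that have to agree: Okta's discovery document, the claim-to-header mapping in the httpd config, and Foreman's oidc_* settings. The script below is an added example, not part of the original post and not Foreman's, Okta's or mod_auth_openidc's own code. It checks the three against each other offline: it compares the hammer values with a discovery document, decodes a token without verifying its signature, and reports the REMOTE_USER* headers httpd would set from its claims plus any issuer/audience/algorithm mismatch. The discovery document and the two tokens are constructed fixtures; example.okta.com stands in for the redacted org, and the expected claims follow from the "openid email profile" scopes in the config above.

```python
import base64
import json

# Constructed stand-in for the Okta discovery document at
# https://<org>.okta.com/oauth2/default/.well-known/openid-configuration.
# "example.okta.com" replaces the redacted org; nothing here is fetched.
SAMPLE_METADATA = {
    "issuer": "https://example.okta.com/oauth2/default",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "iss", "aud", "email", "given_name", "family_name"],
}

# The hammer values from the post, with the same placeholder org name.
FOREMAN_SETTINGS = {
    "oidc_issuer": "https://example.okta.com/oauth2/default",
    "oidc_jwks_url": "https://example.okta.com/oauth2/default/v1/keys",
    "oidc_audience": ["api://default"],
    "oidc_algorithm": "RS256",
}

# Claim-to-header mapping the posted httpd config asks mod_auth_openidc for.
REMOTE_USER_CLAIM = "email"
HEADER_CLAIMS = {
    "REMOTE_USER_EMAIL": "email",
    "REMOTE_USER_FIRSTNAME": "given_name",
    "REMOTE_USER_LASTNAME": "family_name",
}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_jwt(header, claims):
    """Build a JWT with an empty signature: a test fixture, never a real credential."""
    parts = [json.dumps(header, separators=(",", ":")), json.dumps(claims, separators=(",", ":"))]
    return ".".join(_b64url_encode(p.encode()) for p in parts) + "."


def decode_jwt_unverified(token):
    """Split a JWT into (header, claims) WITHOUT verifying the signature.
    Inspection only; the JWKS check that proves a token genuine is Foreman's job."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def check_settings_against_metadata(settings, metadata):
    """Compare Foreman's oidc_* settings with what the provider advertises."""
    problems = []
    if settings["oidc_issuer"] != metadata["issuer"]:
        problems.append("oidc_issuer does not match metadata issuer")
    if settings["oidc_jwks_url"] != metadata["jwks_uri"]:
        problems.append("oidc_jwks_url does not match metadata jwks_uri")
    if settings["oidc_algorithm"] not in metadata["id_token_signing_alg_values_supported"]:
        problems.append("oidc_algorithm is not an advertised id_token signing algorithm")
    return problems


def check_token_for_foreman(header, claims, settings):
    """Return the headers httpd would set from these claims and a list of
    reasons Foreman would reject the token or fail to auto-create the user."""
    problems = []
    headers = {"REMOTE_USER": claims.get(REMOTE_USER_CLAIM) or ""}
    for hdr, claim in HEADER_CLAIMS.items():
        headers[hdr] = claims.get(claim) or ""
    if not headers["REMOTE_USER"]:
        problems.append(f"claim {REMOTE_USER_CLAIM!r} missing or empty: REMOTE_USER would be blank")
    for hdr, claim in HEADER_CLAIMS.items():
        if not headers[hdr]:
            problems.append(f"{hdr} would be empty: claim {claim!r} not in token")
    if header.get("alg") != settings["oidc_algorithm"]:
        problems.append(f"token alg {header.get('alg')!r} != oidc_algorithm")
    if claims.get("iss") != settings["oidc_issuer"]:
        problems.append(f"token iss {claims.get('iss')!r} != oidc_issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    if not set(aud) & set(settings["oidc_audience"]):
        problems.append(f"token aud {aud} has none of oidc_audience {settings['oidc_audience']}")
    return headers, problems


def inspect(token, settings=FOREMAN_SETTINGS):
    return check_token_for_foreman(*decode_jwt_unverified(token), settings)


if __name__ == "__main__":
    print("settings vs metadata:", check_settings_against_metadata(FOREMAN_SETTINGS, SAMPLE_METADATA))
    # Constructed token carrying the claims the "openid email profile" scopes should deliver.
    good = make_unsigned_jwt({"alg": "RS256", "kid": "constructed"}, {
        "iss": FOREMAN_SETTINGS["oidc_issuer"], "aud": "api://default", "sub": "00u0constructed",
        "email": "jane@example.com", "given_name": "Jane", "family_name": "Doe",
    })
    # Same token with no email claim: the shape that yields a blank username.
    bad = make_unsigned_jwt({"alg": "RS256"}, {
        "iss": FOREMAN_SETTINGS["oidc_issuer"], "aud": ["api://default"], "sub": "00u0constructed",
    })
    for name, tok in (("good", good), ("bad", bad)):
        headers, problems = inspect(tok)
        print(name, json.dumps(headers), problems)
```

To use it on a real session, paste a captured token into inspect() in place of the fixtures; because the signature is never checked, treat the output as a view of what httpd would map, not as proof the token is valid. The point is to see, before touching Foreman, whether the claim named in OIDCRemoteUserClaim actually arrives non-empty, since a missing or empty email claim is exactly what leaves REMOTE_USER blank.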

Can you explain how you got to this config?

It sounds like this somehow isn’t set. I don’t know Okta at all so I’m afraid I’ll be of little help, but quite sure there’s your problem somehow.

I started with the documented instructions to set up Keycloak, but since I don’t have a Keycloak server the keycloak-httpd-client-install failed. However, this got me the initial /etc/httpd/conf.d/foreman-openidc_oidc_keycloak_ssl-realm.conf. I then massaged the configuration from there to get where I am now.

One of the main influences on my current configuration is how Anthony_chevalet got it working with auth0, here: Getting "SSO failed" after successfully logging into Keycloak - #31 by Anthony_Chevalet

I have tested it with each of the following three directives individually and in different combinations, without success.

OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email
RequestHeader set REMOTE_USER %{OIDC_CLAIM_email}e

This is from the auth_openidc debug logs:

[Tue Aug 23 13:36:13.681073 2022] [auth_openidc:debug] [pid 310166] src/mod_auth_openidc.c(1751): [client 10.1.250.187:53058] oidc_set_request_user: set remote_user to "jwinder@wcbradley.com" based on claim: "email"
...
[Tue Aug 23 13:36:13.735446 2022] [auth_openidc:debug] [pid 310166] src/mod_auth_openidc.c(1489): [client 10.1.250.187:53058] oidc_handle_existing_session: set remote_user to "jwinder@wcbradley.com"
...

I am not sure what else out of the httpd logs would be helpful. If desired, I could capture an entire authentication session and attempt to scrub the log of private details.

Perhaps mod_auth_openidc is already setting the REMOTE_USER variable and you don’t need to? Have you tried removing that RequestHeader line?

I have tried it with and without that directive, same result.

Also, I got Okta support to verify the URIs and such that I am using, and they are correct.

Is there a way I can see what variables are being passed when the process attempts to create the user? I’m not a developer, obviously, or I would hopefully know how to do that in a debugger.