Authentication for a cgi-bin

viola.mauro

Hello.
my goal is to start a .sh or .py file on the server after successful authentication.
I state that I tried for several hours without success.
I have also tried to find information about it, but I'm new to this technology and maybe I'm wrong to look for it (e.g. I'm looking for the wrong words).

said this: fusionauth is installed and running (version 1.17.5). I created the users (no role assigned) and the application (no particular options, except "Authorized redirect URLs" which you will then see). now, after the login proccess, the application is executed.
the problem is that: in the application I have not implemented (I have not succeeded) the check to understand if the user has authenticated.

I also followed this guide:
https://fusionauth.io/learn/expert-advice/oauth/definitive-guide-to-oauth-2

but in 5.1.3 it does not work (flow control, token).
when I run the POST, I get an error.

curl -v -X POST \
    -H 'Content-Type: application/json' \
    -d '{"code":"SLM0-9Slnm7bDgHOz-P6xNBkpyrRwnFupZyObSA_rUA","grant_type":"authorization_code","redirect_uri":"http%3A%2F%2F192.168.144.133%2Fcgi-bin%2Faddrule.sh","client_id":"5ee574b6-6929-437b-8f39-ec82ffc4e15b","client_secret":"r5wCNW0NNgmuzx2LNjfT1l7RlviZ3X8QOBk55iR7mWM"}' "http://localhost:9011/oauth2/token"

* Trying :: 1 ...
* TCP_NODELAY set
* Connected to localhost (:: 1) port 9011 (# 0)
> POST / oauth2 / HTTP / 1.1 token
> Host: localhost: 9011
> User-Agent: curl / 7.61.1
> Accept: * / *
> Content-Type: application / json
> Content-Length: 212
>
* upload completely sent off: 212 out of 212 bytes
<HTTP / 1.1 400
<Content-Type: application / json; charset = UTF-8
<Content-Length: 141
<Date: Fri, 17 Jul 2020 15:23:01 GMT
<Connection: close
<
* Closing connection 0
{"error": "invalid_request", "error_description": "The request is missing a required parameter: grant_type", "error_reason": "missing_grant_type"}

what am I doing wrong?
I have searched for grant_type around, but have not found anything interesting.

viola.mauro

Hello.
No one?

dan

@viola-mauro said in Authentication for a cgi-bin:

my goal is to start a .sh or .py file on the server after successful authentication.

Hello.

I"m not quite sure what you're trying to do. Are you trying to use the authorization code grant? In this case, I'd suggest working through the 5 minute startup guide. The code there is in JavaScript but can probably be translated over to python pretty easily: https://fusionauth.io/docs/v1/tech/5-minute-setup-guide

Or do you want to have an action be fired off whenever someone logs in? In this case you probably want to look at webhooks: https://fusionauth.io/docs/v1/tech/events-webhooks/

viola.mauro

Hello.

@dan said in Authentication for a cgi-bin:

I"m not quite sure what you're trying to do.

maybe I don't know either.

without going into too much detail, the aim is to allow authenticated users to browse the Internet: the server where FusionAuth is installed will act as a firewall / gateway. Basically when a user is authenticated the executed script will create the appropriate rules via iptables.
so every time a user authenticates, something happens.
this something must know from which IP the request is made.

to answer your question: yes, I want to have an action (structured, complex) be fired off whenever someone logs in.

I repeat, maybe I'm wrong approach since I don't know the product, but I thought the best thing was to run a script after authentication. however I have to check that the call to the script is valid (authenticated user). If I authenticate via browser and then try to run the curl command (to simulate what the script would do) I get the error "The request is missing a required parameter: grant_type".
In the meantime, I'd like to understand what I'm wrong, that is why this error comes out: personal curiosity.
If there are simpler solutions to do what I need (events and webhooks) all the better.

After your suggestion I studied some webhooks (which I didn't know).
I created one, linked to the user.login.success event. If I didn't get it wrong, when this event goes off, it will visit a URL protected via basic auth, in this way I should be okay. I don't care about passing data, I just run the script. If I do it with the button (Webhooks-> Test-> Send events) everything works, if instead I perform the authentication nothing happens. there is no json handling in the script: I just run it, but it doesn't run.

I think I need to response with a status code of 200.

I don't know ... something is missing. maybe something big.

dan

Thanks for the explanation. This is a really interesting use of FusionAuth and if you ever put it in a blog post, I'd read it! Or if you wanted to write a guest post for us, please let us know.

So I think what you want to do is definitely use a webhook on login success. You may want to examine the object to know which user authenticated, if your script needs to know that, and how they authenticated, in case that matters (password, SSO, etc).

One thing that has caught me out when creating webhooks is that you need to enable them at both Settings -> Webhooks, which is where you configure the actual hook endpoint, and at Tenant -> Webhooks, which is where you specify which events to fire for this tenant. There's also an application level of configuration for webhooks, if needed.

Can you please confirm that you configured webhooks in both the Settings and the Tenant screens? Not doing so may be the root cause of the issue you are seeing.

viola.mauro

Gladly, Dan.

Returning to the problem.
I have also enabled webhooks under Tenants: nothing to do. From System-> Event log, I see the start of the webhook only if I test it with the appropriate button.
Never following the login event.

In any case, the problem remains. That is, even if I trigger the webhook, I still have to find the information I need and therefore I should run the various POST commands (with curl) to interface with the API: find the token, from this the IP of the request, etc.
So the command:

curl -v -X POST \
    -H 'Content-Type: application/json' \
    -d '{"code":"SLM0-9Slnm7bDgHOz-P6xNBkpyrRwnFupZyObSA_rUA","grant_type":"authorization_code","redirect_uri":"http%3A%2F%2F192.168.144.133%2Fcgi-bin%2Faddrule.sh","client_id":"5ee574b6-6929-437b-8f39-ec82ffc4e15b","client_secret":"r5wCNW0NNgmuzx2LNjfT1l7RlviZ3X8QOBk55iR7mWM"}' "http://localhost:9011/oauth2/token"

it is in any case to be performed and always returns me:
"error": "invalid_request", "error_description": "The request is missing a required parameter: grant_type", "error_reason": "missing_grant_type"

It's probably bullshit.
But I don't see it.

viola.mauro

I have tried also in Python:

Error 401.

I do not understand.
Or rather: I understand that I continue to make a mistake.
A logical or method error.

viola.mauro

For python I have resolved.
with copy&paste I changed the order of parameters!
Now it works. My mistake.

dan

Ah, sorry to hear about your frustration, but glad you got it working!

robotdan

Sounds like @viola-mauro you've got this all working.

For anyone else that may be interested, we do have an apache module, that seems to be similar to what you're trying to do.

https://github.com/FusionAuth/fusionauth-mod-authnz-external