FusionAuth

    mart

    @mart


    Best posts made by mart

    • "You may not use an undefined variable" error with Docker Compose and Kickstart

      I'm trying to configure FusionAuth with kickstart for a project in need of OIDC support, but I've been having some issues getting it configured properly through docker-compose.

      My issue is that I want to define the application client secret in my environment, since my application needs to know this for the flow to work. I therefore experimented with something like this in my kickstart.json:

      {
        "variables": {
          "adminPassword": "#{ENV.FUSIONAUTH_ADMIN_PASSWORD}",
          "adminEmail": "#{ENV.FUSIONAUTH_ADMIN_EMAIL}",
          "projectApplicationId": "#{ENV.FUSIONAUTH_PROJECT_APPLICATION_ID}",
          "appClientSecret:": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_SECRET}",
          "applicationClientId": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_ID}",
          "authorizedRedirectUrls": "#{ENV.FUSIONAUTH_AUTHORIZED_REDIRECT_URLS}",
          "apiKey": "#{ENV.FUSIONAUTH_API_KEY}",
          "idpId": "#{ENV.FUSIONAUTH_IDP_ID}",
          "logoutUrl": "#{ENV.FUSIONAUTH_LOGOUT_URL}",
          "oidcIssuer": "#{ENV.OIDC_ISSUER}",
          "oidcClientId": "#{ENV.OIDC_CLIENT_ID}",
          "oidcClientSecret": "#{ENV.OIDC_CLIENT_SECRET}",
          "oidcScope": "#{ENV.OIDC_SCOPE}"
        },
        "apiKeys": [
          {
            "key": "#{apiKey}"
          }
        ],
        "requests": [
          {
            "method": "POST",
            "url": "/api/application/#{projectApplicationId}",
            "body": {
              "application": {
                "active": true,
                "name": "Test App",
                "roles": [
                  {
                    "description": "Test App system administrator",
                    "name": "admin"
                  },
                  {
                    "description": "Test App user",
                    "name": "user"
                  }
                ],
                "oauthConfiguration": {
                  "authorizedRedirectURLs": ["#{authorizedRedirectUrls}"],
                  "clientAuthenticationPolicy": "Required",
                  "enabledGrants": ["authorization_code", "refresh_token"],
                  "clientId": "#{applicationClientId}",
                  "clientSecret": "#{appClientSecret}",
                  "generateRefreshToken": true,
                  "logoutBehavior": "AllApplications",
                  "logoutURL": "#{logoutUrl}",
                  "proofKeyForCodeExchangePolicy": "NotRequired"
                }
              }
            }
          },
          {
            "method": "POST",
            "url": "/api/user/registration",
            "body": {
              "user": {
                "email": "#{adminEmail}",
                "password": "#{adminPassword}"
              },
              "registration": {
                "applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
                "roles": ["admin"]
              }
            }
          },
          {
            "method": "POST",
            "url": "/api/identity-provider/#{idpId}",
            "body": {
              "identityProvider": {
                "applicationConfiguration": {
                  "#{projectApplicationId}": {
                    "createRegistration": true,
                    "enabled": true
                  }
                },
                "oauth2": {
                  "issuer": "#{oidcIssuer}",
                  "client_id": "#{oidcClientId}",
                  "client_secret": "#{oidcClientSecret}",
                  "clientAuthenticationMethod": "client_secret_basic",
                  "scope": "#{oidcScope}"
                },
                "buttonText": "Login with OpenID Connect",
                "debug": false,
                "enabled": true,
                "name": "OpenID Connect Provider",
                "type": "OpenIDConnect"
              }
            }
          }
        ]
      }
      

      The problem is that an error is thrown by DefaultKickstartService when the docker container is started:

      2022-04-01 12:34:47.555 PM ERROR io.fusionauth.api.service.system.kickstart.DefaultKickstartService - You may not use an undefined variable. Found #{appClientSecret} but this was not provided in the variables section.
      

      But "appClientSecret" is clearly defined, and in the docker environment I can confirm that the environment variable it's bound to is defined together with all of the other variables. Removing the "clientSecret" property from the request allows FusionAuth to start as expected without any issues.

      Can someone explain why it's undefined?

      Misc info:

      • I'm pulling latest for fusionauth-app
      • Pulling postgres:11.9-alpine
      • macOS 12.3 (Intel)

      Thanks a lot!

      posted in Q&A
      mart
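      A pre-start check for this class of Kickstart error, added here as an example (not part of the original post and not FusionAuth's own tooling): it flags variable names containing anything other than letters, digits and underscores (the key in the variables section above is "appClientSecret:" while the request references #{appClientSecret}), lists every #{name} reference with no matching entry in the variables section, and lists #{ENV.NAME} references whose environment variable is unset. The sample document and environment below are constructed; against a real file pass the parsed kickstart.json and os.environ.

```python
import json
import re

# Kickstart placeholder syntax: #{name} for a declared variable, #{ENV.NAME} for an environment variable
PLACEHOLDER = re.compile(r"#\{([^}]+)\}")
# Variables are referenced by bare name, so stray punctuation in the key (e.g. a trailing colon) breaks lookup
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def _strings(node):
    """Yield every object key and string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)
    elif isinstance(node, str):
        yield node

def lint_kickstart(kickstart, environ):
    """Report malformed variable names, references to undeclared variables, and unset ENV.* references.
    environ is a mapping such as os.environ (a plain dict is used below so the check runs offline)."""
    declared = kickstart.get("variables", {})
    bad_names = sorted(n for n in declared if not VALID_NAME.match(n))
    undefined, missing_env = set(), set()
    for text in _strings(kickstart):
        for ref in PLACEHOLDER.findall(text):
            if ref.startswith("ENV."):
                if ref[4:] not in environ:
                    missing_env.add(ref[4:])
            elif ref not in declared:
                undefined.add(ref)
    return {"bad_names": bad_names, "undefined": sorted(undefined), "missing_env": sorted(missing_env)}

# Constructed, trimmed sample reproducing the mis-typed "appClientSecret:" key from the post above
SAMPLE = json.loads("""{
  "variables": {
    "apiKey": "#{ENV.FUSIONAUTH_API_KEY}",
    "appClientSecret:": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_SECRET}",
    "applicationClientId": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_ID}"
  },
  "apiKeys": [{"key": "#{apiKey}"}],
  "requests": [{"method": "POST", "url": "/api/application/#{projectApplicationId}",
    "body": {"application": {"oauthConfiguration": {
      "clientId": "#{applicationClientId}", "clientSecret": "#{appClientSecret}"}}}}]
}""")
# Constructed environment with the client secret deliberately left unset
SAMPLE_ENV = {"FUSIONAUTH_API_KEY": "k", "FUSIONAUTH_APPLICATION_CLIENT_ID": "id"}
```

      Running lint_kickstart(SAMPLE, SAMPLE_ENV) reports the malformed key, the two unresolved references and the unset environment variable before the container ever starts.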

    Latest posts made by mart

    • Resolving javax.net.ssl.SSLHandshakeException in a local environment with the Java Client and Ktor...

      I've been running FusionAuth in NestJS using the TypeScript client without much issue for a while. Recently we decided to try using it in a new project with Ktor, so we tried the Java client and ran into an issue which we were able to resolve quite easily in NodeJS but is giving me somewhat of a headache now.

      I'm running my local FusionAuth instance behind a dockerized instance of nginx to mimic our production environment as much as I can (very small projects, so this is all fine). This involves some self-signed certificates. Just setting rejectUnauthorized: false in development mode on the HTTPS agent did the trick in NestJS for making the client swallow the SSL verification complaints, but things don't seem to be as easy with Ktor/Java. Implementing a "trust-all" TrustManager doesn't seem to do the trick, and neither does providing Ktor with a custom JKS. I'm still getting a PKIX path building failed: unable to find valid certification path to requested target error.

      I'm just wondering if anyone has managed to find a way to make the FusionAuth Java client ignore SSL verification, or if using the REST API with a configured HTTP client is the only way to go.

      posted in Q&A
      mart
    • RE: "You may not use an undefined variable" error with Docker Compose and Kickstart

      @dan Yes, it works with a hardcoded secret. It kickstarts as normal, and I can see it when logging in and inspecting the application.

      I'll just walk through what I'm doing:

      I'll define both variables in my .env:

      FUSIONAUTH_APPLICATION_CLIENT_SECRET=myclientsecret749653
      FUSIONAUTH_APPLICATION_CLIENT_ID=...
      

      In my docker-compose.yaml I define them under the environment:

      ...
      FUSIONAUTH_APPLICATION_CLIENT_SECRET: '${FUSIONAUTH_APPLICATION_CLIENT_SECRET}'
      FUSIONAUTH_APPLICATION_CLIENT_ID: '${FUSIONAUTH_APPLICATION_CLIENT_ID}'
      ...
      

      And in my kickstart.json I define them in the variable block:

      ...
      "applicationClientSecret:": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_SECRET}",
      "applicationClientId": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_ID}",
      ...
      

      And then in the oauthConfiguration block for the application I define it like this.

      "oauthConfiguration": {
         "authorizedRedirectURLs": ["#{authorizedRedirectUrls}"],
         "clientAuthenticationPolicy": "Required",
         "enabledGrants": ["authorization_code", "refresh_token"],
         "clientId": "#{applicationClientId}",
         "clientSecret": "#{applicationClientSecret}",
         "generateRefreshToken": true,
         "logoutBehavior": "AllApplications",
         "logoutURL": "#{logoutUrl}",
         "proofKeyForCodeExchangePolicy": "NotRequired"
      }
      

      The clientId is defined exactly like the clientSecret, from env to kickstart, but for some reason it isn't parsed as a variable.

      If this is just me not using the API properly then I would expect something more descriptive.

      posted in Q&A
      mart
    • RE: "You may not use an undefined variable" error with Docker Compose and Kickstart

      @joshua

      Hi Josh,

      My workaround is to leave it undefined in the kickstart config, and make a call to the application-endpoint and fetch the client secret that way whenever I need it. I haven't found another solution to the issue. I have read through the kickstart docs for defining environment variables, but could not find anything related to why this field isn't being parsed.

      posted in Q&A
      mart