Written by

Developer at globalerp.de GmbH
Question Daniel Goerke · Nov 20, 2024

OAuth2 with Microsoft

Hello Community,

I'm starting to explore OAuth2 and, as a first step, I want to set up an OAuth2 authentication with Microsoft. I've created a small sample page that attempts to sign in with Microsoft. However, after entering the user credentials, the redirection doesn't work.


 
The settings in the Management Portal look as follows:
System>Security Management>OAuth 2.0 Client>Create Server Description:
   
System>Security Management>OAuth 2.0 Client>Client Configurations
 

The redirect URI is also registered in Azure, and the web application "/csp/sys/oauth2" is activated.

What could be the reason that it's still not working?

Best regards,
Daniel Goerke

Product version: IRIS 2024.1
$ZV: IRIS for Windows (x86-64) 2024.1.1 (Build 347_0_23678U) Mon Sep 16 2024 18:42:43 EDT

Comments

Tani Frankel · Nov 20, 2024

I suggest turning on relevant logging which could provide you with more details as to what is happening behind the scenes and what might be the problem.

See an example in @Daniel Kutac's post.

0
Scott Roth · Nov 20, 2024

I second the suggestion to turn on ISCLOG and FHIRServer logging within the globals to verify what your connection is trying to do, or you can try it from a Terminal Prompt (OAuth 2.0 Client | HealthShare Health Connect 2023.1) as well...

It could be the scope, grant type, or authentication...

0
Daniel Goerke · Nov 25, 2024

@Tani Frankel, @Scott Roth 
I have activated the relevant logging and implemented a small function to log the requests. Below, I will share both log outputs.
It appears that not all parameters are being passed to the OAuth2.Response class. At the moment, I am unsure what might be causing this issue.
IRIS Log:

 


**OAuth2-3 2024-11-25 10:01:55.9119078 ns=%SYS routine=%OAuth2.Utils.1 job=2228 sessionid=E5RZL9jf5N
[OAuth2.Response:OnPreHttp]CSP Request
data="Content-Type: , Secure: 1, Method: GET"
data("Cookie","CSPWSERVERID")="B22rIedt"
data("Header","HTTP_ACCEPT")="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
data("Header","HTTP_ACCEPT_ENCODING")="gzip, deflate, br, zstd"
data("Header","HTTP_ACCEPT_LANGUAGE")="de,en-US;q=0.7,en;q=0.3"
data("Header","HTTP_CONNECTION")="close"
data("Header","HTTP_COOKIE")="CSPWSERVERID=B22rIedt"
data("Header","HTTP_HOST")="192.148.150.2"
data("Header","HTTP_PRIORITY")="u=0, i"
data("Header","HTTP_REFERER")="https://login.microsoftonline.com/"
data("Header","HTTP_SEC_FETCH_DEST")="document"
data("Header","HTTP_SEC_FETCH_MODE")="navigate"
data("Header","HTTP_SEC_FETCH_SITE")="cross-site"
data("Header","HTTP_TE")="trailers"
data("Header","HTTP_UPGRADE_INSECURE_REQUESTS")=1
data("Header","HTTP_URL")="/csp/sys/oauth2/OAuth2.Response.cls?code=1.AYEAtoU960T0LUeMM9-jlwzKSY07FhnHjcpHk9JJyAG7N7SBABGBAA.AgABBAIAAADW6jl31mB3T7ugrWTT8pFeAwDs_wUA9P_nJfgQz1opSREZfNM1YsYhPyuy0eYAH2xqi-Odzkaw5BA3RJf6UZGdbO9935qz901QO-ot0t8nEZm30vLXzpYGE4D_Ka4IneG0Dr-S5vthEvtwuAi241Ej3TG7xM_3ig-NKio29-pAJ-8N_5w7aZ4V97G0rZLmFmjcPW1EzvjOBRw8PBrbm-q69vgaV0z9iRX5m4P3PDwkWpP0anUbHfrEUfVyfekxrz9EVGQFbiib0zQI0ih1R4HvUIpaVsh195Vz7NL82q5m-nl1bcQ4q64m7-LP_QQZ9p16Wgcqjaj9OyXw58uMUl2bLB4fS89mDpuZc3EsqPQrKlZlx-U4ADkXw-ydpc4Oxq1ajyDdU5opTH3jZJ3wUBlQlDQxBCjeYq7Z3ptDfMNCIwV5axpqTsXM2R5UcPQidCE-cz58YMDjM0akKvkpJ05H2c-0VzXg61c_-gNXuyMwtxBOyywRwS-Sqx6yAryJQv_XVuF2xGpI5MDEo1rhBVZbq4M69VsTR69YXDZylyRJBaH78QqmfZWr5Qd4_czyfp4TiymMF-cA-dJ2MFSNEOCoZlygc0HMOvqkz1-A_ar4mYFVDSC2uEcN_W4e9hg08a-NQUcZtcUo8PfmGQArByfQC10IMBRqrQtH2Y_mMbuVxIYvjkKDkN6iibFZbrNGI7yUke7Q5uKcNdhwrCsQ6Vy8xOsDwRwTGblFXpHD13z_K6KubKA5uvlCzvgHpjhHoekjzPgjdufY7sEFf-Yy&session_state=eaaef793-3d71-420c-af01-faf608f1086a"
data("Header","HTTP_USER_AGENT")="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0"
data("Header","HTTP_VERSION")="HTTP/1.1"
data("code",1)="1.AYEAtoU960T0LUeMM9-jlwzKSY07FhnHjcpHk9JJyAG7N7SBABGBAA.AgABBAIAAADW6jl31mB3T7ugrWTT8pFeAwDs_wUA9P_nJfgQz1opSREZfNM1YsYhPyuy0eYAH2xqi-Odzkaw5BA3RJf6UZGdbO9935qz901QO-ot0t8nEZm30vLXzpYGE4D_Ka4IneG0Dr-S5vthEvtwuAi241Ej3TG7xM_3ig-NKio29-pAJ-8N_5w7aZ4V97G0rZLmFmjcPW1EzvjOBRw8PBrbm-q69vgaV0z9iRX5m4P3PDwkWpP0anUbHfrEUfVyfekxrz9EVGQFbiib0zQI0ih1R4HvUIpaVsh195Vz7NL82q5m-nl1bcQ4q64m7-LP_QQZ9p16Wgcqjaj9OyXw58uMUl2bLB4fS89mDpuZc3EsqPQrKlZlx-U4ADkXw-ydpc4Oxq1ajyDdU5opTH3jZJ3wUBlQlDQxBCjeYq7Z3ptDfMNCIwV5axpqTsXM2R5UcPQidCE-cz58YMDjM0akKvkpJ05H2c-0VzXg61c_-gNXuyMwtxBOyywRwS-Sqx6yAryJQv_XVuF2xGpI5MDEo1rhBVZbq4M69VsTR69YXDZylyRJBaH78QqmfZWr5Qd4_czyfp4TiymMF-cA-dJ2MFSNEOCoZlygc0HMOvqkz1-A_ar4mYFVDSC2uEcN_W4e9hg08a-NQUcZtcUo8PfmGQArByfQC10IMBRqrQtH2Y_mMbuVxIYvjkKDkN6iibFZbrNGI7yUke7Q5uKcNdhwrCsQ6Vy8xOsDwRwTGblFXpHD13z_K6KubKA5uvlCzvgHpjhHoekjzPgjdufY7sEFf-Yy"
data("session_state",1)="eaaef793-3d71-420c-af01-faf608f1086a"

**OAuth2-2 2024-11-25 10:01:55.9126365 ns=%SYS routine=%OAuth2.Utils.1 job=2228 sessionid=E5RZL9jf5N
[OAuth2.Response:OnPreHttp]Error: FEHLER #8861: Unerwartete Parameter in umgeleiteter Zugriffstokenantwort: Unexpected state parameter: .

Request Log:

 


HandleRequest started
Timestamp: 2024-11-25 11:01:55
Received parameters:
parameter code: 1.AYEAtoU960T0LUeMM9-jlwzKSY07FhnHjcpHk9JJyAG7N7SBABGBAA.AgABBAIAAADW6jl31mB3T7ugrWTT8pFeAwDs_wUA9P_nJfgQz1opSREZfNM1YsYhPyuy0eYAH2xqi-Odzkaw5BA3RJf6UZGdbO9935qz901QO-ot0t8nEZm30vLXzpYGE4D_Ka4IneG0Dr-S5vthEvtwuAi241Ej3TG7xM_3ig-NKio29-pAJ-8N_5w7aZ4V97G0rZLmFmjcPW1EzvjOBRw8PBrbm-q69vgaV0z9iRX5m4P3PDwkWpP0anUbHfrEUfVyfekxrz9EVGQFbiib0zQI0ih1R4HvUIpaVsh195Vz7NL82q5m-nl1bcQ4q64m7-LP_QQZ9p16Wgcqjaj9OyXw58uMUl2bLB4fS89mDpuZc3EsqPQrKlZlx-U4ADkXw-ydpc4Oxq1ajyDdU5opTH3jZJ3wUBlQlDQxBCjeYq7Z3ptDfMNCIwV5axpqTsXM2R5UcPQidCE-cz58YMDjM0akKvkpJ05H2c-0VzXg61c_-gNXuyMwtxBOyywRwS-Sqx6yAryJQv_XVuF2xGpI5MDEo1rhBVZbq4M69VsTR69YXDZylyRJBaH78QqmfZWr5Qd4_czyfp4TiymMF-cA-dJ2MFSNEOCoZlygc0HMOvqkz1-A_ar4mYFVDSC2uEcN_W4e9hg08a-NQUcZtcUo8PfmGQArByfQC10IMBRqrQtH2Y_mMbuVxIYvjkKDkN6iibFZbrNGI7yUke7Q5uKcNdhwrCsQ6Vy8xOsDwRwTGblFXpHD13z_K6KubKA5uvlCzvgHpjhHoekjzPgjdufY7sEFf-Yy
parameter state: eaaef793-3d71-420c-af01-faf608f1086a
parameter error:
parameter access_token:
parameter id_token:
--------------------------------------------------------
0
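The IRIS log above shows a redirect that carries `code` and `session_state` but no `state`, followed by error #8861. The following is an added Python example (not IRIS code and not part of the original thread) of checking an authorization-code callback as RFC 6749 section 4.1.2 describes it; the host name, code value, state values and the function name `check_callback` are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample callbacks (not the values from the log above).
BASE = "https://iris.example/csp/sys/oauth2/OAuth2.Response.cls"
CALLBACK_NO_STATE = (BASE + "?code=CONSTRUCTED_CODE"
                     "&session_state=11111111-2222-3333-4444-555555555555")
CALLBACK_OK = (BASE + "?code=CONSTRUCTED_CODE&state=abc123"
               "&session_state=11111111-2222-3333-4444-555555555555")


def check_callback(url, expected_state):
    """Return a list of findings for an authorization-code redirect.

    expected_state is the value the client sent in its authorization
    request and stored for this browser session.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []

    # A parameter repeated in the query string is ambiguous; flag it.
    for name, values in query.items():
        if len(values) > 1:
            findings.append(f"duplicate parameter: {name}")

    # The response carries either an error or a non-empty code.
    if "error" in query:
        findings.append(
            f"authorization server returned error: {query['error'][0]}")
    elif not query.get("code", [""])[0]:
        findings.append("missing code")

    # session_state is a separate parameter and does not replace state.
    state = query.get("state", [None])[0]
    if state is None:
        findings.append("missing state")
    elif not hmac.compare_digest(state.encode(), expected_state.encode()):
        findings.append("state mismatch")
    return findings


if __name__ == "__main__":
    for label, url in (("no state", CALLBACK_NO_STATE), ("ok", CALLBACK_OK)):
        print(label, check_callback(url, "abc123"))
```
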
Alexander Koblov · Nov 25, 2024

Hi Daniel.

This 404 error shows the IIS page. For debugging purposes, the recommendation is to enable PassThrough responses in IIS: https://docs.intersystems.com/iris20242/csp/docbook/DocBook.UI.Page.cls?KEY=GCGI_webserver#GCGI_configiis_soapfault

IRIS returns 404 when the page or class does not exist, and when a PROTECT error happens.

So enable the PROTECT events in the Audit, and check if anything is logged there.

Check that IIS is configured correctly to forward the request that returns 404 to the Web Gateway and then IRIS.

0