
Error when trying to use Google authentication with Atlas

We have an Atlas instance set up and running, which works fine. Now I’ve been trying to enable security, by using Google authentication initially, but I have not succeeded quite yet. I do feel that I’m almost there, but the callback from Google upon successfully authenticating a user still fails.

I have tried to follow the documentation available on the Wiki and GitHub, including the security page on the OHDSI wiki http://www.ohdsi.org/web/wiki/doku.php?id=development:security

##### Briefly, these are the steps taken so far:

  1. Registered/assigned a domain name to the server (atlasdemo.xyz)
  2. Set up an ‘OAuth 2.0 client ID’ (Web application) using Google’s API Manager:
    - Authorized origin: http://atlasdemo.xyz
    - Authorized redirect: http://atlasdemo.xyz:8080/WebAPI/user/oauth/callback?client_name=Google2Client
  3. Configured the security block of the WebAPI settings.xml file and rebuilt the WebAPI.war file:

```xml
<security.enabled>true</security.enabled>
<security.token.expiration>43200</security.token.expiration>
<security.origin>http://atlasdemo.xyz</security.origin>
<security.ssl.enabled>false</security.ssl.enabled>
<security.oauth.callback.ui>http://atlasdemo.xyz/atlas/#/welcome</security.oauth.callback.ui>
<security.oauth.callback.api>http://atlasdemo.xyz:8080/WebAPI/user/oauth/callback</security.oauth.callback.api>
<security.oauth.google.apiKey>[api key from 2]</security.oauth.google.apiKey>
<security.oauth.google.apiSecret>[api secret from 2]</security.oauth.google.apiSecret>
<security.oauth.facebook.apiKey></security.oauth.facebook.apiKey>
<security.oauth.facebook.apiSecret></security.oauth.facebook.apiSecret>
```

  4. Set the config.userAuthenticationEnabled flag to true in Atlas’ config.js file.
  5. Also made a small change in the welcome.js file to enable the Google authentication to be called when the Google button was clicked; it would otherwise always call the Windows authentication.

It now shows the Sign in link in Atlas, and when clicked, I can choose Google for the Sign In with option, which takes me to Google’s account sign-in screen, where I can authenticate with my Google account. However, once authenticated, Google tries to call the Authorized redirect URL, appending status and code values – this fails with a 500 – Internal server error. The callback URL is of the following format:

http://atlasdemo.xyz:8080/WebAPI/user/oauth/callback?client_name=Google2Client&state=dbdb08cdd8&code=4%2FH7UgAuOCNKfkTvG01xKZHXye3-Mt_dggBFo6ruByOwI

If I strip off the state and code parameters, the URL redirects to the Atlas home page.

Is SSL required on the Atlas server in order to enable authentication? This is as of yet a demo/test setup, so securing the server with SSL has not been a priority yet.

Has anyone been able to get this to work with Google authentication, or spot anything I’ve overlooked?

Hi @lhalvors,
I’m sorry I’m not able to answer all your questions (and hopefully the people who were directly involved with the security implementation can chime in here), but as far as requiring SSL, I think it was implemented to not require SSL enabled, although it is very strongly recommended you do so for your production environment (even a shared demo). This is because if you do not do this, your OAUTH credentials will be sent in plain text over the network, and they could be intercepted. But this requires the additional effort of setting up an SSL certificate on your Java Servlet container (such as Tomcat). The use case for disabled SSL is a local dev mode where you don’t want the hassle of setting up certs and SSL. But again, and I cannot stress this enough, do not deploy security-enabled ATLAS on a non-SSL port.

As far as the issues with the Google auth, I don’t have that information.

-Chris
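The transport concern raised in the reply above can be checked before deployment. The following is an added example, not part of the original thread and not OHDSI code: it parses the security properties quoted in the question and flags every setting that would run authentication over plain HTTP. The `<properties>` wrapper element and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed input: the security properties quoted in the question, wrapped in
# a hypothetical <properties> root so they parse as one XML document.
SAMPLE = """<properties>
<security.enabled>true</security.enabled>
<security.origin>http://atlasdemo.xyz</security.origin>
<security.ssl.enabled>false</security.ssl.enabled>
<security.oauth.callback.ui>http://atlasdemo.xyz/atlas/#/welcome</security.oauth.callback.ui>
<security.oauth.callback.api>http://atlasdemo.xyz:8080/WebAPI/user/oauth/callback</security.oauth.callback.api>
</properties>"""

# URL-valued properties from the security block shown on this page.
URL_KEYS = (
    "security.origin",
    "security.oauth.callback.ui",
    "security.oauth.callback.api",
)


def load_props(xml_text):
    """Map each child element's tag to its stripped text."""
    return {el.tag: (el.text or "").strip() for el in ET.fromstring(xml_text)}


def audit_transport(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    props = load_props(xml_text)
    findings = []
    # With security disabled there is no login traffic to protect.
    if props.get("security.enabled", "").lower() != "true":
        return findings
    if props.get("security.ssl.enabled", "").lower() != "true":
        findings.append("security.enabled is true but security.ssl.enabled is not")
    for key in URL_KEYS:
        url = props.get(key, "")
        scheme = urlsplit(url).scheme
        if url and scheme != "https":
            findings.append(f"{key} is not https: {url}")
    return findings


if __name__ == "__main__":
    for finding in audit_transport(SAMPLE):
        print("FAIL:", finding)
```
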

Hi @lhalvors, @all,

I would like to set up Google authentication in Atlas/WebAPI, and I would like to know if you managed to do it or if you can point me to any useful documentation. I have deployed the Helm-based installation, so I would prefer to do it via environment variables rather than editing the settings.xml.

Any idea?

Alberto
