Not Authorized error when using ActAsUser

I've managed to install AppDev pack numerous times now on various machines without (many) issues. Now that I am installing it into production, I am hitting a wall when trying to use cfgtest and getting the error below.

[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: NotAuthorized: Attempt by Sample App/####/DE to create Act-as-User, introspection failure
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Token::lookup: rc=65553 error from introspection
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Token::lookup: exit
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553 (was 0)
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Session::init_via_behalfof_token2: rc=65553 token.lookup
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Session::init_via_behalfof_token2: exit
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Session::init_via_behalfof_token: rc=65553 Session::init_via_behalfof_token()
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Session::init_via_behalfof_token: exit
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553 (was 0)
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: ReturnCode = 65553 (was 0)
[37F4:0009-3498] 16.07.2021 10:12:42   PROTON: Ses:S16018A25 Db:sample.nsf Req:BLKNT#-1 FindBy:#-1 RetCode:65553 NoteCount:0 TimeMS:16

The solution I mentioned previously in the forum (renaming the proton addin) has not worked this time.

Running the sample app works (the part without the access token) and documents are created, but the part with the token (on behalf of the user) always shows the introspection error above.

domino-db results

These are two documents that were created by the Node.js application using the domino-db module. One document shows the application as the author. The other document shows the current user as the author.

{
  "documents": [
    {
      "@unid": "7AE1B271C14EEB83C1258714002D8218",
      "@created": {
        "type": "datetime",
        "data": "2021-07-16T08:17:04.24Z"
      },
      "@modified": {
        "type": "datetime",
        "data": "2021-07-16T08:17:04.25Z"
      },
      "Field1": "This document was created with the identity of the Application. See @created and $UpdatedBy fields.",
      "$UpdatedBy": {
        "type": "text",
        "data": [
          "CN=Sample App/O=#####/C=DE"
        ],
        "names": true
      }
    }
  ],
  "errors": 0,
  "documentRange": {
    "total": 1,
    "start": 0,
    "count": 1
  }
}

I have not installed the DSAPI parts, so I've edited the index.js not to run that bit.

Edit: I've checked the ACL on the sample.nsf; it's fine. I should also point out that proton uses a separate keyfile for its certs. We already have SSL set up in the original keystore.

Also, when I open the sample app in the browser, the redirection to IAM and back appears to be functioning OK.

I'm at a bit of a loss as to what to try next... anyone have any ideas?

Regards
Heidi

This is (once again) most likely an SSL problem between Domino/Proton and IAM. Can you describe the setup you have here? The Not Authorized error indicates that PROTON tries to access IAM to introspect the access token but can't verify the SSL certificate in the IAM response. Please make sure that you have the full certificate chain, or at least the root certs that your IAM endpoints are using for SSL, also imported in your proton kyr-file.

Hi Heiko,

I'm using a separate keyring for proton. It contains the root CA and the server cert. These were created using the examples in the documentation, so no chain. ptest runs fine. Proton itself seems to be working fine.

This is the output from the cfgtest app (I've added an additional console.log to check the id_token, which looks fine if I paste it into the debugger at jwt.io btw):

User was redirected to the auth route with code. Asking IAM for token.
Got token.
TokenSet {
access_token: 'AWNd7KavK****DJjHUnJm',
expires_at: 1626430098,
id_token: '***',
scope: 'openid',
token_type: 'Bearer'
}
Sending user back to app.
User is logged in but we have no auth token, Ask IAM for one.
Send user to IAM to authorize request.
User was redirected to the auth route with code. Asking IAM for token.
Got token.
TokenSet {
access_token: 'mtIg-***-7utQXdak-tZ6T',
expires_at: 1626430099,
id_token: '***',
scope: 'openid domino.proton.db.access das.calendar.read.with.shared',
token_type: 'Bearer'
}
Sending user back to app.

So, I am not seeing any SSL errors here...

The IAM server itself is running on the Domino server and is using the same SSL certs as Domino for its web interface. If I open the .well-known/openid-configuration directly, then, at least in the browser, there is no SSL error.

I am just typing this and wondering now if I need to import the root CA for the IAM server into my proton keyring... I'll go try that :D

Regards
Heidi

Yep, that fixed it. Thanks again Heiko!
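Heiko's diagnosis (PROTON cannot verify the TLS certificate IAM presents when it calls the introspection endpoint) and Heidi's fix (importing the IAM root CA into the Proton keyring) point to a check worth running before touching the keyring: does the CA material you intend to trust actually validate the chain the IAM endpoint serves? A browser showing no certificate warning, as in Heidi's test, proves nothing here, because the browser uses its own trust store, not the Proton keyring. The script below is an added example, not code from this thread or from HCL. It runs `openssl s_client` against a PEM copy of the CA certificates you plan to put into the keyring and reports the OpenSSL verify result; the host name, port and `proton-ca.pem` path are placeholders you must set for your environment.

```shell
#!/bin/sh
# check_iam_chain.sh (added example, not from the thread)
# Verifies that the CA certificates destined for the Proton keyring (exported
# as PEM) validate the TLS chain served by the IAM endpoint. A non-zero verify
# code here is the same trust failure PROTON reports as "introspection failure".

IAM_HOST="${IAM_HOST:-iam.example.com}"     # placeholder: your IAM host
IAM_PORT="${IAM_PORT:-443}"                 # placeholder: your IAM TLS port
CA_BUNDLE="${CA_BUNDLE:-./proton-ca.pem}"   # placeholder: PEM copy of the CA certs

# Fetch the s_client transcript. stdin is closed so s_client exits after the
# handshake; -servername sends SNI so a virtual-hosted IAM returns the right cert.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        -CAfile "$3" </dev/null 2>/dev/null
}

# Extract the numeric OpenSSL verify code from an s_client transcript on stdin.
# "    Verify return code: 0 (ok)" -> 0
# "    Verify return code: 21 (unable to verify the first certificate)" -> 21
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (.*/\1/p' | head -n 1
}

# Count the certificates the server actually sent (leaf plus intermediates).
# "|| true" keeps grep's exit status 1 on zero matches from aborting a set -e caller.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Map the verify codes typically seen with an incomplete trust store to an action.
# Codes are OpenSSL's X509_V_ERR values as printed by s_client.
explain() {
    case "$1" in
        0)     echo "chain verifies against $CA_BUNDLE" ;;
        2|20)  echo "issuer of a presented certificate is not in $CA_BUNDLE: add the CA or intermediate" ;;
        21)    echo "server sent only its leaf certificate and its issuer is unknown: add the issuing CA" ;;
        18|19) echo "self-signed certificate (or self-signed root) not trusted: add that exact certificate" ;;
        "")    echo "no verify result in output (connection or handshake failed)" ;;
        *)     echo "OpenSSL verify code $1; see the verify(1) man page for its meaning" ;;
    esac
}

# Connect, summarise, and exit 0 only when the chain verifies.
main() {
    out=$(fetch_chain "$IAM_HOST" "$IAM_PORT" "$CA_BUNDLE")
    code=$(printf '%s\n' "$out" | verify_code)
    n=$(printf '%s\n' "$out" | cert_count)
    echo "IAM $IAM_HOST:$IAM_PORT sent $n certificate(s); $(explain "$code")"
    [ "$code" = "0" ]
}

# Only connect when invoked as "check_iam_chain.sh run", so the functions can
# also be sourced and exercised on saved transcripts.
case "${1:-}" in
    run) main ;;
esac
```

Run it as `IAM_HOST=your.iam.host CA_BUNDLE=/path/to/proton-ca.pem sh check_iam_chain.sh run`. A result of 20 or 21 with a single certificate sent is the shape of Heidi's situation: the IAM server presents a certificate whose issuer is not among the CAs Proton trusts, and the remedy is to add that issuing CA (or the full chain) to the Proton keyring rather than to change anything on the IAM side.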