Not Authorized/Introspection failure

I thought I should open a new thread on this rather than continuing on from my previous one :) Incidentally, I've now moved the sample app onto its own server running on port 443, so that there is no problem with the port and the IAM redirect_uri, which I was experiencing in my other post.

Whilst trying to run the cfgtest sample app I am currently experiencing the error:

[08D8:0007-0D9C] 11/09/2020 09:16:25 PROTON: NotAuthorized: Attempt by Sample App/cryptsharedev to create Act-as-User, introspection failure

The app shows in the browser without values as follows:

----------------------------------------------------------------------------------

Hello, Heidi Harding!

domino-das results

These are your calendar events. This data comes through the Node.js application which make a DAS request to the current user's mail file on the Domino server.

domino-db results

These are two documents that were created by the Node.js application using the domino-db module. One document shows the application as the author. The other document shows the current user as the author.

----------------------------------------------------------------------------------

The DSAPI filter appears to be loading ok:

[1A88:0002-1D7C] 11/09/2020 09:24:55 HTTP Server: Using Web Configuration View
[1A88:0002-1D7C] 11/09/2020 09:24:59.65 oauth-dsapi::InitializeExtension> gPrintDbgInfo=1.
[1A88:0002-1D7C] 11/09/2020 09:24:59.65 OAauth2Client> Debug set to 0
[1A88:0002-1D7C] 11/09/2020 09:24:59.70 oauth-dsapi::InitializeExtension> OAuth2ClientCreation status No error
[1A88:0002-1D7C] 11/09/2020 09:24:59.70 oauth-dsapi::FilterInit> Initializing ...
[1A88:0002-1D7C] 11/09/2020 09:24:59 JVM: Java Virtual Machine initialized.
[1A88:0002-1D7C] 11/09/2020 09:24:59 HTTP Server: Java Virtual Machine loaded
[1A88:0002-1D7C] 11/09/2020 09:24:59 HTTP Server: DSAPI OAuth DSAPI Filter version 0.7.0 Loaded successfully
[1A88:0002-1D7C] 11/09/2020 09:24:59.87 CSRF Init: iNotes_WA_Security_ReturnUrlCheck> c_CSRFReturnUrlCheck: 1

oauthcfg list shows:

name:default id:3957c7d4-0b73-4f33-b89c-8a923f5d0901 URI:https://nodevdom04.cryptsharedev.local:7443/token/introspection
name:proton-addin id:d2d690d0-71c2-4857-820c-1e4f2a692b9f URI:https://nodomdev04.cryptsharedev.local:7443/token/introspection

I've enabled the options:

DEBUG_OAUTH_DSAPI=1
PROTON_TRACE_SESSION=1

The console shows:

[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context2: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Certificate::init: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Certificate::init: subject: CN=sampleapp/O=CryptshareDev
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Certificate::init: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Certificate::lookup: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 0 (was 65553)
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Certificate::lookup: lookup found: CN=Sample App/O=cryptsharedev
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Certificate::lookup: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::get_password_from_request: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::get_password_from_request: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context2: rc=0 client_cert_auth
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context2: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context: rc=0 init
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token2: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65536
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 0 (was 65536)
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Token::lookup: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 0 (was 65553)
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553 (was 0)
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: NotAuthorized: Attempt by Sample App/cryptsharedev to create Act-as-User, introspection failure
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Token::lookup: rc=65553 error from introspection
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Token::lookup: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553 (was 0)
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token2: rc=65553 token.lookup
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token2: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token: rc=65553 Session::init_via_behalfof_token()
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token: exit
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553 (was 0)
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: ReturnCode = 65553 (was 0)

I've ensured that the ACLs on the sample.nsf are correct and that the Sample App/Cryptshare dev user has the _ActAsUser role added.

Kind regards
Heidi

I should just mention that I still have this error, but the reason the domino-das results section was empty was because my calendar had no entries in it :) As soon as I created a calendar entry, this showed up.

So the introspection failure is just occurring with the domino-db results section.

I've fixed the issue.

It appears to be a bug in the proton addon not reading the value for the IAMClientConfigName field that is set in the adpconfig.nsf. Additionally, setting PROTON_IAMCLIENT_CONFIG_NAME would not override the value.

When I was researching PROTON_IAMCLIENT_CONFIG_NAME, which was the predecessor to the database version, I saw that if it had no value, then a default of "proton" would be used.

I therefore recreated my resource provider with that name and updated the oauthcfg configuration and also the field in the adpconfig.nsf and this now works.

I had previously named the provider proton-addin as shown here: https://doc.cwpcollaboration.com/appdevpack/docs/en/setup-guide-aauproton.html

Hope this helps!
Heidi
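
The following is an added example, not part of the original posts or of the AppDev Pack: a Python triage of the trace and listing lines quoted in this thread. It finds the innermost failing Proton call and checks whether an oauthcfg entry exists under the fallback name "proton" reported in the last post. The function names and the host-consistency check are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the thread's console output and oauthcfg listing.
TRACE = """\
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_server_context2: rc=0 client_cert_auth
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Token::lookup: enter
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: NotAuthorized: Attempt by Sample App/cryptsharedev to create Act-as-User, introspection failure
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Token::lookup: rc=65553 error from introspection
[08D8:0007-0D9C] 11/09/2020 09:26:55 PROTON: Session::init_via_behalfof_token2: rc=65553 token.lookup
"""
LISTING = """\
name:default id:3957c7d4-0b73-4f33-b89c-8a923f5d0901 URI:https://nodevdom04.cryptsharedev.local:7443/token/introspection
name:proton-addin id:d2d690d0-71c2-4857-820c-1e4f2a692b9f URI:https://nodomdev04.cryptsharedev.local:7443/token/introspection
"""

RC_LINE = re.compile(r"PROTON: (\S+): rc=(\d+) (.*)$")
CFG_LINE = re.compile(r"name:(\S+) id:(\S+) URI:(\S+)")

def first_failure(trace):
    """Return (function, rc, detail) for the first non-zero rc, i.e. the innermost failing call."""
    for line in trace.splitlines():
        m = RC_LINE.search(line)
        if m and int(m.group(2)) != 0:
            return m.group(1), int(m.group(2)), m.group(3)
    return None

def parse_oauthcfg(listing):
    """Map each configuration name to its introspection URI."""
    return {m.group(1): m.group(3) for m in map(CFG_LINE.search, listing.splitlines()) if m}

def diagnose(trace, listing, expected_name="proton"):
    """Collect findings; expected_name is the fallback name reported in the thread."""
    findings = []
    fail = first_failure(trace)
    if fail:
        findings.append(f"{fail[0]} failed with rc={fail[1]} ({fail[2]})")
    configs = parse_oauthcfg(listing)
    if expected_name not in configs:
        findings.append(f"no oauthcfg entry named {expected_name!r}; found {sorted(configs)}")
    # Assumption of this example: entries are expected to share one introspection host.
    hosts = {urlsplit(uri).hostname for uri in configs.values()}
    if len(hosts) > 1:
        findings.append(f"introspection URIs use different hosts: {sorted(hosts)}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(TRACE, LISTING):
        print(finding)
```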