TIBCO Spotfire Server with OpenID Connect authentication, discovery document URL will be ignored for the Identity providers that do not use HTTPS



Article ID: KB0076570


Products: Spotfire Server
Versions: 7.8 and higher

Description

When OpenID Connect authentication is enabled on your TIBCO Spotfire Server, any identity provider (Okta, Google, Azure AD, etc.) whose configured discovery document URL uses plain HTTP instead of HTTPS is ignored. If that leaves no enabled provider, the TIBCO Spotfire Server fails to start, and the following is seen in server.log:

WARN 2019-12-02T05:02:58,706+0000 [*Initialization*] auth.oidc.OidcAuthenticator: OpenID Connect provider 'spotfire' has a configured discovery document URL (http://discoverdocumenturl/.well-known/openid-configuration) that doesn't use HTTPS, this provider will be ignored
INFO 2019-12-02T05:02:58,709+0000 [*Initialization*] spotfire.server.LifecycleManager: The application is about to be shut down.
INFO 2019-12-02T05:02:58,709+0000 [*Initialization*] spotfire.server.LifecycleManager: Shutting down TIBCO Spotfire Server. Uptime: 0 day(s), 0 hour(s), 0 minute(s), 0 second(s)
ERROR 2019-12-02T05:02:58,718+0000 [*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'oidcAuthenticator' defined in class path resource [applicationContext.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.auth.oidc.OidcAuthenticator]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: At least one provider must be enabled to use OpenID Connect authentication

Issue/Introduction

When OpenID Connect authentication is enabled for the TIBCO Spotfire Server, any identity provider whose discovery document URL uses HTTP rather than HTTPS is ignored, and if no enabled provider remains the server fails to start.

Resolution

To resolve the issue, the discovery document URL configured for each OpenID Connect provider must use the https:// scheme, not http://. The discovery document is where the server learns the provider's authorization endpoint, token endpoint and signing-key location (jwks_uri); if it were fetched over plaintext HTTP, anyone on the network path could substitute those values. OAuth 2.0 and OpenID Connect therefore require TLS for these endpoints, and Spotfire enforces the requirement by design.

OAuth 2.0, the protocol on which OpenID Connect is built, delegates encryption and server authentication to TLS (HTTPS; the older name SSL is still in common use), which is implemented on every client and server platform. If the identity provider currently serves its discovery document only over HTTP, enable HTTPS on the provider first. Unless the provider's certificate chains to a certificate authority that the TIBCO Spotfire Server already trusts, import the provider's certificate (or its issuing CA certificate) into the TIBCO Spotfire Server keystore so that it is trusted. Then change the discovery document URL in the OpenID Connect configuration to the https:// address and restart the server.
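The following pre-flight check is an added example and is not TIBCO code. It shows what to verify before restarting the server: it extracts the provider and URL from the WARN line quoted above, applies the same https-only rule the server applies to the discovery URL, and goes one step further than the server's check by inspecting the discovery document's own endpoints (issuer, authorization_endpoint, token_endpoint, jwks_uri, userinfo_endpoint), since a provider can advertise a plaintext token endpoint even when its discovery URL is HTTPS. The log line is copied from the article; the discovery documents and the idp.example.com host are constructed for the example.

```python
"""Pre-flight check for a Spotfire OpenID Connect provider's discovery URL.

Added example, not TIBCO code. Offline: the discovery documents below are
constructed in-line instead of being fetched from a real provider.
"""
import re
from urllib.parse import urlparse

# Log line quoted from the article (constructed input for this example).
SAMPLE_LOG = (
    "WARN 2019-12-02T05:02:58,706+0000 [*Initialization*] "
    "auth.oidc.OidcAuthenticator: OpenID Connect provider 'spotfire' has a "
    "configured discovery document URL "
    "(http://discoverdocumenturl/.well-known/openid-configuration) "
    "that doesn't use HTTPS, this provider will be ignored"
)

IGNORED_RE = re.compile(
    r"OpenID Connect provider '(?P<provider>[^']+)' has a configured "
    r"discovery document URL \((?P<url>[^)]+)\) that doesn't use HTTPS"
)

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields the server needs; required by OpenID Connect Discovery 1.0
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint",)


def ignored_providers(log_text):
    """Return [(provider, url)] for each provider the server dropped for plain HTTP."""
    return [(m.group("provider"), m.group("url"))
            for m in IGNORED_RE.finditer(log_text)]


def check_discovery_url(url):
    """Problems with the configured discovery URL itself; empty list means OK."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append(
            f"scheme is {parts.scheme!r}: Spotfire ignores providers whose "
            f"discovery URL is not https")
    if not parts.path.endswith(WELL_KNOWN):
        problems.append(f"path does not end with {WELL_KNOWN}")
    return problems


def check_discovery_document(url, document):
    """Problems with the discovery document served at url; empty list means OK.

    Checks that the issuer matches the discovery URL (Discovery 1.0 requires
    url == issuer + well-known path) and that every advertised endpoint the
    server will contact is itself served over HTTPS.
    """
    problems = check_discovery_url(url)
    issuer = document.get("issuer", "")
    if url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append(f"issuer {issuer!r} does not match discovery URL")
    for key in REQUIRED + OPTIONAL:
        value = document.get(key)
        if value is None:
            if key in REQUIRED:
                problems.append(f"missing required field {key}")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    return problems


# Constructed discovery documents for a hypothetical provider.
GOOD_URL = "https://idp.example.com" + WELL_KNOWN
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
}
# Same provider, but the token endpoint slipped back to plain HTTP: the
# discovery URL alone passes the server's rule, the document does not.
MIXED_DOC = dict(GOOD_DOC, token_endpoint="http://idp.example.com/token")


if __name__ == "__main__":
    for provider, url in ignored_providers(SAMPLE_LOG):
        print(f"provider {provider!r} was ignored for URL {url}")
        for problem in check_discovery_url(url):
            print("  -", problem)
    for label, doc in (("good", GOOD_DOC), ("mixed", MIXED_DOC)):
        print(label, check_discovery_document(GOOD_URL, doc) or "OK")
```

Run it against a copy of server.log (replace SAMPLE_LOG with the file contents) to list every provider the server dropped, and against the JSON you fetch from the corrected https:// discovery URL before restarting the server. The issuer comparison matters as much as the scheme check: a document whose issuer differs from the URL it was served from is the classic sign of a misconfigured or proxied provider, and ID tokens it issues will fail issuer validation later.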

Additional Information

Doc: Configuring OpenID Connect
External: OpenID Connect