2 Replies Latest reply on Nov 27, 2017 10:30 AM by patrick.byrne.0

    Integrating Tableau Server with OpenID Connect

    Mateusz Wuzynski

      Hi all,

      I'm configuring Tableau Server to use OpenID Connect as an authentication method. I set the correct clientId, clientSecret and OpenID Connect configuration URL in the Tableau Server configuration, but the following exception is thrown by Tableau when entering the login page:

      2017-11-17 07:36:21.306 +0000 (-,-,-,Wg6RdQoJC@QAAC80ALYAAAGs) catalina-exec-1 : ERROR com.tableausoftware.api.webclient.WebClientGetAuthenticationController - WebClientGetAuthenticationController failed during OpenID login attempt
      com.tableausoftware.domain.exceptions.AuthenticationException: retrieving identity provider metadata from http://<host>:<port>/api/openid/configuration failed (errorCode=10060)
          at com.tableausoftware.domain.user.openid.OpenIDMetadataHandler.requestOIDCMetadata(OpenIDMetadataHandler.java:150)
          at com.tableausoftware.domain.user.openid.OpenIDMetadataHandler.getProviderMetadata(OpenIDMetadataHandler.java:74)
          at com.tableausoftware.domain.user.openid.OpenIDConnectHelper.composeRedirectToIdentityProvider(OpenIDConnectHelper.java:138)
          at com.tableausoftware.domain.user.service.AuthenticationService.openIDConnectLoginInitialRequestHandler(AuthenticationService.java:198)
          at com.tableausoftware.model.workgroup.auth.LoginAppService.openIDConnectLoginInitialRequestHandler(LoginAppService.java:272)
          at com.tableausoftware.api.webclient.WebClientGetAuthenticationController.openIdInitLoginHandler_aroundBody8(WebClientGetAuthenticationController.java:505)
          at com.tableausoftware.api.webclient.WebClientGetAuthenticationController$AjcClosure9.run(WebClientGetAuthenticationController.java:1)
          at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
          at com.tableausoftware.instrumentation.InstrumentedMethod.instrumentInvocation(InstrumentedMethod.java:66)
          at com.tableausoftware.instrumentation.InstrumentationAspect.aroundAnnotatedMethod(InstrumentationAspect.java:57)
          at com.tableausoftware.api.webclient.WebClientGetAuthenticationController.openIdInitLoginHandler(WebClientGetAuthenticationController.java:478)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
          at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
          at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:114)
          at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827)
          at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738)
          at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
          at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)
          at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)
          at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
          at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
          at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          at com.tableausoftware.core.controller.RelativeRedirectFilter.doFilter(RelativeRedirectFilter.java:62)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
          at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
          at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2549)
          at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2538)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.lang.Thread.run(Thread.java:748)
      Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key "subject_types_supported"
          at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:92)
          at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getList(JSONObjectUtils.java:370)
          at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getStringArray(JSONObjectUtils.java:388)
          at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:1630)
          at com.tableausoftware.domain.user.openid.OpenIDMetadataHandler.requestOIDCMetadata(OpenIDMetadataHandler.java:144)
          ... 54 more

      You might say that the error message is pretty straightforward, but here is the response from the endpoint:

      $ curl -v http://<host>/api/openid/configuration
      *   Trying <host>...
      * Connected to <host> (<host>) port <port> (#0)
      > GET /api/openid/configuration HTTP/1.1
      > Host: <host>:<port>
      > User-Agent: curl/7.47.0
      > Accept: */*
      >
      < HTTP/1.1 200
      < Access-Control-Allow-Origin: *
      < Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
      < Access-Control-Max-Age: 3600
      < Access-Control-Allow-Headers: Access-Control-Allow-Credentials, X-Requested-With, Authorization, Content-Type, Access-Control-Allow-Origin, Cache-Control, X-Frame-Options
      < X-Content-Type-Options: nosniff
      < X-XSS-Protection: 1; mode=block
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      < Pragma: no-cache
      < Expires: 0
      < X-Frame-Options: DENY
      < Content-Type: application/json;charset=UTF-8
      < Transfer-Encoding: chunked
      < Date: Fri, 17 Nov 2017 08:58:46 GMT
      <
      * Connection #0 to host <host> left intact
      {"issuer":"http://<host>/","authorization_endpoint":"http://<host>/oauth/authorize","token_endpoint":"http://<host>/oauth/token","userinfo_endpoint":"http://<host>/api/openid/userinfo","response_types_support":["code","token","id_token"],"scopes_supported":["openid"],"token_endpoint_auth_methods_support":["client_secret_basic"],"claims_supported":[],"subject_types_supported":["public"]}

      As you can see, "subject_types_supported" is present in the response and the content type is set to application/json.

       

      I'm running Tableau Server 10.4.1

       

      Has anyone encountered this or a similar problem?

       

      Thanks in advance,

      Mateusz
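
An added example, not part of the original post and not Tableau or Nimbus code: a check of a provider metadata document against the members that OpenID Connect Discovery 1.0 marks REQUIRED, plus the issuer URL rule. The sample document is constructed from the response shown in the post, with the made-up name `idp.example` standing in for `<host>`; the function and constant names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Members marked REQUIRED in OpenID Connect Discovery 1.0, section 3.
REQUIRED = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample: the response body from the post, with the placeholder
# <host> replaced by the made-up name idp.example.
SAMPLE = '{"issuer":"http://idp.example/","authorization_endpoint":"http://idp.example/oauth/authorize","token_endpoint":"http://idp.example/oauth/token","userinfo_endpoint":"http://idp.example/api/openid/userinfo","response_types_support":["code","token","id_token"],"scopes_supported":["openid"],"token_endpoint_auth_methods_support":["client_secret_basic"],"claims_supported":[],"subject_types_supported":["public"]}'


def check_metadata(raw):
    """Return a list of findings; an empty list means no problem was found."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["body is not valid JSON: " + exc.msg]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    findings = []
    for key in REQUIRED:
        if key not in doc:
            findings.append("missing required member: " + key)
        elif key.endswith("_supported") and not isinstance(doc[key], list):
            findings.append("member must be a JSON array: " + key)
    # The capability lists the specification defines end in "_supported";
    # a key ending in "_support" is not a member the specification defines.
    for key in doc:
        if key.endswith("_support"):
            findings.append("unrecognised member %s (did you mean %sed?)" % (key, key))
    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        parts = urlsplit(issuer)
        if parts.scheme != "https":
            findings.append("issuer must use the https scheme: " + issuer)
        if parts.query or parts.fragment:
            findings.append("issuer must not contain a query or fragment")
    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE):
        print(finding)
```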