HTTP Resolver: bug / not working (v.3.8.1)

Hello!
I’m trying to configure an HTTP resolver but it seems to have an issue and is not working.

Here is the PHP code to simulate an HTTP endpoint for the users test1, test2 and test3:

<?php

// Simulated user endpoint: knows only the users test1, test2 and test3
if(isset($_GET['customerid'])) {

  $customerid = $_GET['customerid'];
  if($customerid === 'test1' || $customerid === 'test2' || $customerid === 'test3') {

    // Known user: return the attributes the resolver's response mapping expects
    $user = array(
      'username' => $customerid,
      'email' => $customerid . '@test.com'
    );

    $json = json_encode($user);

    header('Content-Type: application/json');

    echo $json;
  }
  else {
    // Unknown user: this body matches the resolver's "Response contains" error rule
    $exit = array(
      'success' => false
    );

    $json = json_encode($exit);
    header('Content-Type: application/json');
    echo $json;
  }
}
else {

  // No customerid parameter at all
  $exit = array(
    'success' => false,
    'message' => "BAD"
  );

  $json = json_encode($exit);
  header('Content-Type: application/json');
  echo $json;
}

?>

Here is the HTTP Resolver config:

Endpoint (URL):
http://192.168.1.123/users.php
Method:
GET
Request Mapping (JSON format):
{"customerid": "{userid}", "accessKey": "secr3t!"}
Headers (JSON format):
{"Content-Type": "application/json; charset=UTF-8"}
Response Mapping (JSON format):
{"username": "{username}", "email": "{email}"}
Special Error Handling
[ENABLED]
Response contains (JSON format):
{"success": false}

Using the “Test HTTP Resolver” button with test1 the reply is:

{
  "email": "test1@test.com",
  "username": "test1"
}

and with test4 the reply is:

failed: Received an error while searching for user: test4

Now, going to create a token (Token → Enroll Token):

  • While typing, looking at the endpoint server side (Apache log), nothing happens and the response is always: “X No user found”

  • Creating a token for user test1 is OK (and I can see “GET /users.php?customerid=test1&accessKey=secr3t%21” 4 times in the Apache log)

  • Creating a token for user test4, privacyIDEA generates the token (even if the user is not present) but it is not shown (QR code image).

This is the DEBUG log:

[2023-03-30 16:06:37,621][4078][139703774512704][DEBUG][privacyidea.lib.apps:132] we have got 115 characters left for the token label
[2023-03-30 16:06:37,621][4078][139703774512704][DEBUG][privacyidea.lib.resolver:181] Entering get_resolver_object with arguments ('business-http',) and keywords {}
[2023-03-30 16:06:37,621][4078][139703774512704][DEBUG][privacyidea.lib.resolver:181] Entering get_resolver_list with arguments () and keywords {'filter_resolver_name': 'business-http'}
[2023-03-30 16:06:37,621][4078][139703774512704][DEBUG][privacyidea.lib.resolver:196] Exiting get_resolver_list with result HIDDEN
[2023-03-30 16:06:37,622][4078][139703774512704][DEBUG][privacyidea.lib.resolver:194] Exiting get_resolver_object with result <HTTP_RESOLVER.HTTPResolver object at 0x7f0f3dfbc8e0>
[2023-03-30 16:06:37,664][4078][139703774512704][ERROR][privacyidea.lib.tokens.hotptoken:302] Traceback (most recent call last):
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/hotptoken.py", line 269, in get_init_detail
    goo_url = cr_google(key=otpkey,
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/log.py", line 190, in log_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/apps.py", line 139, in create_google_authenticator_url
    givenname=user_obj.info.get("givenname", ""),
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/user.py", line 311, in info
    userInfo = y.getUserInfo(uid)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/resolvers/HTTPResolver.py", line 136, in getUserInfo
    return self._getUser(userid)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/resolvers/HTTPResolver.py", line 234, in _getUser
    raise Exception('Received an error while searching for user: %s' % userid)
Exception: Received an error while searching for user: test4

[2023-03-30 16:06:37,665][4078][139703774512704][ERROR][privacyidea.lib.tokens.hotptoken:303] failed to set oath or google url: Exception('Received an error while searching for user: test4')
[2023-03-30 16:06:37,665][4078][139703774512704][DEBUG][privacyidea.lib.tokens.hotptoken:194] Exiting get_init_detail with result {'otpkey': {'description': 'OTP seed', '

  • Lastly, when I go to “Details for user test1 in realm …” there are no details (like email) and no request to the HTTP Resolver (PHP/GET).

a) It works as designed that user searching is not possible. Usual HTTP APIs have no definition for searching users. The searching would have to be done in the backend (i.e. in YOUR PHP mockup).

b) A token object is always created; this is necessary for later steps. The exception happens in the creation of the QR code. Obviously you have configured that you want the username in the QR code, thus the creation of the QR code has to fail.

Hi!

Can someone tell me, how I could configure not to have the username in the QR-Code?

Denis

Try with a new enrollmenttokenlabel

Doc: Set label for a new enrolled Google Authenticator. Possible tags are <u> (user), <r> (realm), <s> (serial).


Thank you!

I created a policy:
name   scope        action                realm      user   resolver   client
pol1   enrollment   { tokenlabel: <s> }   [ test ]   []     [ kc ]     []

I also tried to change <s> to <r>, but no QR was created either when I tried to enroll a token for a Keycloak user that wasn’t in the pi user list yet.

The “kc” httpresolver shows the expected behaviour and delivers a JSON with the desired contents when I use the test button.

Seems the default setting is tokenlabel: <s>.

If you test with a username from passwordresolver the generated QR-Code contains the username only if you set tokenlabel: <u> in the policy. Otherwise it contains the serial.

Maybe, it is a bug anyway…

It is not. Maybe you are not capable of reading and understanding the documentation:

The default label in the QR code is the serial number. There is no username in the QR code unless a corresponding policy is set!

Also it is bad practice of you hijacking a totally different post topic.

Hello @cornelinux,
I took time to do more tests.

a) It works as designed that user searching is not possible. Usual HTTP APIs have no definition for searching users. The searching would have to be done in the backend (i.e. in YOUR PHP mockup).

Clear, this is not important, just to understand.

b) A token object is always created; this is necessary for later steps. The exception happens in the creation of the QR code. Obviously you have configured that you want the username in the QR code, thus the creation of the QR code has to fail.

Ok, this really shouldn’t happen. My backend shouldn’t create a token for a non-existing user.

c) But there is another consideration: when I receive a validate request like:

https://192.168.202.123/validate/check?user=test1&pass=123456&realm=test

privacyIDEA does not try to contact my HTTP Resolver (/users.php) again.

So, is it the only point where /users.php is used/called during the creation?
In this case I think there are no benefits and it would be easier to create it “without verification” (especially given the point “b” where the token object is always created).

Please help me to understand the benefits of HTTP Resolver, instead of a possible dummy module called “NOT CHECK Resolver” connector :pray:

Thank you very much

This really should not happen?

Ok, you are entitled to write your own management software in the way it should work out for you.

Mine was just a question to figure out what I didn’t understand in this resolver module.
I don’t understand what it should do and not do…

The HTTP Resolver is very generic.

As mentioned: Searching will very likely not work.
It is also not clear (depending on the HTTP interface) if and which attributes could be returned.

The very basic task of a resolver is

  • I have a username.
  • Give the username to the resolver
  • The resolver returns a UID.
  • privacyIDEA uses this UID to store tokens for this UID and find these tokens again.

Everything else around it is additional beauty.

So this should basically work - resolve a distinct username to a UID.
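
As an added illustration of the request/response mapping posted at the top of the thread and of the basic "resolve one username" task just described (example code written for this page, not privacyIDEA's own HTTPResolver), the following Python models a resolver lookup end to end. It assumes the config values exactly as posted and replaces the network call with a constructed in-process stand-in for users.php, so it runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Resolver settings copied from the first post (constructed config dict,
# not privacyIDEA's internal representation).
CONFIG = {
    "endpoint": "http://192.168.1.123/users.php",
    "request_mapping": {"customerid": "{userid}", "accessKey": "secr3t!"},
    "response_mapping": {"username": "{username}", "email": "{email}"},
    "error_response_contains": {"success": False},  # "Special Error Handling"
}

def fake_backend(url):
    """Constructed in-process stand-in for users.php: no network involved."""
    query = parse_qs(urlparse(url).query)
    customerid = query.get("customerid", [""])[0]
    if customerid in ("test1", "test2", "test3"):
        return json.dumps({"username": customerid, "email": customerid + "@test.com"})
    return json.dumps({"success": False})

def build_request(config, userid):
    """Fill the {userid} placeholder and build the GET URL the resolver sends."""
    params = {k: v.replace("{userid}", userid) for k, v in config["request_mapping"].items()}
    return config["endpoint"] + "?" + urlencode(params)

def is_error_response(config, body):
    """Special error handling: the body counts as an error when every key/value
    of the configured 'Response contains' object is present in it."""
    return all(body.get(k) == v for k, v in config["error_response_contains"].items())

def map_response(config, body):
    """Apply the response mapping: each {attr} placeholder names a body key."""
    mapped = {}
    for attr, template in config["response_mapping"].items():
        key = template.strip("{}")
        if key in body:
            mapped[attr] = body[key]
    return mapped

def resolve_user(config, userid, fetch=fake_backend):
    """Resolve one username; None means the backend signalled an error, which is
    what aborted the QR-code step for test4 in the thread."""
    body = json.loads(fetch(build_request(config, userid)))
    if is_error_response(config, body):
        return None
    return map_response(config, body)
```

The URL built for test1 is the same query string that appeared in the Apache log above; note that, like the PHP mockup, the stand-in never validates accessKey, so a real backend should check it before returning user data.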

Thank you @cornelinux for the explanation