In Spotfire Server with OpenID Connect authentication, any identity provider whose Discovery Document URL does not use HTTPS is ignored, which results in Spotfire Server failing to start.
When OpenID Connect authentication is enabled on your Spotfire Server, any identity provider (Okta, Google, Microsoft Azure, etc.) whose Discovery Document URL uses HTTP is ignored. Because at least one provider must be enabled, Spotfire Server then fails to start with the following error in server.log:
WARN 2019-12-02T05:02:58,706+0000 [*Initialization*] auth.oidc.OidcAuthenticator: OpenID Connect provider 'spotfire' has a configured discovery document URL (http://discoverdocumenturl/.well-known/openid-configuration) that doesn't use HTTPS, this provider will be ignored
INFO 2019-12-02T05:02:58,709+0000 [*Initialization*] spotfire.server.LifecycleManager: The application is about to be shut down.
INFO 2019-12-02T05:02:58,709+0000 [*Initialization*] spotfire.server.LifecycleManager: Shutting down TIBCO Spotfire Server. Uptime: 0 day(s), 0 hour(s), 0 minute(s), 0 second(s)
ERROR 2019-12-02T05:02:58,718+0000 [*Initialization*] web.context.ContextLoader: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'oidcAuthenticator' defined in class path resource [applicationContext.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.spotfire.server.security.auth.oidc.OidcAuthenticator]: Constructor threw exception; nested exception is com.spotfire.server.ServerInitializationException: At least one provider must be enabled to use OpenID Connect authentication
To resolve the issue, the Discovery Document URL of every OpenID Connect provider must use the HTTPS scheme, not HTTP. OAuth 2.0 only works over HTTPS, so Spotfire Server requires this by design.
OpenID Connect and OAuth 2.0 outsource the necessary encryption to the Web's built-in TLS (also called HTTPS or SSL) infrastructure, which is universally implemented on both client and server platforms. If the identity provider currently uses the HTTP scheme, configure it for HTTPS and import its certificate into the Spotfire Server keystore so that the server trusts it.
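The following pre-flight check is an added example, not Spotfire's own code. It applies the same rule the server enforces (the discovery URL must use https) before a restart, and additionally verifies that the document's issuer matches the URL it was fetched from and that the TLS chain validates against a trust store you choose, which is the condition the keystore import above is meant to satisfy. The URLs, the sample document and the optional ca_bundle path are constructed values.

```python
"""Pre-flight checks for an OpenID Connect discovery document URL.

Added example (not Spotfire code). Constructed URLs and documents only.
"""
import json
import ssl
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"


def check_discovery_url(url: str) -> List[str]:
    """Return a list of problems with the URL; an empty list means it is acceptable.

    The first rule mirrors the server behaviour shown in the log: an http://
    discovery URL causes the provider to be ignored.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme is '{parsed.scheme or '(none)'}', must be https")
    if not parsed.netloc:
        problems.append("missing host")
    if not parsed.path.endswith(WELL_KNOWN):
        problems.append(f"path should end with {WELL_KNOWN}")
    return problems


def check_issuer(url: str, document: Dict) -> List[str]:
    """OpenID Connect Discovery requires the 'issuer' in the document to be
    identical to the URL prefix the document was fetched from, and to use https.
    A mismatch usually means a misconfigured or spoofed provider."""
    problems = []
    issuer = document.get("issuer")
    if not issuer:
        return ["discovery document has no 'issuer'"]
    expected_prefix = url[: -len(WELL_KNOWN)] if url.endswith(WELL_KNOWN) else url
    if issuer.rstrip("/") != expected_prefix.rstrip("/"):
        problems.append(
            f"issuer '{issuer}' does not match discovery URL prefix '{expected_prefix}'"
        )
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not https")
    return problems


def fetch_discovery_document(url: str, ca_bundle: Optional[str] = None) -> Dict:
    """Fetch the document over TLS, verifying the chain against ca_bundle if given.

    Raises ssl.SSLCertVerificationError when the provider's certificate is not
    trusted by that bundle: the same trust gap that the keystore import fixes.
    """
    context = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=context, timeout=10) as resp:
        return json.load(resp)


def preflight(url: str, ca_bundle: Optional[str] = None) -> List[str]:
    """Combine all checks; network access only happens if the URL itself is valid."""
    problems = check_discovery_url(url)
    if problems:
        return problems
    document = fetch_discovery_document(url, ca_bundle)
    return check_issuer(url, document)


if __name__ == "__main__":
    # Constructed example URL from the article's log line: rejected offline.
    print(check_discovery_url("http://discoverdocumenturl" + WELL_KNOWN))
    # Constructed document check (no network needed).
    print(check_issuer("https://idp.example" + WELL_KNOWN, {"issuer": "https://idp.example"}))
```

Run preflight() against the configured URL with the same CA bundle (or exported keystore certificate) that Spotfire Server will use; an empty list means both the scheme rule and the trust chain are satisfied before the server is restarted.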
Documentation Reference: Configuring OpenID Connect
External: OpenID Connect: https://openid.net/connect/faq/