Group Sync with Azure AD via graph.windows.net does not seem to work anymore.
Current Behavior
Basic Information
- We are using Azure AD as identity provider.
- OIDC group sync does not work anymore for us.
- If we disable group sync we can log in successfully.
- Broken in 4.6.x, works in 4.5.x
- We did not change Dependencytrack config, nor did we change our Azure AD app registration.
Configs
- name: ALPINE_OIDC_ENABLED
  value: "true"
- name: ALPINE_OIDC_CLIENT_ID
  value: <CLIENT_ID>
- name: ALPINE_OIDC_ISSUER
  value: https://login.microsoftonline.com/<TENANT_ID>/v2.0
- name: ALPINE_OIDC_USERNAME_CLAIM
  value: preferred_username
- name: ALPINE_OIDC_USER_PROVISIONING
  value: "true"
- name: ALPINE_OIDC_TEAMS_CLAIM
  value: groups
- name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
  value: "true"
Claims + Logs
Logs:
2022-11-14 10:35:30,845 DEBUG [OidcConfigurationResolver] OIDC configuration loaded from cache
2022-11-14 10:35:30,845 DEBUG [OidcIdTokenAuthenticator] JWK set loaded from cache
2022-11-14 10:35:30,846 DEBUG [OidcIdTokenAuthenticator] ID token claims: {"sub":"<SUBJECT>","ver":"2.0","_claim_names":{"groups":"src1"},"aio":"<AIO>","roles":["admin"],"iss":"https:\/\/login.microsoftonline.com\/<TENANT_ID>\/v2.0","oid":"<USER_ID>","preferred_username":"Bree@example.com","uti":"<UTI>","tid":"<TENANT_ID>","aud":"<CLIENT_ID>","nbf":1668421830,"rh":"<RH>","wids":["<WID1>"],"_claim_sources":{"src1":{"endpoint":"https:\/\/graph.windows.net\/<TENANT_ID>\/users\/<USER_ID>\/getMemberObjects"}},"name":"Breesson, Bree","exp":1668425730,"iat":1668421830,"email":"Bree@example.com"}
2022-11-14 10:35:30,847 DEBUG [OidcAuthenticationService] ID token profile: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,089 DEBUG [OidcUserInfoAuthenticator] UserInfo response: {"sub":"<SUBJECT>","name":"Breesson, Bree","given_name":"Julian","family_name":"Loeffler","picture":"https:\/\/graph.microsoft.com\/v1.0\/me\/photo\/$value","email":"Bree@example.com"}
2022-11-14 10:35:31,089 DEBUG [OidcAuthenticationService] UserInfo profile: OidcProfile{subject='<SUBJECT>', username='null', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,089 DEBUG [OidcAuthenticationService] Merged profile: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,090 ERROR [OidcAuthenticationService] Unable to assemble complete profile (ID token: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}, UserInfo: OidcProfile{subject='<SUBJECT>', username='null', groups=null, email='Bree@example.com'}, Merged: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'})
2022-11-14 10:35:31,090 INFO [UserResource] Unauthorized OpenID Connect login attempt / IP Address: xxxxxxxxxxxxxxx / User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
The ID token Dependency-Track received contains something similar to:
{
  "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "ver": "2.0",
  "_claim_names": {
    "groups": "src1"
  },
  "aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "roles": [
    "admin"
  ],
  "iss": "https:\/\/login.microsoftonline.com\/xxxxxxxxxxxxxxxxxxxxxxxxx\/v2.0",
  "oid": "xxxxxxxxxxxxxxxxxxxxxxxx",
  "preferred_username": "Bree@example.com",
  "uti": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "tid": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "aud": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "nbf": 1668420930,
  "rh": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "wids": [
    "xxxxxxxxxxxxxxxxxxxxxxxxxx"
  ],
  "_claim_sources": {
    "src1": {
      "endpoint": "https:\/\/graph.windows.net\/xxxxxxxxxx\/users\/xxxxxxxxxxxx\/getMemberObjects"
    }
  },
  "name": "Breesson, Bree",
  "exp": 1668424830,
  "iat": 1668420930,
  "email": "Bree@example.com"
}
The interesting part here is
  "_claim_sources": {
    "src1": {
      "endpoint": "https:\/\/graph.windows.net\/xxxxxxxxxx\/users\/xxxxxxxxxxxx\/getMemberObjects"
    }
  },
I was not able to query this API endpoint myself successfully, so maybe something changed in the old graph.windows.net endpoint. Maybe you guys want to consider migrating to graph.microsoft.com.
Steps to Reproduce
- Create an Azure AD app registration
- Configure a groups claim for ID/Access tokens
- Configure DTrack to use the Azure AD app as OIDC client and activate group sync
- Login
Expected Behavior
groups are synced successfully
Dependency-Track Version
4.6.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
13.8
Browser
N/A
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
Top GitHub Comments

In the current OIDC logic we don’t handle any non-standard cases. In order to resolve this issue with Azure AD, we’d need to have extra logic in the profile creation to fetch groups from the AAD API if we encounter _claim_names claims.

Would highly appreciate that; currently this is a massive blocker for us to push mass adoption of the tool within the company.
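As an added illustration of the situation the issue and the maintainer's comment describe (this is not Dependency-Track code and not code from anyone in the thread), the Python below shows why the login above fails and what the missing "extra logic" would have to do. The ID token in the log carries no "groups" claim at all; Azure AD replaced it with a "_claim_names" entry that points, via "_claim_sources", at a Graph endpoint to be queried. A resolver that only reads "groups" ends up with groups=null, and with team synchronization enabled the profile is incomplete and the login is rejected; disabling team sync, as the reporter observed, makes the missing groups acceptable. The sample claims are constructed from the redacted token on the page, the host allowlist ALLOWED_CLAIM_SOURCE_HOSTS and the stub fetcher stub_fetch_groups are assumptions (a real implementation would make an authenticated Graph request here), and profile_complete is a simplified model of the behaviour the log shows, not the project's actual check. The allowlist matters: the "endpoint" value arrives inside a token, so it should never be followed to an arbitrary host.

```python
"""Added example (not Dependency-Track code): resolving OIDC group membership when
Azure AD replaces the 'groups' claim with a '_claim_names'/'_claim_sources' pointer."""
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Assumption: a deployment-specific allowlist of hosts that a _claim_sources endpoint may
# point at. Only the two Graph hosts mentioned on the page are listed; anything else is
# refused so that an 'endpoint' value taken from a token can never steer server-side fetches.
ALLOWED_CLAIM_SOURCE_HOSTS = {"graph.windows.net", "graph.microsoft.com"}

# Constructed sample: the redacted ID token from the issue, placeholders kept as-is.
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "<SUBJECT>",
    "ver": "2.0",
    "_claim_names": {"groups": "src1"},
    "roles": ["admin"],
    "iss": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
    "oid": "<USER_ID>",
    "preferred_username": "Bree@example.com",
    "aud": "<CLIENT_ID>",
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/<TENANT_ID>/users/<USER_ID>/getMemberObjects"}
    },
    "email": "Bree@example.com",
}


@dataclass
class GroupsResolution:
    groups: Optional[List[str]]  # group identifiers, or None when they could not be resolved
    source: str                  # "claim", "overage", "overage-blocked" or "absent"
    endpoint: Optional[str] = None


def overage_endpoint(claims: dict) -> Optional[str]:
    """Return the endpoint that _claim_names/_claim_sources designate for 'groups', or None."""
    source_key = (claims.get("_claim_names") or {}).get("groups")
    if not source_key:
        return None
    source = (claims.get("_claim_sources") or {}).get(source_key) or {}
    return source.get("endpoint")


def endpoint_allowed(endpoint: str) -> bool:
    """Only follow HTTPS endpoints on an allowlisted Graph host."""
    parsed = urlparse(endpoint)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_CLAIM_SOURCE_HOSTS


def resolve_groups(claims: dict, fetch_groups: Callable[[str], List[str]]) -> GroupsResolution:
    """Groups come from the 'groups' claim when present; otherwise, in the overage case,
    from the designated endpoint via the caller-supplied (authenticated) fetcher."""
    if isinstance(claims.get("groups"), list):
        return GroupsResolution(list(claims["groups"]), "claim")
    endpoint = overage_endpoint(claims)
    if endpoint is None:
        return GroupsResolution(None, "absent")
    if not endpoint_allowed(endpoint):
        return GroupsResolution(None, "overage-blocked", endpoint)
    return GroupsResolution(fetch_groups(endpoint), "overage", endpoint)


def profile_complete(resolution: GroupsResolution, team_sync_enabled: bool) -> bool:
    """Simplified model of the behaviour in the log: with team synchronization on, a profile
    without groups is incomplete and the login is rejected; with it off, groups are optional."""
    return resolution.groups is not None or not team_sync_enabled


def stub_fetch_groups(endpoint: str) -> List[str]:
    """Stand-in for an authenticated Microsoft Graph call (constructed result, no network)."""
    assert endpoint_allowed(endpoint)
    return ["<GROUP_ID_1>", "<GROUP_ID_2>"]


if __name__ == "__main__":
    # Current behaviour (pointer claims ignored): groups stay None and the login is refused.
    plain = {k: v for k, v in SAMPLE_ID_TOKEN_CLAIMS.items() if k not in ("_claim_names", "_claim_sources")}
    ignored = resolve_groups(plain, stub_fetch_groups)
    print("without overage handling:", ignored, "login ok:", profile_complete(ignored, True))
    # With overage handling: the endpoint is validated against the allowlist, then queried.
    resolved = resolve_groups(SAMPLE_ID_TOKEN_CLAIMS, stub_fetch_groups)
    print("with overage handling:   ", resolved, "login ok:", profile_complete(resolved, True))
```

Running the block prints the two outcomes side by side: the first resolution has groups=None and fails the completeness check with team sync on, matching the "Unable to assemble complete profile" line in the log, while the second follows the allowlisted endpoint and yields a usable group list. Whether the legacy graph.windows.net endpoint still answers such a request is exactly the open question in the issue; the stub does not settle it.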