Group Sync with Azure AD via graph.windows.net does not seem to work anymore.

Current Behavior

Basic Information

  • We are using Azure AD as identity provider.
  • OIDC group sync does not work anymore for us.
  • If we disable group sync we can log in successfully.
  • Broken in 4.6.x, works in 4.5.x
  • We did not change Dependencytrack config, nor did we change our Azure AD app registration.

Configs

    - name: ALPINE_OIDC_ENABLED
      value: "true"
    - name: ALPINE_OIDC_CLIENT_ID
      value: <CLIENT_ID>
    - name: ALPINE_OIDC_ISSUER
      value: https://login.microsoftonline.com/<TENANT_ID>/v2.0
    - name: ALPINE_OIDC_USERNAME_CLAIM
      value: preferred_username
    - name: ALPINE_OIDC_USER_PROVISIONING
      value: "true"
    - name: ALPINE_OIDC_TEAMS_CLAIM
      value: groups
    - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
      value: "true"

Claims + Logs

Logs:

2022-11-14 10:35:30,845 DEBUG [OidcConfigurationResolver] OIDC configuration loaded from cache
2022-11-14 10:35:30,845 DEBUG [OidcIdTokenAuthenticator] JWK set loaded from cache
2022-11-14 10:35:30,846 DEBUG [OidcIdTokenAuthenticator] ID token claims: {"sub":"<SUBJECT>","ver":"2.0","_claim_names":{"groups":"src1"},"aio":"<AIO>","roles":["admin"],"iss":"https:\/\/login.microsoftonline.com\/<TENANT_ID>\/v2.0","oid":"<USER_ID>","preferred_username":"Bree@example.com","uti":"<UTI>","tid":"<TENANT_ID>","aud":"<CLIENT_ID>","nbf":1668421830,"rh":"<RH>","wids":["<WID1>"],"_claim_sources":{"src1":{"endpoint":"https:\/\/graph.windows.net\/<TENANT_ID>\/users\/<USER_ID>\/getMemberObjects"}},"name":"Breesson, Bree","exp":1668425730,"iat":1668421830,"email":"Bree@example.com"}
2022-11-14 10:35:30,847 DEBUG [OidcAuthenticationService] ID token profile: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,089 DEBUG [OidcUserInfoAuthenticator] UserInfo response: {"sub":"<SUBJECT>","name":"Breesson, Bree","given_name":"Julian","family_name":"Loeffler","picture":"https:\/\/graph.microsoft.com\/v1.0\/me\/photo\/$value","email":"Bree@example.com"}
2022-11-14 10:35:31,089 DEBUG [OidcAuthenticationService] UserInfo profile: OidcProfile{subject='<SUBJECT>', username='null', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,089 DEBUG [OidcAuthenticationService] Merged profile: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,090 ERROR [OidcAuthenticationService] Unable to assemble complete profile (ID token: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}, UserInfo: OidcProfile{subject='<SUBJECT>', username='null', groups=null, email='Bree@example.com'}, Merged: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'})
2022-11-14 10:35:31,090 INFO [UserResource] Unauthorized OpenID Connect login attempt / IP Address: xxxxxxxxxxxxxxx / User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

The ID token that Dependency-Track received contains something similar to:

{
    "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "ver": "2.0",
    "_claim_names": {
        "groups": "src1"
    },
    "aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "roles": [
        "admin"
    ],
    "iss": "https:\/\/login.microsoftonline.com\/xxxxxxxxxxxxxxxxxxxxxxxxx\/v2.0",
    "oid": "xxxxxxxxxxxxxxxxxxxxxxxx",
    "preferred_username": "Bree@example.com",
    "uti": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "tid": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "aud": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "nbf": 1668420930,
    "rh": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "wids": [
        "xxxxxxxxxxxxxxxxxxxxxxxxxx"
    ],
    "_claim_sources": {
        "src1": {
            "endpoint": "https:\/\/graph.windows.net\/xxxxxxxxxx\/users\/xxxxxxxxxxxx\/getMemberObjects"
        }
    },
    "name": "Breesson, Bree",
    "exp": 1668424830,
    "iat": 1668420930,
    "email": "Bree@example.com"
}

The interesting part here is

    "_claim_sources": {
        "src1": {
            "endpoint": "https:\/\/graph.windows.net\/xxxxxxxxxx\/users\/xxxxxxxxxxxx\/getMemberObjects"
        }
    },

I was not able to query this API endpoint myself successfully, so maybe something changed in the old graph.windows.net endpoint. Maybe you want to consider migrating to graph.microsoft.com.

Steps to Reproduce

  1. Create an Azure AD app registration
  2. Configure a groups claim for ID/Access tokens
  3. Configure DTrack to use the Azure AD app as OIDC client and activate group sync
  4. Login

Expected Behavior

groups are synced successfully

Dependency-Track Version

4.6.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

13.8

Browser

N/A

Issue Analytics

  • State: open
  • Created 10 months ago
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

1 reaction
nscuro commented, Nov 18, 2022

In the current OIDC logic we don’t handle any non-standard cases. In order to resolve this issue with Azure AD, we’d need to have extra logic in the profile creation to fetch groups from the AAD API if we encounter _claim_names claims.
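The case nscuro describes above is Azure AD's groups overage: when a user belongs to more groups than the token can carry, Azure AD leaves the `groups` claim out and instead emits `_claim_names` (mapping `groups` to a source id) and `_claim_sources` (the endpoint to query), which is exactly what the token in the issue shows, and a client that only reads `groups` ends up with `groups=null`. The following is an added example, not Dependency-Track's code, of how a client can detect that shape and resolve it safely. The sample claims are constructed to mirror the token quoted in the issue (placeholder values, not real identifiers); the `fetch_member_groups` callback, its signature, and the Microsoft Graph `getMemberGroups` call it stands in for are assumptions. The endpoint named in `_claim_sources` points at the legacy Azure AD Graph (graph.windows.net), so the example does not fetch it as given: it checks the host against an allow-list and hands resolution to the callback.

```python
"""Group resolution for an Azure AD ID token, including the groups-overage
case ("_claim_names"/"_claim_sources") seen in the issue above.

Added example, not Dependency-Track's own code.  The claim layout copies
the token quoted in the issue; the fetch_member_groups callback and the
Microsoft Graph call it stands in for are assumptions.
"""
from typing import Callable, Optional
from urllib.parse import urlparse

# Hosts a client may contact for a distributed (overage) claim.  The endpoint
# arrives inside the token, so it must never be fetched unvalidated: anything
# that could influence that value would otherwise turn the client into an
# authenticated HTTP client pointed wherever it likes.  graph.windows.net is
# the legacy Azure AD Graph the token still names; graph.microsoft.com is
# its replacement.
TRUSTED_CLAIM_SOURCE_HOSTS = frozenset({"graph.windows.net", "graph.microsoft.com"})


class GroupsOverage(Exception):
    """Groups were moved out of the token and could not be resolved."""


def validate_claim_source(endpoint: str) -> str:
    """Accept only an https URL on an allow-listed Microsoft host."""
    url = urlparse(endpoint)
    if url.scheme != "https" or url.hostname not in TRUSTED_CLAIM_SOURCE_HOSTS:
        raise GroupsOverage(f"refusing untrusted claim source {endpoint!r}")
    return endpoint


def resolve_groups(
    claims: dict,
    groups_claim: str = "groups",
    fetch_member_groups: Optional[Callable[[str, str], list]] = None,
) -> Optional[list]:
    """Return the user's groups, or None if the token carries no groups claim.

    Normal case: the claim is inline.  Overage case: Azure AD omits the claim
    and instead puts {"_claim_names": {"groups": "src1"}} plus a
    "_claim_sources" entry pointing at an API that must be queried.  A client
    that only reads claims[groups_claim] sees None here, which is the
    groups=null in the log above.
    """
    if groups_claim in claims:
        value = claims[groups_claim]
        return list(value) if isinstance(value, list) else [value]

    source_id = (claims.get("_claim_names") or {}).get(groups_claim)
    if source_id is None:
        return None  # claim genuinely absent (not configured, or no groups)

    source = (claims.get("_claim_sources") or {}).get(source_id) or {}
    endpoint = source.get("endpoint")
    if not endpoint:
        raise GroupsOverage(f"_claim_names refers to {source_id!r} but no endpoint is given")
    validate_claim_source(endpoint)

    if fetch_member_groups is None:
        raise GroupsOverage(
            "groups overage: membership must be fetched out of band "
            f"(token advertises {endpoint}); no resolver configured"
        )
    # Assumed resolver contract: (tenant_id, user_object_id) -> list of group
    # object IDs.  A real one would call Microsoft Graph
    #   POST https://graph.microsoft.com/v1.0/users/{oid}/getMemberGroups
    # with an application token, not the legacy endpoint named in the token.
    return list(fetch_member_groups(claims["tid"], claims["oid"]))


def assemble_profile(claims: dict, team_sync: bool, **kwargs) -> dict:
    """Mirror of the profile check in the log: with team sync on, missing
    groups make the profile incomplete and the login is rejected."""
    groups = resolve_groups(claims, **kwargs)
    if team_sync and groups is None:
        raise GroupsOverage("unable to assemble complete profile: groups missing")
    return {"subject": claims["sub"], "username": claims.get("preferred_username"),
            "groups": groups, "email": claims.get("email")}


# Constructed sample claims shaped like the token in the issue (placeholders,
# not real identifiers).
OVERAGE_CLAIMS = {
    "sub": "<SUBJECT>", "ver": "2.0", "tid": "<TENANT_ID>", "oid": "<USER_ID>",
    "aud": "<CLIENT_ID>", "preferred_username": "Bree@example.com",
    "email": "Bree@example.com", "roles": ["admin"],
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint":
        "https://graph.windows.net/<TENANT_ID>/users/<USER_ID>/getMemberObjects"}},
}
INLINE_CLAIMS = {**{k: v for k, v in OVERAGE_CLAIMS.items()
                    if not k.startswith("_claim_")},
                 "groups": ["<GROUP_ID_1>", "<GROUP_ID_2>"]}


if __name__ == "__main__":
    print(assemble_profile(INLINE_CLAIMS, team_sync=True))
    try:
        assemble_profile(OVERAGE_CLAIMS, team_sync=True)
    except GroupsOverage as exc:
        print("rejected:", exc)

    def stub_resolver(tenant_id: str, user_oid: str) -> list:
        return ["<GROUP_ID_1>"]  # stands in for the Graph call

    print(assemble_profile(OVERAGE_CLAIMS, team_sync=True,
                           fetch_member_groups=stub_resolver))
```

Run without a resolver, the overage token is rejected with a message that names the cause, instead of the generic "Unable to assemble complete profile" seen in the log; with a resolver wired in, the same token yields a complete profile. Note that the allow-list check alone does not make the legacy endpoint usable: the token does not carry credentials for it, and the client needs its own application token for Microsoft Graph, which is why the lookup is delegated to a callback rather than performed from the claim value.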

0 reactions
Breee commented, Nov 30, 2022

Would highly appreciate that; currently this is a massive blocker for us in pushing mass adoption of the tool within the company.
