Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Group Sync with Azure AD via graph.windows.net does not seem to work anymore.

See original GitHub issue

Current Behavior

Basic Information

We are using Azure AD as identity provider.
OIDC group sync does not work anymore for us.
If we disable group sync we can log in successfully.
Broken in 4.6.x, works in 4.5.x
We did not change Dependencytrack config, nor did we change our Azure AD app registration.

Configs

    - name: ALPINE_OIDC_ENABLED
       value: "true"
    - name: ALPINE_OIDC_CLIENT_ID
       value: <CLIENT_ID>
    - name: ALPINE_OIDC_ISSUER
      value: https://login.microsoftonline.com/<TENNANT_ID>/v2.0
    - name: ALPINE_OIDC_USERNAME_CLAIM
      value: preferred_username
    - name: ALPINE_OIDC_USER_PROVISIONING
      value: "true"
    - name: ALPINE_OIDC_TEAMS_CLAIM
       value: groups
    - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
      value: "true"

Claims + Logs

Logs:

2022-11-14 10:35:30,845 DEBUG [OidcConfigurationResolver] OIDC configuration loaded from cache
2022-11-14 10:35:30,845 DEBUG [OidcIdTokenAuthenticator] JWK set loaded from cache
2022-11-14 10:35:30,846 DEBUG [OidcIdTokenAuthenticator] ID token claims: {"sub":"<SUBJECT>","ver":"2.0","_claim_names":{"groups":"src1"},"aio":"<AIO>","roles":["admin"],"iss":"https:\/\/login.microsoftonline.com\/<TENANT_ID>\/v2.0","oid":"<USER_ID>","preferred_username":"Bree@example.com","uti":"<UTI>","tid":"<TENANT_ID>","aud":"<CLIENT_ID>","nbf":1668421830,"rh":"<RH>","wids":["<WID1>"],"_claim_sources":{"src1":{"endpoint":"https:\/\/graph.windows.net\/<TENANT_ID>\/users\/<USER_ID>\/getMemberObjects"}},"name":"Breesson, Bree","exp":1668425730,"iat":1668421830,"email":"Bree@example.com"}
2022-11-14 10:35:30,847 DEBUG [OidcAuthenticationService] ID token profile: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,089 DEBUG [OidcUserInfoAuthenticator] UserInfo response: {"sub":"<SUBJECT>","name":"Breesson, Bree","given_name":"Julian","family_name":"Loeffler","picture":"https:\/\/graph.microsoft.com\/v1.0\/me\/photo\/$value","email":"Bree@example.com"}
2022-11-14 10:35:31,089 DEBUG [OidcAuthenticationService] UserInfo profile: OidcProfile{subject='<SUBJECT>', username='null', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,089 DEBUG [OidcAuthenticationService] Merged profile: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}
2022-11-14 10:35:31,090 ERROR [OidcAuthenticationService] Unable to assemble complete profile (ID token: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'}, UserInfo: OidcProfile{subject='<SUBJECT>', username='null', groups=null, email='Bree@example.com'}, Merged: OidcProfile{subject='<SUBJECT>', username='Bree@example.com', groups=null, email='Bree@example.com'})
2022-11-14 10:35:31,090 INFO [UserResource] Unauthorized OpenID Connect login attempt / IP Address: xxxxxxxxxxxxxxx / User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

Dependency track received ID token contains something similar to:

{
    "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "ver": "2.0",
    "_claim_names": {
        "groups": "src1"
    },
    "aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "roles": [
        "admin"
    ],
    "iss": "https:\/\/login.microsoftonline.com\/xxxxxxxxxxxxxxxxxxxxxxxxx\/v2.0",
    "oid": "xxxxxxxxxxxxxxxxxxxxxxxx",
    "preferred_username": "Bree@example.com",
    "uti": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "tid": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "aud": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "nbf": 1668420930,
    "rh": "xxxxxxxxxxxxxxxxxxxxxxxxx",
    "wids": [
        "xxxxxxxxxxxxxxxxxxxxxxxxxx"
    ],
    "_claim_sources": {
        "src1": {
            "endpoint": "https:\/\/graph.windows.net\/xxxxxxxxxx\/users\/xxxxxxxxxxxx\/getMemberObjects"
        }
    },
    "name": "Breesson, Bree",
    "exp": 1668424830,
    "iat": 1668420930,
    "email": "Bree@example.com"
}

The interesting part here is

    "_claim_sources": {
        "src1": {
            "endpoint": "https:\/\/graph.windows.net\/xxxxxxxxxx\/users\/xxxxxxxxxxxx\/getMemberObjects"
        }
    },

I was not able to query this API endpoint myself successfully, so maybe something changed in the old graph.windows.net endpoint. Maybe you guys want to consider to migrate to graph.microsoft.com

Steps to Reproduce

Create an Azure AD app registration
Configure a groups claim for ID/Access tokens
Configure DTrack to use the Azure AD app as OIDC client and activate group sync
Login

Expected Behavior

groups are synced successfully

Dependency-Track Version

4.6.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

13.8

Browser

N/A

Checklist

I have read and understand the contributing guidelines
I have checked the existing issues for whether this defect was already reported

Issue Analytics

State:
Created 10 months ago
Comments:8 (3 by maintainers)

Top GitHub Comments

1reaction

nscurocommented, Nov 18, 2022

In the current OIDC logic we don’t handle any non-standard cases. In order to resolve this issue with Azure AD, we’d need to have extra logic in the profile creation to fetch groups from the AAD API if we encounter _claim_names claims.

0reactions

Breeecommented, Nov 30, 2022

Would highly appreciate that, currently this is a massive blocker for us to push mass adoption of the tool within the company