Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
OIDC issues with GCP
See original GitHub issueHi everyone !
I’m working on a deployment solution of Dependency Track for my company. I’m using the docker compose setup.
I’m currently stuck with the authentication. I want to use the OIDC feature to manage the users. But I’m facing an issue about how GCP answers to Dependency Track OIDC requests.
Current Behavior:
When I try to use OIDC to connect to Dependency Track, I get an error in the API container logs telling me that the OIDC profil isn’t complete. After a quick look, I see that I don’t get any group for my user. So I guess that Dependency Track can’t associate my user with a team. I’ll put the error logs and configuration details in the ‘Additional Details’ section.
Steps to Reproduce:
I configured the compose file accordingly to Dependency Track documentation. On the login form, I click the SSO button and connect to my GSuite account.
Expected Behavior:
I should be able to connect to Dependency Track with OIDC and get the permissions of the team I’m associated with.
Environment:
- Dependency-Track Version: 4.4.2
- Distribution: Docker
- Database Server: PostgreSQL
- Browser: Google Chrome
Additional Details:
Here is the error I get :
2022-04-21 08:09:17,261 ERROR [OidcAuthenticationService] Unable to assemble complete profile (ID token: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'}, UserInfo: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'}, Merged: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'})
Here is the API Server config:
- ALPINE_OIDC_ENABLED=true
- ALPINE_OIDC_ISSUER=https://accounts.google.com
- ALPINE_OIDC_CLIENT_ID=*****************************.apps.googleusercontent.com
- ALPINE_OIDC_USERNAME_CLAIM=email
- ALPINE_OIDC_TEAMS_CLAIM=groups
- ALPINE_OIDC_USER_PROVISIONING=true
- ALPINE_OIDC_TEAM_SYNCHRONIZATION=true
Here is the Front Server config:
- OIDC_ISSUER=https://accounts.google.com
- OIDC_CLIENT_ID=*****************************.apps.googleusercontent.com
- OIDC_SCOPE=profile openid email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly
- OIDC_FLOW=implicit
- OIDC_LOGIN_BUTTON_TEXT=Google SSO
There is a lot of scopes because I thought I needed all of these to get a group. Apparently it’s useless since I need some admin permissions in order to use them.
As a workaround, I thought a default group for all OIDC users would to the trick. Is this possible to create such a group ?
Also, I use “https://accounts.google.com” as my OIDC Issuer. As I was looking for a solution, I saw that the issuer should be “https://accounts.google.com/o/oauth2/auth”. I already tried this but Dependency Track can’t request this issuer and returns a 404 error.
Issue Analytics
- State:
- Created a year ago
- Comments:8 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@nscuro You’re right, I’ll try to contribute some documentation on how to set up Azure AD
@Rokkart I don’t think that’s possible yet, but that sounds like a good enhancement idea. Maybe every user should just be added to a Default group to make it easier for admins to manage permissions for new users