OIDC issues with GCP
Hi everyone!
I’m working on a deployment of Dependency Track for my company. I’m using the Docker Compose setup.
I’m currently stuck with the authentication. I want to use the OIDC feature to manage the users, but I’m facing an issue with how GCP answers Dependency Track’s OIDC requests.
Current Behavior:
When I try to use OIDC to connect to Dependency Track, I get an error in the API container logs telling me that the OIDC profile isn’t complete. After a quick look, I see that I don’t get any group for my user, so I guess that Dependency Track can’t associate my user with a team. I’ll put the error logs and configuration details in the ‘Additional Details’ section.
Steps to Reproduce:
I configured the compose file according to the Dependency Track documentation. On the login form, I click the SSO button and connect to my GSuite account.
Expected Behavior:
I should be able to connect to Dependency Track with OIDC and get the permissions of the team I’m associated with.
Environment:
- Dependency-Track Version: 4.4.2
- Distribution: Docker
- Database Server: PostgreSQL
- Browser: Google Chrome
Additional Details:
Here is the error I get:
2022-04-21 08:09:17,261 ERROR [OidcAuthenticationService] Unable to assemble complete profile (ID token: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'}, UserInfo: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'}, Merged: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'})
Here is the API Server config:
- ALPINE_OIDC_ENABLED=true
- ALPINE_OIDC_ISSUER=https://accounts.google.com
- ALPINE_OIDC_CLIENT_ID=*****************************.apps.googleusercontent.com
- ALPINE_OIDC_USERNAME_CLAIM=email
- ALPINE_OIDC_TEAMS_CLAIM=groups
- ALPINE_OIDC_USER_PROVISIONING=true
- ALPINE_OIDC_TEAM_SYNCHRONIZATION=true
Here is the Front Server config:
- OIDC_ISSUER=https://accounts.google.com
- OIDC_CLIENT_ID=*****************************.apps.googleusercontent.com
- OIDC_SCOPE=profile openid email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly
- OIDC_FLOW=implicit
- OIDC_LOGIN_BUTTON_TEXT=Google SSO
There are a lot of scopes because I thought I needed all of these to get a group. Apparently it’s useless, since I need some admin permissions in order to use them.
As a workaround, I thought a default group for all OIDC users would do the trick. Is it possible to create such a group?
Also, I use “https://accounts.google.com” as my OIDC Issuer. As I was looking for a solution, I saw that the issuer should be “https://accounts.google.com/o/oauth2/auth”. I already tried this but Dependency Track can’t request this issuer and returns a 404 error.
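The "Unable to assemble complete profile" log line above can be reproduced offline with a small model of the profile merge. This is an added example, not Dependency-Track's own code and not the poster's: it mirrors only the fields printed in the error (subject, username, groups, email) and the configured claim names (ALPINE_OIDC_USERNAME_CLAIM, ALPINE_OIDC_TEAMS_CLAIM, ALPINE_OIDC_TEAM_SYNCHRONIZATION). The ID tokens and UserInfo responses are constructed sample data; the Google-shaped claims use the standard OIDC claim set Google returns for `openid email profile` (sub, email, email_verified, name), which carries no group membership at all, while the second issuer https://idp.example.com, its `groups` claim and every subject value are hypothetical. Signature verification is deliberately skipped and marked as such; a real relying party validates the token before trusting any claim.

```python
"""Model of an OIDC profile merge, added as an illustration. It is NOT
Dependency-Track's code; it mirrors only the fields printed in the log line on
this page (subject, username, groups, email) and the configured claim names.
All tokens and UserInfo responses are constructed, unsigned sample data."""
import base64
import json
from dataclasses import dataclass
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Demo-only token with an empty signature part; never accept such tokens."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature. A real relying party
    checks signature, exp and aud against the issuer's JWKS before trusting any
    claim; this demo only inspects which claims are present."""
    return json.loads(b64url_decode(token.split(".")[1]))

@dataclass
class OidcProfile:
    subject: Optional[str] = None
    username: Optional[str] = None
    email: Optional[str] = None
    groups: Optional[list] = None

def profile_from_claims(claims: dict, username_claim: str, teams_claim: str) -> OidcProfile:
    """Map raw claims onto the profile using the configured claim names
    (the ALPINE_OIDC_USERNAME_CLAIM and ALPINE_OIDC_TEAMS_CLAIM values)."""
    return OidcProfile(subject=claims.get("sub"), username=claims.get(username_claim),
                       email=claims.get("email"), groups=claims.get(teams_claim))

def merge_profiles(from_id_token: OidcProfile, from_userinfo: OidcProfile) -> OidcProfile:
    """Prefer the ID token's value for each field and fall back to UserInfo."""
    return OidcProfile(
        subject=from_id_token.subject or from_userinfo.subject,
        username=from_id_token.username or from_userinfo.username,
        email=from_id_token.email or from_userinfo.email,
        groups=from_id_token.groups if from_id_token.groups is not None else from_userinfo.groups)

def assemble_profile(id_token: str, userinfo: dict, *, issuer: str, username_claim: str,
                     teams_claim: str, team_sync: bool) -> OidcProfile:
    """Return the merged profile, or raise ValueError when it cannot satisfy the config."""
    claims = decode_claims(id_token)
    # The token's `iss` must equal the configured issuer exactly. Google's ID tokens
    # carry https://accounts.google.com; an authorization-endpoint URL never matches.
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: token iss={claims.get('iss')!r}, configured={issuer!r}")
    merged = merge_profiles(profile_from_claims(claims, username_claim, teams_claim),
                            profile_from_claims(userinfo, username_claim, teams_claim))
    missing = [name for name, value in (("sub", merged.subject), (username_claim, merged.username))
               if value is None]
    # Team synchronization needs the teams claim; when neither source carries it
    # the profile is incomplete, which is the error shown on this page.
    if team_sync and merged.groups is None:
        missing.append(teams_claim)
    if missing:
        raise ValueError(f"Unable to assemble complete profile; missing claims: {missing}")
    return merged

def try_assemble(**kwargs):
    """Return (profile, None) on success or (None, error text) on failure."""
    try:
        return assemble_profile(**kwargs), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample data. The Google-shaped claims use the standard OIDC claim set
# returned for `openid email profile`, which contains no group claim at all.
GOOGLE_ISSUER = "https://accounts.google.com"
GOOGLE_CLAIMS = {"sub": "110169484474386276334", "email": "alice@example.com",
                 "email_verified": True, "name": "Alice Example"}
GOOGLE_ID_TOKEN = make_unsigned_jwt({"iss": GOOGLE_ISSUER, **GOOGLE_CLAIMS})
GOOGLE_USERINFO = dict(GOOGLE_CLAIMS)
# A hypothetical IdP that does emit a `groups` claim (e.g. through a custom mapper).
OTHER_ISSUER = "https://idp.example.com"
OTHER_CLAIMS = {"sub": "u-42", "email": "bob@example.com", "groups": ["developers"]}
OTHER_ID_TOKEN = make_unsigned_jwt({"iss": OTHER_ISSUER, **OTHER_CLAIMS})
OTHER_USERINFO = dict(OTHER_CLAIMS)

if __name__ == "__main__":
    for sync in (True, False):  # TEAM_SYNCHRONIZATION=true fails, =false logs in with groups=None
        print(sync, try_assemble(id_token=GOOGLE_ID_TOKEN, userinfo=GOOGLE_USERINFO, issuer=GOOGLE_ISSUER,
                                 username_claim="email", teams_claim="groups", team_sync=sync))
    print("idp", try_assemble(id_token=OTHER_ID_TOKEN, userinfo=OTHER_USERINFO, issuer=OTHER_ISSUER,
                              username_claim="email", teams_claim="groups", team_sync=True))
```

Running it shows the three outcomes that matter for this report: the Google-shaped login with team synchronization enabled fails with the teams claim missing, the same login with team synchronization disabled completes with groups=None (so the user lands in no team until an admin assigns one), and an IdP that actually emits a `groups` claim succeeds. Setting the issuer to the authorization endpoint fails the `iss` comparison; separately, OIDC discovery is fetched from `<issuer>/.well-known/openid-configuration`, which exists under https://accounts.google.com but not under that endpoint path, so the issuer value must stay https://accounts.google.com.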
Issue Analytics
- Created a year ago
- Comments: 8 (6 by maintainers)
Top GitHub Comments
@nscuro You’re right, I’ll try to contribute some documentation on how to set up Azure AD
@Rokkart I don’t think that’s possible yet, but that sounds like a good enhancement idea. Maybe every user should just be added to a Default group to make it easier for admins to manage permissions for new users