
OIDC issues with GCP


Hi everyone!

I’m working on a deployment solution of Dependency Track for my company. I’m using the docker compose setup.

I’m currently stuck with the authentication. I want to use the OIDC feature to manage the users. But I’m facing an issue with how GCP answers Dependency Track’s OIDC requests.

Current Behavior:

When I try to use OIDC to connect to Dependency Track, I get an error in the API container logs telling me that the OIDC profile isn’t complete. After a quick look, I see that I don’t get any group for my user. So I guess that Dependency Track can’t associate my user with a team. I’ll put the error logs and configuration details in the ‘Additional Details’ section.

Steps to Reproduce:

I configured the compose file according to the Dependency Track documentation. On the login form, I click the SSO button and connect to my GSuite account.

Expected Behavior:

I should be able to connect to Dependency Track with OIDC and get the permissions of the team I’m associated with.

Environment:

  • Dependency-Track Version: 4.4.2
  • Distribution: Docker
  • Database Server: PostgreSQL
  • Browser: Google Chrome

Additional Details:

Here is the error I get:

2022-04-21 08:09:17,261 ERROR [OidcAuthenticationService] Unable to assemble complete profile (ID token: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'}, UserInfo: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'}, Merged: OidcProfile{subject='*****************', username='**************@*********', groups=null, email='**************@*********'})

Here is the API Server config:

- ALPINE_OIDC_ENABLED=true
- ALPINE_OIDC_ISSUER=https://accounts.google.com
- ALPINE_OIDC_CLIENT_ID=*****************************.apps.googleusercontent.com
- ALPINE_OIDC_USERNAME_CLAIM=email
- ALPINE_OIDC_TEAMS_CLAIM=groups
- ALPINE_OIDC_USER_PROVISIONING=true
- ALPINE_OIDC_TEAM_SYNCHRONIZATION=true

Here is the Front Server config:

- OIDC_ISSUER=https://accounts.google.com
- OIDC_CLIENT_ID=*****************************.apps.googleusercontent.com
- OIDC_SCOPE=profile openid email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly
- OIDC_FLOW=implicit
- OIDC_LOGIN_BUTTON_TEXT=Google SSO

There are a lot of scopes because I thought I needed all of these to get a group. Apparently it’s useless since I need some admin permissions in order to use them.

As a workaround, I thought a default group for all OIDC users would do the trick. Is it possible to create such a group?

Also, I use “https://accounts.google.com” as my OIDC Issuer. As I was looking for a solution, I saw that the issuer should be “https://accounts.google.com/o/oauth2/auth”. I already tried this but Dependency Track can’t request this issuer and returns a 404 error.

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 8 (6 by maintainers)
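The log line above shows why team synchronization fails: the ID token and the UserInfo response both come back with `groups=null`, so the claim named by `ALPINE_OIDC_TEAMS_CLAIM` is never populated even though `ALPINE_OIDC_TEAM_SYNCHRONIZATION=true` requires it. The following script is an added diagnostic example, not Dependency-Track's own code: it decodes an ID token payload, builds the same three views the log prints (ID token, UserInfo, merged), and reports which configured claims are missing. The claim names come from the issue's `ALPINE_OIDC_*` settings; the sample tokens and UserInfo bodies are constructed, and the merge rule (prefer the ID token, fall back to UserInfo) is an assumption that approximates the log output rather than a description of the real implementation.

```python
"""Diagnose an incomplete OIDC profile against a configured claim mapping.

Added example for the issue above; not Dependency-Track code. The claim
names mirror ALPINE_OIDC_USERNAME_CLAIM / ALPINE_OIDC_TEAMS_CLAIM, the
sample tokens are constructed, and the merge rule is an assumption.
"""
import base64
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Claim mapping taken from the issue's API server configuration.
USERNAME_CLAIM = "email"
TEAMS_CLAIM = "groups"
TEAM_SYNCHRONIZATION = True


@dataclass
class OidcProfile:
    """The profile fields visible in the OidcProfile{...} log output."""
    subject: Optional[str] = None
    username: Optional[str] = None
    groups: Optional[List[str]] = None
    email: Optional[str] = None


def decode_jwt_payload(token: str) -> Dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature.

    This is only for inspecting a token you already hold while debugging;
    the relying party still has to validate signature, issuer and audience.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def profile_from_claims(claims: Dict) -> OidcProfile:
    """Map a claims dict (ID token payload or UserInfo body) onto the profile."""
    return OidcProfile(
        subject=claims.get("sub"),
        username=claims.get(USERNAME_CLAIM),
        groups=claims.get(TEAMS_CLAIM),
        email=claims.get("email"),
    )


def merge_profiles(id_token: OidcProfile, userinfo: OidcProfile) -> OidcProfile:
    """Assumed merge rule: prefer ID token values, fall back to UserInfo."""
    return OidcProfile(
        subject=id_token.subject or userinfo.subject,
        username=id_token.username or userinfo.username,
        groups=id_token.groups if id_token.groups is not None else userinfo.groups,
        email=id_token.email or userinfo.email,
    )


def missing_claims(profile: OidcProfile) -> List[str]:
    """Return the configured claims the merged profile still lacks."""
    missing = []
    if not profile.subject:
        missing.append("sub")
    if not profile.username:
        missing.append(USERNAME_CLAIM)
    if TEAM_SYNCHRONIZATION and profile.groups is None:
        missing.append(TEAMS_CLAIM)
    return missing


def diagnose(id_token: str, userinfo_claims: Dict) -> List[str]:
    """Full check: decode, map both sources, merge, and list missing claims."""
    merged = merge_profiles(profile_from_claims(decode_jwt_payload(id_token)),
                            profile_from_claims(userinfo_claims))
    return missing_claims(merged)


def make_unsigned_token(claims: Dict) -> str:
    """Build a constructed test JWT with an empty signature segment.

    Test data only: a real relying party must reject alg=none tokens.
    """
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample: a provider whose ID token and UserInfo carry no groups
# claim, which is the shape the issue's log line shows (groups=null).
NO_GROUPS_ID_TOKEN = make_unsigned_token({
    "iss": "https://accounts.google.com", "sub": "1234567890",
    "email": "user@example.com", "email_verified": True,
})
NO_GROUPS_USERINFO = {"sub": "1234567890", "email": "user@example.com"}

# Constructed sample: a provider configured to emit a groups claim.
GROUPS_ID_TOKEN = make_unsigned_token({
    "iss": "https://idp.example.com", "sub": "abc",
    "email": "user@example.com", "groups": ["developers"],
})
GROUPS_USERINFO = {"sub": "abc", "email": "user@example.com", "groups": ["developers"]}

if __name__ == "__main__":
    print("without groups claim ->", diagnose(NO_GROUPS_ID_TOKEN, NO_GROUPS_USERINFO))
    print("with groups claim    ->", diagnose(GROUPS_ID_TOKEN, GROUPS_USERINFO))
```

Run it against the token and UserInfo body captured from your own provider to see which of the three required fields is absent before changing scopes: adding Directory API scopes to the front-end `OIDC_SCOPE`, as the issue tried, cannot help when the provider simply does not place a `groups` claim in the ID token or UserInfo response.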

Top GitHub Comments

AbdelHajou commented, Apr 25, 2022 (1 reaction)

@nscuro You’re right, I’ll try to contribute some documentation on how to set up Azure AD

AbdelHajou commented, Apr 22, 2022 (1 reaction)

@Rokkart I don’t think that’s possible yet, but that sounds like a good enhancement idea. Maybe every user should just be added to a Default group to make it easier for admins to manage permissions for new users
