

[PLAT-16052]Fix SSO login and improve logging for easier debugging
Summary:
The JWT library was updated with commit D39576.
The newer version had breaking changes due to which SSO login no longer works on master.
Revert the change and improve logging for easier debugging.

Test Plan: Manually verified that SSO was breaking on master and works after the revert.

Reviewers: svarshney

Reviewed By: svarshney

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D39825
asharma-yb committed Nov 8, 2024
1 parent fa6ff5b commit 6b28bfd
Showing 2 changed files with 12 additions and 6 deletions.
2 changes: 1 addition & 1 deletion managed/build.sbt
Original file line number Diff line number Diff line change
Expand Up @@ -219,7 +219,7 @@ libraryDependencies ++= Seq(
"org.projectlombok" % "lombok" % "1.18.26",
"com.squareup.okhttp3" % "okhttp" % "4.12.0",
"com.fasterxml.jackson.dataformat" % "jackson-dataformat-xml" % "2.17.2",
"com.nimbusds" % "nimbus-jose-jwt" % "9.37.2",
"com.nimbusds" % "nimbus-jose-jwt" % "7.9",
"io.kamon" %% "kamon-bundle" % "2.5.9",
"io.kamon" %% "kamon-prometheus" % "2.5.9",
"org.unix4j" % "unix4j-command" % "0.6",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ public Users findUserByEmailOrCreateNewUser(Request request, String email) {
user.setRole(userRole);
user.setUserType(UserType.oidc);
} else {
log.info("Adding new user with email: " + email);
user = Users.create(email, getRandomPassword(), userRole, custUUID, false, UserType.oidc);
}

Expand All @@ -154,6 +155,7 @@ private Set<UUID> getRolesFromGroupMemberships(
OidcProfile profile = (OidcProfile) getProfile(request);
JWT idToken = profile.getIdToken();
List<String> groups;
String groupsClaim = confGetter.getGlobalConf(GlobalConfKeys.oidcGroupClaim);

// If the IdP is Azure we need to fetch groups from Microsoft endpoint since group names are
// not returned in ID token
Expand All @@ -163,13 +165,16 @@ private Set<UUID> getRolesFromGroupMemberships(
idToken.getJWTClaimsSet().getStringClaim("oid"),
profile.getAccessToken().toAuthorizationHeader());
} else {
groups =
idToken
.getJWTClaimsSet()
.getStringListClaim(confGetter.getGlobalConf(GlobalConfKeys.oidcGroupClaim));
groups = idToken.getJWTClaimsSet().getStringListClaim(groupsClaim);
}
// return if groups claim not found in token
if (groups == null) {
if (groups == null || groups.isEmpty()) {
String msg =
String.format(
"Failed to fetch groups from ID token for user: %s. Please make sure field %s is"
+ " present in the ID token. User will be assigned the default role.",
getEmailFromCtx(request), groupsClaim);
log.warn(msg);
return roles;
}
log.info("List of user's groups = {}", groups.toString());
Expand Down Expand Up @@ -207,6 +212,7 @@ private boolean isIdpAzure(String issuer) {
* @return The list of group names.
*/
private List<String> getMsGroupsList(String userID, String authHeader) {
log.info("Trying to fetch group memberships from Microsoft endpoint.");
String url = String.format(MS_MEMBEROF_API, userID);
Map<String, String> headers = new HashMap<>();
headers.put("Authorization", authHeader);
Expand Down
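Review bot: The new warning in getRolesFromGroupMemberships tells the operator that the groups claim is missing, but the widened guard `if (groups == null || groups.isEmpty())` also fires when the claim is present and empty, so the message misdiagnoses that case; phrasing such as `"Please make sure field %s is present and non-empty in the ID token."` covers both and serves the debugging goal of this commit. That block also goes through String.format and an intermediate `msg` while the log line just below it uses the SLF4J placeholder form, and the new user-creation log in findUserByEmailOrCreateNewUser concatenates the email; `log.info("Adding new user with email: {}", email);` and `log.warn("Failed to fetch groups from ID token for user: {}. Please make sure field {} is present and non-empty in the ID token. User will be assigned the default role.", getEmailFromCtx(request), groupsClaim);` keep the section consistent and drop the intermediate variable. Both enclosing methods start and end outside their hunks, so whether `roles` is empty at the early return cannot be confirmed from here.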
