From 6b28bfd074fd05a61a04afc5ae91124d3b72b6cb Mon Sep 17 00:00:00 2001
From: Ayush Sharma
Date: Fri, 8 Nov 2024 05:53:04 +0000
Subject: [PATCH] [PLAT-16052]Fix SSO login and improve logging for easier debugging
Summary: The JWT library was updated with commit D39576. The newer version had breaking changes due to which SSO login on no longer works on master. Revert the change and improve logging for easier debugging.
Test Plan: Manually verified that SSO was breaking on master and works after the revert.
Reviewers: svarshney
Reviewed By: svarshney
Subscribers: yugaware
Differential Revision: https://phorge.dev.yugabyte.com/D39825
---
 managed/build.sbt | 2 +-
 .../handlers/ThirdPartyLoginHandler.java | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/managed/build.sbt b/managed/build.sbt
index e30b2b59d256..00e4574e800b 100644
--- a/managed/build.sbt
+++ b/managed/build.sbt
@@ -219,7 +219,7 @@ libraryDependencies ++= Seq(
   "org.projectlombok" % "lombok" % "1.18.26",
   "com.squareup.okhttp3" % "okhttp" % "4.12.0",
   "com.fasterxml.jackson.dataformat" % "jackson-dataformat-xml" % "2.17.2",
-  "com.nimbusds" % "nimbus-jose-jwt" % "9.37.2",
+  "com.nimbusds" % "nimbus-jose-jwt" % "7.9",
   "io.kamon" %% "kamon-bundle" % "2.5.9",
   "io.kamon" %% "kamon-prometheus" % "2.5.9",
   "org.unix4j" % "unix4j-command" % "0.6",
diff --git a/managed/src/main/java/com/yugabyte/yw/controllers/handlers/ThirdPartyLoginHandler.java b/managed/src/main/java/com/yugabyte/yw/controllers/handlers/ThirdPartyLoginHandler.java
index e8055a3bfa11..303922290087 100644
--- a/managed/src/main/java/com/yugabyte/yw/controllers/handlers/ThirdPartyLoginHandler.java
+++ b/managed/src/main/java/com/yugabyte/yw/controllers/handlers/ThirdPartyLoginHandler.java
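Review bot: The `+` line pins nimbus-jose-jwt to 7.9, several major versions behind the 9.37.2 it replaces, in the library that parses and verifies the SSO ID tokens; a multi-major downgrade of a token-handling dependency is a supply-chain and security regression, not just a build fix. Please confirm 7.9 is the exact version the earlier commit D39576 replaced (the message says "revert", but only the new pin is visible here), and prefer adapting the call sites to the 9.x API, or at least pinning the newest release that still compiles, over going back to a 2019-era line. Whichever version is kept, annotate the line so a later dependency sweep does not silently undo it, e.g. `// pinned: newer versions break OIDC login (PLAT-16052); re-test SSO before bumping`. The specific breaking change is not visible in this diff.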
@@ -128,6 +128,7 @@ public Users findUserByEmailOrCreateNewUser(Request request, String email) {
       user.setRole(userRole);
       user.setUserType(UserType.oidc);
     } else {
+      log.info("Adding new user with email: " + email);
       user =
           Users.create(email, getRandomPassword(), userRole, custUUID, false, UserType.oidc);
     }
@@ -154,6 +155,7 @@ private Set getRolesFromGroupMemberships(
     OidcProfile profile = (OidcProfile) getProfile(request);
     JWT idToken = profile.getIdToken();
     List groups;
+    String groupsClaim = confGetter.getGlobalConf(GlobalConfKeys.oidcGroupClaim);
 
     // If the IdP is Azure we need to fetch groups from Microsoft endpoint since group names are
     // not returned in ID token
@@ -163,13 +165,16 @@ private Set getRolesFromGroupMemberships(
               idToken.getJWTClaimsSet().getStringClaim("oid"),
               profile.getAccessToken().toAuthorizationHeader());
     } else {
-      groups =
-          idToken
-              .getJWTClaimsSet()
-              .getStringListClaim(confGetter.getGlobalConf(GlobalConfKeys.oidcGroupClaim));
+      groups = idToken.getJWTClaimsSet().getStringListClaim(groupsClaim);
     }
     // return if groups claim not found in token
-    if (groups == null) {
+    if (groups == null || groups.isEmpty()) {
+      String msg =
+          String.format(
+              "Failed to fetch groups from ID token for user: %s. Please make sure field %s is"
+                  " present in the ID token. User will be assigned the default role.",
+              getEmailFromCtx(request), groupsClaim);
+      log.warn(msg);
       return roles;
     }
     log.info("List of user's groups = {}", groups.toString());
@@ -207,6 +212,7 @@ private boolean isIdpAzure(String issuer) {
    * @return The list of group names.
    */
   private List getMsGroupsList(String userID, String authHeader) {
+    log.info("Trying to fetch group memberships from Microsoft endpoint.");
     String url = String.format(MS_MEMBEROF_API, userID);
     Map headers = new HashMap<>();
     headers.put("Authorization", authHeader);
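Review bot: The added `log.info("Adding new user with email: " + email)` builds the message by string concatenation, while the rest of this file uses SLF4J placeholders (`log.info("List of user's groups = {}", ...)` in a later hunk); change it to `log.info("Adding new user with email: {}", email);` for consistency and to skip formatting when INFO is disabled. The email is end-user PII that will now land in the application log on every first OIDC login, so consider whether DEBUG is the more appropriate level for this line. The enclosing findUserByEmailOrCreateNewUser method continues outside the hunk.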
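Review bot: The warning added under `groups == null || groups.isEmpty()` tells the operator that claim `%s` (groupsClaim) is missing from the ID token, but on the Azure branch just above, groups come from getMsGroupsList via the Microsoft endpoint and the claim is never consulted, so for Azure users the message blames the wrong thing. Branch the text on the source that was used: keep the current wording for the claim path and log something like `"No group memberships returned by the Microsoft endpoint for user: %s. User will be assigned the default role."` on the Azure path. Note also that, as before this change, a missing or empty group list falls through to the default role rather than rejecting the login; if group-based role mapping is the intended authorization source, confirm this fail-open behaviour is deliberate and say so on the `// return if groups claim not found in token` comment. Pre-formatting into `msg` and then calling `log.warn(msg)` can be collapsed into a single parameterized `log.warn(...)` with `{}` placeholders, matching the file's other log calls. getRolesFromGroupMemberships starts and continues outside the hunk.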
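Review bot: The new `log.info("Trying to fetch group memberships from Microsoft endpoint.")` carries no identifier, so it cannot be correlated with the per-user warning that the caller emits when the lookup comes back empty; include the user id, `log.info("Fetching group memberships from Microsoft endpoint for user id {}", userID);` (the `oid` claim passed in by the caller, not a secret). Make sure `authHeader` stays out of every log line in this method, since it is built from the access token via `toAuthorizationHeader()`. getMsGroupsList continues outside the hunk.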