Generic OIDC group scope is not sent in the request formed by the UI #12477

Closed
gaktive opened this issue Nov 1, 2024 · 10 comments · Fixed by #13514
Comments

@gaktive
Member

gaktive commented Nov 1, 2024

Internal reference: SURE-9143
Reported in 2.9.2

Issue description:
Despite adding the "groups" scope in the OIDC config, the generated request does not include the "groups" scope.

Repro steps:
OIDC configured and checked the generated request.

Workaround:
None

Actual behavior:
The request does not contain the group scope despite being configured.

Expected behavior:
Expect the generated request to contain the group scope.

@mantis-toboggan-md was able to reproduce this issue and confirm it is a UI bug:

The UI ignores configured scopes and always uses the values configured here https://github.com/rancher/dashboard/blob/master/shell/store/auth.js#L16. Likely, we need to update the redirectTo method in that file to fetch the genericoidc authconfig object and use its scope field to construct the redirect url, instead of that list of defaults.

@gaktive gaktive added this to the v2.11.0 milestone Nov 1, 2024
@github-actions github-actions bot added the QA/dev-automation Issues that engineers have written automation around so QA doesn't have look at this label Nov 1, 2024
@mantis-toboggan-md mantis-toboggan-md added QA/manual-test Indicates issue requires manually testing and removed QA/dev-automation Issues that engineers have written automation around so QA doesn't have look at this labels Nov 1, 2024
@gaktive
Member Author

gaktive commented Nov 12, 2024

/backport v2.10.1

@cnotv
Member

cnotv commented Jan 31, 2025

@mantis-toboggan-md I see no mention of groups whatsoever in the whole store or auth util, is it missing or?

@cnotv
Member

cnotv commented Jan 31, 2025

Thanks @mantis-toboggan-md for clarifying in chat.
For the record, we are talking about the scopes on this page not being honored when generating a redirect URL:

[Image]

@cnotv
Member

cnotv commented Feb 7, 2025

Just for the record, we will write a lot of unit tests for this process, as there are none, given that it is old code.
This seems to cover:

  • View
  • State, several parts
  • Shared logic (mixin)

@cnotv
Member

cnotv commented Feb 12, 2025

Pushing to v2.12.0 as I have to prioritize SCC

@cnotv
Member

cnotv commented Feb 14, 2025

@gaktive looks like we still have time for the remaining development of SCC. Also, I've finally identified the issue with the help of @mantis-toboggan-md.

Setting back milestone to 2.11.0.

@cnotv
Member

cnotv commented Feb 21, 2025

After finally managing to add scopes to the URL, it seems some kind of validation is preventing us from achieving the requirements.

[Image]

Query parameters with default scopes: scope=openid%20profile%20email
Query parameters with scopes from UI: scope=openid%20profile%20email%20group

Need to investigate this new issue.
The origin of this validation is unclear, as all the requests in the network have status 200.

@cnotv
Member

cnotv commented Feb 26, 2025

For the record: Scopes must also be added to the clientID group configuration or that error is returned from the redirect authentication.
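
The two points made in this thread, building the redirect URL from the configured scope field rather than a hard-coded default list (the fix proposed in the first comment), and the provider rejecting a scope that is not registered for the client (the comment above), can be shown together. The following is an added example written for this page; it is not code from rancher/dashboard, and the field names `authConfig.scope`, `authConfig.clientId` and `authConfig.authEndpoint`, the `DEFAULT_SCOPES` list and the helper names are assumptions for illustration only.

```javascript
// Added example, not rancher/dashboard code. The hard-coded default scope list
// the issue describes is modelled here as DEFAULT_SCOPES (assumed contents).
const DEFAULT_SCOPES = ['openid', 'profile', 'email'];

// Accept the scope field as either an array or a space/comma separated string.
function normaliseScopes(scopeField) {
  if (!scopeField) return [];
  const list = Array.isArray(scopeField) ? scopeField : String(scopeField).split(/[\s,]+/);
  return list.map((s) => s.trim()).filter(Boolean);
}

// Build the authorization redirect URL from the authconfig's own scope field,
// falling back to the defaults only when nothing is configured. 'openid' is
// mandatory for an OIDC request, so it is always present; duplicates are dropped.
// `state` is passed in by the caller (in production it must be a random,
// per-login value checked on the callback).
function buildAuthorizeUrl(authConfig, redirectUri, state) {
  let scopes = normaliseScopes(authConfig.scope);
  if (scopes.length === 0) scopes = [...DEFAULT_SCOPES];
  if (!scopes.includes('openid')) scopes.unshift('openid');
  scopes = [...new Set(scopes)];

  const params = {
    client_id: authConfig.clientId,
    response_type: 'code',
    redirect_uri: redirectUri,
    scope: scopes.join(' '), // encodeURIComponent renders the spaces as %20
    state,
  };
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join('&');
  return `${authConfig.authEndpoint}?${query}`;
}

// Read the scope list back out of a redirect URL (what the provider sees).
function scopesFromUrl(url) {
  const scope = new URL(url).searchParams.get('scope') || '';
  return scope.split(' ').filter(Boolean);
}

// Provider-side view of the second problem in the thread: any requested scope
// that is not registered on the client configuration is reported back, which is
// why adding "groups" to the URL alone produced an error.
function unregisteredScopes(url, clientAllowedScopes) {
  const allowed = new Set(clientAllowedScopes);
  return scopesFromUrl(url).filter((s) => !allowed.has(s));
}

// Constructed sample configuration, not taken from a real deployment.
const sampleConfig = {
  clientId: 'example-client-id',
  authEndpoint: 'https://idp.example.test/authorize',
  scope: 'openid profile email groups',
};

module.exports = { DEFAULT_SCOPES, buildAuthorizeUrl, scopesFromUrl, unregisteredScopes, sampleConfig };
```

Running `buildAuthorizeUrl(sampleConfig, 'https://rancher.example.test/verify-auth', 'constructed-state')` yields a `scope=openid%20profile%20email%20groups` parameter, matching the shape of the query strings quoted earlier in the thread; checking that URL against a client registered with only the three default scopes reports `groups` as unregistered, which is the condition the comment above describes.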

@cnotv
Member

cnotv commented Mar 11, 2025

/backport v2.9.8

@IsaSih
Contributor

IsaSih commented Mar 13, 2025

Validated in
Rancher | v2.11-94853c35bd1e02cf8aa114be4016bc3699288c6a-head
Dashboard | master 9b894b4
Rancher CLI | v2.11.0-rc.1

The formed URL from Rancher to the Auth Provider includes all of the scopes

@IsaSih IsaSih closed this as completed Mar 13, 2025