OIDC-176

Allowed Group doesn't work when no value is sent back for the groups claim


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 2.8.4
    • 2.8.3
    • Authenticator
    • None
    • Unknown

    Description

      also on https://forum.xwiki.org/t/oidc-allowed-groups-prefix/14419/8?u=schnutz

      It looks like the “allowed group” is only working, when at least one group is sent (based on the prefix, if set).

      I’ve invited a guest user in our tenant, but this user has no xwiki-relevant group. And this user can login and doesn’t get the error “it’s not a member of the following group”.
      Maybe the “lookup” on the empty group-set doesn’t work for allowed-groups.

      This is the part of the logs:

      DEBUG o.x.c.o.a.i.OIDCUserManager    - Getting groups sent by the provider associated with claim [groups]
      DEBUG o.x.c.o.a.i.OIDCUserManager    - Groups claim not found in userInfo token. Trying idToken
      DEBUG o.x.c.o.a.i.OIDCUserManager    - The provider did not sent any group
      DEBUG o.x.c.o.a.i.OIDCUserManager    - Checking allowed groups
      WARN  o.x.c.o.a.i.OIDCUserManager    - Failed to get user avatar from URL [https://graph.microsoft.com/v1.0/me/photo/$value]: IOException: Server returned HTTP response code: 401 for URL: https://graph.microsoft.com/v1.0/me/photo/$value
      DEBUG o.x.c.o.a.i.OIDCUserManager    - Updating XWiki claims

      Only “checking allowed groups” and that’s it.
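Added illustration of the behaviour described in this report (this is not the XWiki OIDC authenticator's code; the claim lookup, prefix filter and allowed-group configuration are constructed for the example). It shows a check that only enforces the allowed groups when the provider sent at least one group, next to a corrected check that treats a missing or empty group set as a denial whenever allowed groups are configured.

```python
"""Added example, not the OIDC authenticator's own code: allowed-groups
enforcement when the provider sends no groups claim at all."""
from typing import Iterable, Optional

# Constructed sample configuration (hypothetical values).
ALLOWED_GROUPS = {"xwiki-users", "xwiki-admins"}
GROUP_PREFIX = "xwiki-"


def extract_groups(userinfo: dict, id_token: dict,
                   claim: str = "groups") -> Optional[list]:
    """Mirror the log lines above: look for the claim in userInfo first,
    then in the id token. Returns None when neither token carries it,
    i.e. the provider did not send any group."""
    for token in (userinfo, id_token):
        if claim in token:
            value = token[claim]
            return [value] if isinstance(value, str) else list(value)
    return None


def filter_by_prefix(groups: Iterable[str], prefix: str) -> set:
    """Keep only the groups that are relevant to the wiki (prefix match)."""
    return {g for g in groups if g.startswith(prefix)}


def allowed_groups_check_buggy(groups, allowed) -> bool:
    # Defect: when no group (or no prefixed group) arrived, the check is
    # skipped and the user is let in without proving membership.
    if groups:
        return bool(set(groups) & allowed)
    return True


def allowed_groups_check_fixed(groups, allowed) -> bool:
    # Correct: with allowed groups configured, membership must be proven;
    # a missing or empty group set is a denial, not a pass.
    if not allowed:
        return True
    if not groups:
        return False
    return bool(set(groups) & allowed)


def can_login(userinfo: dict, id_token: dict, allowed=ALLOWED_GROUPS,
              prefix=GROUP_PREFIX, check=allowed_groups_check_fixed) -> bool:
    """Decide whether the authenticated user may log in."""
    groups = extract_groups(userinfo, id_token)
    if groups is not None:
        groups = filter_by_prefix(groups, prefix)
    return check(groups, allowed)


if __name__ == "__main__":
    # Constructed tokens: a guest with no groups claim, and a real member.
    guest = ({"sub": "guest"}, {"sub": "guest"})
    member = ({"sub": "m"}, {"sub": "m", "groups": ["xwiki-users"]})
    print("guest, buggy check :", can_login(*guest, check=allowed_groups_check_buggy))
    print("guest, fixed check :", can_login(*guest))
    print("member, fixed check:", can_login(*member))
```

The buggy variant reproduces the report: the guest has no groups claim in either token, so the check short-circuits and login succeeds. The fixed variant also rejects a user whose only groups fall outside the configured prefix, since the filtered set is empty in that case too.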


People

  tmortagne Thomas Mortagne
  schnutz Gerd Schnoetzinger
  Votes: 0
  Watchers: 0
