Details
Bug
Resolution: Fixed
Critical
2.8.3
None
Unknown
Description
Also on https://forum.xwiki.org/t/oidc-allowed-groups-prefix/14419/8?u=schnutz
It looks like the “allowed group” is only working when at least one group is sent (based on the prefix, if set).
I’ve invited a guest user in our tenant, but this user has no xwiki-relevant group. And this user can log in and doesn’t get the error “it’s not a member of the following group”.
Maybe the “lookup” on the empty group-set doesn’t work for allowed-groups.
This is the part of the logs:
DEBUG o.x.c.o.a.i.OIDCUserManager - Getting groups sent by the provider associated with claim [groups]
DEBUG o.x.c.o.a.i.OIDCUserManager - Groups claim not found in userInfo token. Trying idToken
DEBUG o.x.c.o.a.i.OIDCUserManager - The provider did not sent any group
DEBUG o.x.c.o.a.i.OIDCUserManager - Checking allowed groups
WARN o.x.c.o.a.i.OIDCUserManager - Failed to get user avatar from URL [https://graph.microsoft.com/v1.0/me/photo/$value]: IOException: Server returned HTTP response code: 401 for URL: https://graph.microsoft.com/v1.0/me/photo/$value
DEBUG o.x.c.o.a.i.OIDCUserManager - Updating XWiki claims
Only “checking allowed groups” and that’s it.
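The failure mode suspected in this report, as an added example (not the OIDC authenticator's code and not the fix that was applied): an allowed-groups check that fails open on an empty group set, beside one that fails closed. The class and method names, the prefix and the group values are constructed for illustration, and prefix handling is assumed to be a plain starts-with filter.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration with hypothetical names; not the OIDC authenticator's code.
public class AllowedGroupsCheck {

    // Keep only the provider groups that carry the configured prefix (assumed: plain filter).
    static Set<String> relevantGroups(List<String> providerGroups, String prefix) {
        if (providerGroups == null) {
            return Set.of();
        }
        return providerGroups.stream()
            .filter(g -> prefix == null || g.startsWith(prefix))
            .collect(Collectors.toSet());
    }

    // Fail-open: the comparison only happens when at least one relevant group was sent,
    // so a user with no relevant group is never checked against the allowed list.
    static boolean isAllowedFailOpen(List<String> providerGroups, String prefix, Set<String> allowed) {
        Set<String> groups = relevantGroups(providerGroups, prefix);
        if (allowed.isEmpty() || groups.isEmpty()) {
            return true;
        }
        return groups.stream().anyMatch(allowed::contains);
    }

    // Fail-closed: once an allowed list is configured, an empty group set is a denial.
    static boolean isAllowedFailClosed(List<String> providerGroups, String prefix, Set<String> allowed) {
        if (allowed.isEmpty()) {
            return true; // no restriction configured
        }
        return relevantGroups(providerGroups, prefix).stream().anyMatch(allowed::contains);
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("xwiki-editors");   // constructed sample configuration
        String prefix = "xwiki-";                        // constructed sample prefix
        List<List<String>> users = List.of(
            List.of("xwiki-editors", "hr-staff"),        // member of an allowed group
            List.of(),                                   // guest: provider sent no group
            List.of("hr-staff"));                        // nothing survives the prefix filter
        for (List<String> groups : users) {
            System.out.println(groups + " fail-open=" + isAllowedFailOpen(groups, prefix, allowed)
                + " fail-closed=" + isAllowedFailClosed(groups, prefix, allowed));
        }
    }
}
```

The second and third sample users are the cases to regression-test: both end up with an empty relevant group set, and only the fail-closed variant denies them.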