search

DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.43k stars 529 forks source link

Can't get teams synchronized/OIDC groups added with GitLab OIDC #3850

Closed veselov closed 2 weeks ago

veselov commented 2 weeks ago

Current Behavior

  1. User logs in through OIDC
  2. UI displays a stack of 403s,
  3. Logging in through built-in admin shows no teams from group list, no "OpenID Connect Groups". "OpenID" Connect User does appear (after first GitLab login).
  4. Creating a team matching a Gitlab group name, with permissions, also shows 403s at step 2 for a GitLab user that's in that group.

Backend shows just this:

dtrack-apiserver-1  | 2024-06-14 17:29:50,741 INFO [UserResource] Successful OpenID Connect login / username: pawel / IP Address: 172.18.0.1 / User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36

I'm not sure whether I'm missing something (and it does honestly feel like I am), but at this point I've exhausted my search capacity to find what that might be.

Steps to Reproduce

So far, reading docs available at https://docs.dependencytrack.org/getting-started/openidconnect-configuration/#gitlab-gitlabcom, I've set up:

      - ALPINE_OIDC_ENABLED=true
      - ALPINE_OIDC_ISSUER=https://xxx
      - ALPINE_OIDC_CLIENT_ID=xxx
      - ALPINE_OIDC_USERNAME_CLAIM=preferred_username
      - ALPINE_OIDC_TEAMS_CLAIM=groups_direct
      - ALPINE_OIDC_USER_PROVISIONING=true
      - ALPINE_OIDC_TEAM_SYNCHRONIZATION=true

GitLab application configuration has:

The JWx that DT sends to GitLab for logging in:

{
  "iss": "https://gitlab",
  "sub": "15",
  "aud": "xxx",
  "exp": 1718381525,
  "iat": 1718381405,
  "auth_time": 1717682667,
  "sub_legacy": "some-hex-code",
  "name": "Pawel Veselov",
  "nickname": "pawel",
  "preferred_username": "pawel",
  "email": "pawel.veselov@",
  "email_verified": true,
  "profile": "https://gitlab.../pawel",
  "groups_direct": [ "g1","g2", ...  ]
}

I didn't see a groups claim here, so I set ALPINE_OIDC_TEAMS_CLAIM to groups_direct. The login response from GitLab:

{"sub":"pawel","iss":"Dependency-Track","iat":1718381406,"exp":1718986206,"permissions":"","idp":"OPENID_CONNECT"}

And config.json (as seen by the browser):

{
  "API_BASE_URL": "https://dtrack",
  "API_WITH_CREDENTIALS": null,
  "OIDC_ISSUER": "https://gitlab",
  "OIDC_CLIENT_ID": "xxx",
  "OIDC_SCOPE": "openid profile email",
  "OIDC_FLOW": null,
  "OIDC_LOGIN_BUTTON_TEXT": null
}

Expected Behavior

After attempted GitLab login, even though there are no available permissions, the groups from GitLab are synchronized with DT teams. If not, then at least if there is a matching group, access should be granted.

Dependency-Track Version

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

valentijnscholten commented 2 weeks ago

I believe if you set the log level to DEBUG, you'll see more info about how DT is reconciling the OIDC tokens, groups, etc.

veselov commented 2 weeks ago

Manually adding the a group (that a GitLab user is a member of) to "OIDC connected group", mapping it to a team, and assigning permissions work.

I was under the impression that at least the "OIDC Connected Group" table should be populated automatically...

veselov commented 2 weeks ago

I believe if you set the log level to DEBUG, you'll see more info about how DT is reconciling the OIDC tokens, groups, etc.

Yeah, that does print out a bunch of Unknown OpenID Connect group XXX messages for all groups that are not manually added to that list.

valentijnscholten commented 2 weeks ago

Might be a good thing if you have 10k+ AD groups like I do 🤓

nscuro commented 2 weeks ago

It's indeed intentional that admins should make a conscious decision as to what groups they want to accept into DT.

Am I following this thread correctly in that the issue has been resolved?

veselov commented 2 weeks ago

Yes, it's totally my fault, as I failed to read this specific part: https://docs.dependencytrack.org/getting-started/openidconnect-configuration/#how-openid-connect-claims-are-mapped.

Also, I didn't need to use groups_direct claim. It's true that the claim doesn't show up in the "ID token", but DT apparently makes a userinfo request to OIDC, and gets the groups from the response (https://docs.gitlab.com/ee/integration/openid_connect_provider.html).

Thank you, everybody, and apologies for unnecessary commotion.

nscuro commented 2 weeks ago

No worries, it could just as well have been a bug. Please let us know when you run into other issues!