OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

OpenIDConnectStrategy ERROR for user with more than 15 groups #4924

Closed Tonnulus closed 8 months ago

Tonnulus commented 11 months ago

Description

Users belonging to more than 15 groups who try to connect to OpenCTI with OpenIDConnectStrategy are redirected to the same login page with the cookie opencti_flash: Invalid%20authentication%2C%20please%20ask%20your%20administrator, without any error in the browser. In the OpenCTI node logs (with info and debug mode):

{"category":"APP","level":"error","message":"Error login through provider oic","timestamp":"2023-11-07T09:38:17.710Z","version":"5.11.12"}

Environment

  1. OpenCTI 5.11.12 on Debian with docker
  2. Keycloak 18.0.2
  3. Client: Chrome, Firefox

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Configure OpenIDConnectStrategy
  2. Create a user who can connect to OpenCTI
  3. Add the user to 15 groups
  4. This same user will no longer be able to log in unless you remove some groups

Expected Output

Login

Actual Output

[screenshot omitted]

Additional information

Logs are needed to effectively debug this type of problem.

  PROVIDERS__LOCAL__STRATEGY: LocalStrategy
  PROVIDERS__OPENID__STRATEGY: OpenIDConnectStrategy
  PROVIDERS__OPENID__CONFIG__LABEL: "Login with Keycloak"
  PROVIDERS__OPENID__CONFIG__ISSUER: https://auth.lan.com/auth/realms/main
  PROVIDERS__OPENID__CONFIG__CLIENT_ID: oidc-opencti-prd
  PROVIDERS__OPENID__CONFIG__CLIENT_SECRET: ${OPENCTI_OPENID_CLIENT_SECRET}
  PROVIDERS__OPENID__CONFIG__REDIRECT_URIS: '["https://opencti/auth/oic/callback"]'
  PROVIDERS__OPENID__CONFIG__AUTO_CREATE_GROUP: "true"
  PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING: '[XXX]'
  PROVIDERS__OPENID__CONFIG__ROLES_SCOPE: opencti
  PROVIDERS__OPENID__CONFIG__GROUPS_SCOPE: opencti
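
Added here as an example, not code from the issue or from OpenCTI: a small Python diagnostic that nests the PROVIDERS__* keys shown above into a config dict and inspects the group claim of a constructed, unsigned ID token, so an administrator can see how many groups the IdP actually sent for a user who fails to log in. The claim name `groups`, the lower-casing of keys and the nconf-style `__` nesting are assumptions.

```python
import base64
import json

# Threshold from the issue: users in more than 15 groups could not log in.
GROUP_LIMIT_SEEN_IN_ISSUE = 15

# Constructed sample mirroring the keys shown in the issue (secret omitted).
SAMPLE_ENV = {
    "PROVIDERS__OPENID__STRATEGY": "OpenIDConnectStrategy",
    "PROVIDERS__OPENID__CONFIG__REDIRECT_URIS": '["https://opencti/auth/oic/callback"]',
    "PROVIDERS__OPENID__CONFIG__GROUPS_MANAGEMENT__GROUPS_MAPPING": "[XXX]",
    "PROVIDERS__OPENID__CONFIG__GROUPS_SCOPE": "opencti",
}


def parse_env_config(env):
    """Nest KEY__SUB__LEAF pairs into dicts (lower-cased, as nconf-style
    loaders do; assumed) and JSON-decode values that look like arrays/objects."""
    config = {}
    for key, value in env.items():
        node = config
        parts = key.lower().split("__")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        raw = value.strip().strip("'\"")
        if raw.startswith(("[", "{")):
            try:
                raw = json.loads(raw)
            except json.JSONDecodeError:
                pass  # keep the raw string so the operator can spot a bad value
        node[parts[-1]] = raw
    return config


def make_unsigned_token(claims):
    # Constructed, unsigned JWT for offline testing only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def decode_jwt_payload(token):
    """Read the payload segment only: no signature check, so this is for
    looking at claims while debugging, never for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def group_claim_report(token, groups_claim="groups"):
    """Count the groups in the ID token and flag the threshold from the issue.
    The claim name is an assumption; Keycloak puts it wherever the mapper says."""
    claims = decode_jwt_payload(token)
    groups = claims.get(groups_claim) or []
    return {"claim_present": groups_claim in claims, "count": len(groups),
            "over_limit": len(groups) > GROUP_LIMIT_SEEN_IN_ISSUE}
```

Run `group_claim_report` on the real ID token captured from the browser session (after the signature has been verified elsewhere) to compare the group count and claim name against what the GROUPS_SCOPE setting expects.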

Jipegien commented 10 months ago

@Kedae what type of additional info do you need?

Kedae commented 10 months ago

I honestly don't really know. We haven't been able to reproduce the bug and @SamuelHassine thought it could be linked to an error in the mapping of the group through OpenID. But currently we are unable to confirm or fix that.

Jipegien commented 9 months ago

@Lhorus6 What is the status for the customer on this?

SamuelHassine commented 9 months ago

Waiting for status here, @Lhorus6 @Kedae @Tonnulus.

Lhorus6 commented 9 months ago

Sorry, I missed the ping notifications. Waiting for an answer from the customer, I'll keep you posted.

Jipegien commented 8 months ago

Any news @Lhorus6 ?

SamuelHassine commented 8 months ago

Closing this for inactivity. Please re-open if needed.

Lhorus6 commented 8 months ago

Just FYI, still no news from the customer