dbeaver / cloudbeaver

Cloud Database Manager
https://dbeaver.com/
Apache License 2.0

reverseProxyAuth: If user has more groups than configured then login fails #2851

Open brunnels opened 2 months ago

brunnels commented 2 months ago

I had this working well when my user was only a member of 2 groups and I configured the groups in initial-data.conf:

{
    teams: [
        {
            subjectId: "Administrators",
            teamName: "Administrators",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        },
        {
            subjectId: "Domain Users",
            teamName: "Domain Users",
            description: "All users, including anonymous.",
            permissions: [ ]
        }
    ]
}

When I added an additional group to the user in my upstream auth, causing the reverse proxy auth header to contain more groups, I was no longer able to login and was presented with this in the logs:

17-08-2024 15:16:17.672 [qtp1835713430-44] DEBUG i.c.service.auth.RPSessionHandler - Attempting to authenticate user 'cbtestuser' with teams [Domain Users, Administrators, Qsync] through reverse proxy
17-08-2024 15:16:17.695 [qtp1835713430-44] ERROR i.c.service.core.impl.WebServiceCore - Error calling session handler 'RPSessionHandler'
io.cloudbeaver.DBWebException: Error:
Error saving user teams in database
.....
Caused by: org.jkiss.dbeaver.model.exec.DBCException: Error saving user teams in database
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.setUserTeams(CBEmbeddedSecurityController.java:222)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findOrCreateExternalUserByCredentials(CBEmbeddedSecurityController.java:2454)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2160)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1565)
        at io.cloudbeaver.service.auth.RPSessionHandler.reverseProxyAuthentication(RPSessionHandler.java:130)
        ... 61 common frames omitted
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "cb_user_team" violates foreign key constraint "cb_user_team_team_id_fkey"
  Detail: Key (team_id)=(Qsync) is not present in table "cb_team".

Here's my auth config as well:

        authConfigurations: [
          {
            id: "reverseProxy",
            provider: "reverseProxy",
            displayName: "Reverse Proxy",
            disabled: false,
            iconURL: "",
            description: "Authelia Reverse Proxy with ingress-nginx",
            parameters: {
              full-name-header: "Remote-Name",
              user-header: "Remote-User",
              team-header: "Remote-Groups",
              team-delimiter: ",",
              logout-url: "https://auth.${SECRET_DOMAIN}/logout?rd\u003dhttps://cloudbeaver.${SECRET_DOMAIN}"
            }
          }
        ]

I can resolve the issue by adding the qsync group to my config but I don't believe I should need to do this because cloudbeaver should be able to deal with a user being a member of a group it doesn't know about.

EvgeniaBzzz commented 2 months ago

Hi @brunnels, we'll add the ability to create teams via proxy. Thank you for your request!

brunnels commented 2 months ago

@EvgeniaBzzz I'm not sure I would want it to create the teams. I just want it to ignore any groups sent in the proxy header that don't exist in the cloudbeaver config.

EvgeniaBzzz commented 2 months ago

Let me ask, what is the purpose of adding additional non-existent groups to the upstream auth?

brunnels commented 2 months ago

@EvgeniaBzzz It's a standard thing. The upstream reverse proxy is backed by ldap. This would automatically send any groups the user is a member of in the Remote-Groups header. There's no way to filter or modify this. Cloudbeaver should only care about groups/teams it knows about so I think it's a bug for it to raise an exception in this case.

EvgeniaBzzz commented 2 months ago

Ok, thanks for the clarification

elixxx commented 2 months ago

Hey, I struggle with the same issue, but for me it would be nice to have the teams automatically created, as I filter the forwarded groups already in Keycloak. Maybe a configuration like "createUnknownTeams" would be nice! :)
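The two behaviours requested in this thread (ignore unknown groups from the `Remote-Groups` header, or create them as teams) can be modelled side by side. The following is an added stand-alone example, not CloudBeaver's own code: the team names, the header value and the `create_unknown` switch (a hypothetical stand-in for the proposed "createUnknownTeams" setting) are constructed from the values quoted in the issue, and `save_user_teams` merely mimics the `cb_user_team_team_id_fkey` foreign-key check from the stack trace.

```python
# Added example: modelling reverse-proxy team mapping against configured teams.
# Not CloudBeaver code; team names and header value are taken from the issue.

# Teams from the initial-data.conf quoted above (constructed inline).
KNOWN_TEAMS = {"Administrators", "Domain Users"}


class TeamFKError(Exception):
    """Stands in for the cb_user_team_team_id_fkey violation in the log."""


def parse_team_header(value: str, delimiter: str = ",") -> list[str]:
    """Split the team-header on the configured team-delimiter, trim
    whitespace, drop empty entries and de-duplicate, preserving order."""
    seen, teams = set(), []
    for raw in value.split(delimiter):
        name = raw.strip()
        if name and name not in seen:
            seen.add(name)
            teams.append(name)
    return teams


def save_user_teams(user: str, teams: list[str], known: set[str]) -> dict:
    """Mimics the insert into cb_user_team: every team_id must exist in cb_team."""
    for team in teams:
        if team not in known:
            raise TeamFKError(f'Key (team_id)=({team}) is not present in table "cb_team"')
    return {user: list(teams)}


def current_behaviour(user: str, header: str, known: set[str], delimiter: str = ",") -> dict:
    """Behaviour described in the issue: all parsed teams are saved unchecked."""
    return save_user_teams(user, parse_team_header(header, delimiter), known)


def fails_with_fk(user: str, header: str, known: set[str]) -> bool:
    """True when current_behaviour would hit the foreign-key error."""
    try:
        current_behaviour(user, header, known)
        return False
    except TeamFKError:
        return True


def assign_teams(user, header, known, delimiter=",", create_unknown=False):
    """Validate header teams before persisting. Returns (assigned, ignored, created).
    create_unknown=False ignores unknown groups (brunnels' request);
    create_unknown=True registers them first (elixxx's request, hypothetical option)."""
    requested = parse_team_header(header, delimiter)
    created = [t for t in requested if t not in known] if create_unknown else []
    effective = known | set(created)
    assigned = [t for t in requested if t in effective]
    ignored = [t for t in requested if t not in effective]
    save_user_teams(user, assigned, effective)  # only known team_ids reach the DB
    return assigned, ignored, created
```

With the ignore behaviour, `Qsync` never reaches `cb_user_team`, so the user still logs in with exactly the permissions of the configured teams; with `create_unknown`, any group the proxy forwards becomes a team, so upstream group filtering (as elixxx does in Keycloak) matters.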

EvgeniaBzzz commented 2 months ago

@elixxx thanks for your comment, we will try to come up with a solution that will suit everyone