goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.97k stars 4.74k forks

Enabling OIDC causes all robot accounts to generate error: failed to verify secret, username: robot$gitlab, error: failed to get oidc user info, error: <QuerySeter> no row #15253

Closed sharkymcdongles closed 1 year ago

sharkymcdongles commented 3 years ago

It appears when OIDC is enabled the auth goes through OIDC even if the account is a robot account with no OIDC. This causes the logs to be inundated with this error message:

2021-07-02T14:55:11Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="a2af154dd57eca5e5a05a8ac4012a311"]: failed to verify secret, username: robot$gitlab, error: failed to get oidc user info, error: <QuerySeter> no row

Since robot accounts cannot even be linked to OIDC accounts, is there some sort of way to stop these log messages and errors?

I am using v2.3.0. OIDC settings are:

OIDC Provider Name : azuread
OIDC Endpoint: https://login.microsoftonline.com/CENSORED/v2.0
OIDC Client ID: CENSORED
OIDC Client Secret: CENSORED
Group Claim Name: groups
OIDC Admin Group: CENSORED
OIDC Scope: openid,email,profile,offline_access
Verify Certificate: On
Automatic Onboarding: On
Username Claim: email

devlifealways commented 1 year ago

Same here, waiting for this fix to be out, using official helm chart with OIDC configuration

2023-01-30T13:21:56.445777863Z 2023-01-30T13:21:56Z [INFO] [/jobservice/logger/service.go:63]: Found export data cleanup job with schedule id : 1
2023-01-30T13:22:56.435408139Z 2023-01-30T13:22:56Z [INFO] [/pkg/notifier/notifier.go:205]: Handle notification with Handler 'AuditLog' on topic 'CREATE_PROJECT': ID-2 Name-gitlab Operator-hrouineb OccurAt-2023-01-30 13:22:56
2023-01-30T13:24:57.636334678Z 2023-01-30T13:24:57Z [INFO] [/controller/registry/controller.go:222]: Start regular health check for registries with interval 5m0s
2023-01-30T13:26:03.476178027Z 2023-01-30T13:26:03Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="2115c3f2-a75e-4742-aeed-83d52c917773"]: failed to verify secret, username: robot$gitlab+yinn, error: failed to get oidc user info, error: <QuerySeter> no row found
2023-01-30T13:26:03.483522200Z 2023-01-30T13:26:03Z [INFO] [/server/middleware/security/robot.go:71][requestID="2115c3f2-a75e-4742-aeed-83d52c917773"]: a robot security context generated for request GET /service/token
2023-01-30T13:28:44.937218308Z 2023-01-30T13:28:44Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="15cd5e03-4df9-4d74-83b9-9a01eec5de8d"]: failed to verify secret, username: robot$gitlab+yinn, error: failed to get oidc user info, error: <QuerySeter> no row found
2023-01-30T13:28:44.947952864Z 2023-01-30T13:28:44Z [INFO] [/server/middleware/security/robot.go:71][requestID="15cd5e03-4df9-4d74-83b9-9a01eec5de8d"]: a robot security context generated for request GET /service/token
2023-01-30T13:33:43.333409691Z 2023-01-30T13:33:43Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="206acf81-b59b-4564-b647-91f55b3bba86"]: failed to verify secret, username: robot$gitlab+yinn, error: failed to get oidc user info, error: <QuerySeter> no row found
2023-01-30T13:33:43.342219923Z 2023-01-30T13:33:43Z [INFO] [/server/middleware/security/robot.go:71][requestID="206acf81-b59b-4564-b647-91f55b3bba86"]: a robot security context generated for request GET /service/token
2023-01-30T13:34:02.902550312Z 2023-01-30T13:34:02Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="487cec82-70cf-438f-9638-11b3fe2d5eb4"]: failed to verify secret, username: robot$gitlab+yinn, error: failed to get oidc user info, error: <QuerySeter> no row found
2023-01-30T13:34:02.909669962Z 2023-01-30T13:34:02Z [INFO] [/server/middleware/security/robot.go:71][requestID="487cec82-70cf-438f-9638-11b3fe2d5eb4"]: a robot security context generated for request GET /service/token
2023-01-30T13:38:45.055944272Z 2023-01-30T13:38:45Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="95eb830b-e4df-4929-9700-dd5d9e5ea436"]: failed to verify secret, username: robot$hisqool, error: failed to get oidc user info, error: <QuerySeter> no row found
2023-01-30T13:38:45.063001194Z 2023-01-30T13:38:45Z [INFO] [/server/middleware/security/robot.go:71][requestID="95eb830b-e4df-4929-9700-dd5d9e5ea436"]: a robot security context generated for request GET /service/token

devlifealways commented 1 year ago

A misleading issue: the problem was not related to OIDC authentication; it was all about the wrong registry basic auth credentials I was using.

umberto10 commented 1 year ago

So is the fix available in version 2.7.1? Because I'm still having this issue in my latest helm install :<

rgarcia89 commented 1 year ago

> So is the fix available in version 2.7.1? Because I'm still having this issue in my latest helm install :<

This fix will be included in v2.8.0

ryadama9 commented 1 year ago

Is there any workaround without moving to 2.8.0? We are on 2.6.1.

nerzhul commented 1 year ago

I have the same issue on Harbor 2.9 with the admin local user

username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found

EsDmitrii commented 1 year ago

the same

yelassad commented 11 months ago

the same on 2.7.3

receperdogan commented 11 months ago

Harbor 2.8.0. Actually it worked for like two weeks, after that the same here as well.

EDIT: Sorry, my mistake, we were using a double domain to reach Harbor and I picked the wrong one. :) Just make sure the Valid Redirect URI that you entered in your OIDC provider matches the Harbor URL.

steadyk commented 11 months ago

Harbor 2.9.1. We also see errors for the admin user:

2023-11-15T09:38:07Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="b260d299-612e-4bae-a771-bed7155e1767"]: failed to verify secret, username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found

peresureda commented 11 months ago

Harbor 2.9.1 Upgrade:

2023-11-16T17:08:36Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="xxxxx"]: failed to verify secret, username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found

pwurbs commented 7 months ago

Maybe it helps someone:

If you get a 401 only when viewing the data of a specific image in the Harbor UI (while viewing all other pages works), then you should check your Harbor secrets.

KevinGimbel commented 6 months ago

We face the same issue with v2.10.1

2024-04-06T05:01:16Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID=xxx]: failed to verify secret, username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found

sicko583 commented 4 months ago

I had the same issue with v.2.10.2

2024-06-20T03:07:55Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="334fcd11abfd96644d485b9ab971f268"]: failed to verify secret, username: robot, error: failed to get oidc user info, error: <QuerySeter> no row found
2024-06-20T03:07:55Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.27.63.71" requestID="334fcd11abfd96644d485b9ab971f268" user agent="docker/1.13.1 go/go1.10.3 kernel/5.10.16.3-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))"]: failed to authenticate user:robot, error:not supported

Refer to https://github.com/goharbor/harbor/issues/20629
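
Added example (not from the thread or from the Harbor project): a triage script that groups log lines by requestID and labels each oidc_cli.go error by what the same request logged next, following the robot.go and basic_auth.go lines quoted in the comments above. The sample lines are constructed, and treating a later "robot security context generated" line as a successful authentication is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log format quoted in this thread.
SAMPLE_LOG = """\
2023-01-30T13:26:03Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="req-0001"]: failed to verify secret, username: robot$demo+ci, error: failed to get oidc user info, error: <QuerySeter> no row found
2023-01-30T13:26:03Z [INFO] [/server/middleware/security/robot.go:71][requestID="req-0001"]: a robot security context generated for request GET /service/token
2024-06-20T03:07:55Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="req-0002"]: failed to verify secret, username: robot, error: failed to get oidc user info, error: <QuerySeter> no row found
2024-06-20T03:07:55Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="192.0.2.10" requestID="req-0002" user agent="docker/1.13.1"]: failed to authenticate user:robot, error:not supported
2023-11-15T09:38:07Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID=req-0003]: failed to verify secret, username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found
"""

# [LEVEL] [/path/file.go:NN][key="value" ...]: message
LINE_RE = re.compile(r'\[(?P<level>[A-Z]+)\] \[(?P<src>[^\]:]+):\d+\]\[(?P<meta>[^\]]*)\]: (?P<msg>.*)')
REQ_RE = re.compile(r'requestID="?([^"\s\]]+)"?')  # the ID appears quoted and unquoted
USER_RE = re.compile(r'username: (?P<user>[^,]+),')


def triage(log_text):
    """Label every request that hit the oidc_cli.go error by what it logged afterwards."""
    by_req = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a request context (job service, notifier, ...)
        rid = REQ_RE.search(m["meta"])
        if rid:
            by_req[rid.group(1)].append((m["level"], m["src"].rsplit("/", 1)[-1], m["msg"]))

    results = {}
    for rid, events in by_req.items():
        oidc = [msg for lvl, src, msg in events if src == "oidc_cli.go" and lvl == "ERROR"]
        if not oidc:
            continue
        user = USER_RE.search(oidc[0])
        if any(src == "robot.go" and "security context generated" in msg for _, src, msg in events):
            verdict = "noise"        # assumption: the robot generator accepted the request
        elif any(src == "basic_auth.go" and lvl == "ERROR" for lvl, src, _ in events):
            verdict = "auth_failed"  # basic auth rejected the same request as well
        else:
            verdict = "unresolved"   # no later auth line captured for this request
        results[rid] = (user["user"] if user else None, verdict)
    return results


if __name__ == "__main__":
    for request_id, (username, verdict) in triage(SAMPLE_LOG).items():
        print(request_id, username, verdict)
```

Requests labelled `auth_failed` or `unresolved` are the ones worth checking for wrong credentials; `noise` entries can be filtered from alerting.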

peters-david commented 2 months ago

We are facing this issue also on v2.10.2.

rajatrj16 commented 2 months ago

We are facing this issue on 2.11.0

failed to verify secret, username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found

However, we have local system admin user, OIDC users for real users and robot accounts for pipeline tasks.

SamirFarhat commented 1 month ago

Same issue at date

failed to verify secret, username: ddd, error: failed to get oidc user info, error: <QuerySeter> no row found

robot account not possible when using oidc, what a huge bug !!

ianseyer commented 3 days ago

Also now seeing this issue:

failed to verify secret, username: admin, error: failed to get oidc user info, error: <QuerySeter> no row found

ianseyer commented 18 hours ago

Oddly enough, with debug logging enabled, I see

harbor-staging-core-5fd949656c-sbskc 2024-10-21T17:32:52Z [DEBUG] [/core/auth/authenticator.go:145]: Current AUTH_MODE is db_auth

when I attempt to use the admin credentials via CLI

This is not true, it is set to OIDC (configured via terraform, indicated as such via the UI).

I assume this is because the admin user is stored in the DB?