lukevella / rallly

Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier.
https://rallly.co
GNU Affero General Public License v3.0

OIDC auth error #1341

Closed td00 closed 3 weeks ago

td00 commented 3 weeks ago

**Describe the bug** When trying to authenticate via OIDC users get successfully redirected to the auth portal. The auth is successful but there seems to be a problem with the processing of the reply. The objects all have the required claims (except for image, but I doubt that this is a required field).

**To Reproduce** Steps to reproduce the behavior:

  1. Configure OIDC
  2. Configure App in OIDC provider
  3. Authenticate via OIDC
  4. See error

**Expected behavior** A successful login.

**Screenshots**

```
rallly-1     | [next-auth][error][adapter_error_createUser]
rallly-1     | https://next-auth.js.org/errors#adapter_error_createuser
rallly-1     | Invalid `prisma.user.create()` invocation:
rallly-1     |
rallly-1     | {
rallly-1     |   data: {
rallly-1     |     email: undefined,
rallly-1     |     image: undefined,
rallly-1     |     emailVerified: null,
rallly-1     | +   name: String
rallly-1     |   }
rallly-1     | }
rallly-1     |
rallly-1     | Argument `name` is missing. {
rallly-1     |   message: '\n' +
rallly-1     |     'Invalid `prisma.user.create()` invocation:\n' +
rallly-1     |     '\n' +
rallly-1     |     '{\n' +
rallly-1     |     '  data: {\n' +
rallly-1     |     '    email: undefined,\n' +
rallly-1     |     '    image: undefined,\n' +
rallly-1     |     '    emailVerified: null,\n' +
rallly-1     |     '+   name: String\n' +
rallly-1     |     '  }\n' +
rallly-1     |     '}\n' +
rallly-1     |     '\n' +
rallly-1     |     'Argument `name` is missing.',
rallly-1     |   stack: 'PrismaClientValidationError: \n' +
rallly-1     |     'Invalid `prisma.user.create()` invocation:\n' +
rallly-1     |     '\n' +
rallly-1     |     '{\n' +
rallly-1     |     '  data: {\n' +
rallly-1     |     '    email: undefined,\n' +
rallly-1     |     '    image: undefined,\n' +
rallly-1     |     '    emailVerified: null,\n' +
rallly-1     |     '+   name: String\n' +
rallly-1     |     '  }\n' +
rallly-1     |     '}\n' +
rallly-1     |     '\n' +
rallly-1     |     'Argument `name` is missing.\n' +
rallly-1     |     '    at An (/app/node_modules/@prisma/client/runtime/library.js:114:7526)\n' +
rallly-1     |     '    at _n.handleRequestError (/app/node_modules/@prisma/client/runtime/library.js:121:7392)\n' +
rallly-1     |     '    at _n.handleAndLogRequestError (/app/node_modules/@prisma/client/runtime/library.js:121:7057)\n' +
rallly-1     |     '    at _n.request (/app/node_modules/@prisma/client/runtime/library.js:121:6741)\n' +
rallly-1     |     '    at async l (/app/node_modules/@prisma/client/runtime/library.js:130:9355)',
rallly-1     |   name: 'PrismaClientValidationError'
rallly-1     | }
```

**Additional context**

Supported Scopes for the auth tool:

- openid (sub)
- profile (name, preferred_username)
- email (email, email_verified)
- groups (groups)

Supported claims for the auth tool:

- sub (string)
- name (string)
- preferred_username (string)
- email (string)
- email_verified (bool)
- groups (array of strings)

lukevella commented 3 weeks ago

You may need to set `OIDC_NAME_CLAIM_PATH` to tell the app where to find the name attribute in your token. By default it looks for `name` at the top level.

td00 commented 3 weeks ago

AFAIK the name claim is also at top level

This is an example of the profile scope:

```json
{
  "id": 10000,
  "name": "Test User",
  "nickname": "testuser",
  "email": "testuser@example.com",
  "groups": [
    "test_group",
    "users"
  ]
}
```

I also used OIDC_NAME_CLAIM_PATH to test nickname & preferred_username but always get the same result as posted initially.
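As an added illustration of the claim-path lookup discussed in the two comments above (a constructed example, not Rallly's own code): the dotted-path syntax, the `nameClaimPath`/`emailClaimPath` option names and the `email_verified` check are assumptions, and the point is that required claims are validated before any user record is created, so a misconfigured or empty profile is reported as a clear error rather than as the ORM failure in the log.

```javascript
// Resolve a dotted claim path (e.g. "name" or "user.preferred_username")
// against a decoded ID token / userinfo object. Returns undefined when any
// segment is absent instead of throwing.
function getClaimByPath(profile, path) {
  return path.split(".").reduce(
    (node, key) => (node != null && typeof node === "object" ? node[key] : undefined),
    profile,
  );
}

// Map an OIDC profile to the fields a user record needs. Defaults mirror the
// "top level" lookup described in the thread; paths are configurable (assumed).
function mapOidcProfile(profile, config = {}) {
  const nameClaimPath = config.nameClaimPath || "name";
  const emailClaimPath = config.emailClaimPath || "email";
  const name = getClaimByPath(profile, nameClaimPath);
  const email = getClaimByPath(profile, emailClaimPath);

  const missing = [];
  if (typeof name !== "string" || name.trim() === "") missing.push(nameClaimPath);
  if (typeof email !== "string" || !email.includes("@")) missing.push(emailClaimPath);
  if (missing.length > 0) {
    // Fail before touching the database and name the claim paths that were
    // not satisfied, so an empty or mis-mapped profile is diagnosable.
    return { ok: false, error: `missing required claims: ${missing.join(", ")}` };
  }
  // Defensive: if the provider states the address is unverified, do not
  // create or link an account on the strength of that address (assumed policy).
  if (profile.email_verified === false) {
    return { ok: false, error: "email not verified by identity provider" };
  }
  return { ok: true, user: { name: name.trim(), email: email.toLowerCase() } };
}

// Constructed sample modelled on the profile posted in this issue.
const sampleProfile = {
  id: 10000,
  name: "Test User",
  nickname: "testuser",
  email: "testuser@example.com",
  email_verified: true,
  groups: ["test_group", "users"],
};

console.log(mapOidcProfile(sampleProfile));
console.log(mapOidcProfile({})); // what an empty reply from the provider looks like here
console.log(mapOidcProfile({ user: { preferred_username: "testuser", email: "t@example.com" } },
  { nameClaimPath: "user.preferred_username", emailClaimPath: "user.email" }));
```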

lukevella commented 3 weeks ago

What are you using as your identity provider?

td00 commented 3 weeks ago

We're using "uffd" (https://git.cccv.de/uffd/uffd).

As far as I understand the Rallly code, everything that is needed is supported by uffd.

lukevella commented 3 weeks ago

Yes, it should be compatible. That said, it doesn't seem like there is an issue with Rallly here. It's failing to create a user because it didn't get a name which is required. From the looks of it, it's not getting any information from your identity provider. Could be some misconfiguration or an issue with the identity provider itself.

Since it doesn't seem like there's anything we can do I'll close this but feel free to reopen if you can point to an issue within this repo.