Auth0+Mozilla LDAP Access broken / needs an extra loop to person-api

[tarekziade]

The Auth0 - Mozilla LDAP integration has been changed

we need to do an extra call to https://github.com/mozilla-iam/person-api to get the user email.

oidc2 gets a single key 'sub', with 'ad|Mozilla-LDAP|\<user>'

and we need to call

curl --request GET --url https://person-api.sso.allizom.org/v1/profile/ad|Mozilla-LDAP|\<user>

to get the mozilla email and match it in the servicebook database.

that service needs an oauth2 dance as well. I wonder if I can pass along those we get from the initial Auth0 dance. @gdestuynder ?

cc @ckolos

[gdestuynder]

Hi,

I wonder if you have some more information on:

The Auth0 - Mozilla LDAP integration has been changed

Regardless though, you can call the person API. Note that the allizom.org domain runs the dev version of Person API, you probably want the prod version (https://person-api.sso.mozilla.com/{api-version}/) even for your own dev needs

your client id can be authorized to request person api scopes (you have to pass the right scope and audience in that case during your request). you can get it authorized by creating an sso request in servicenow, or just ping me with your your client_id

[tarekziade]

I wonder if you have some more information on:

The Auth0 - Mozilla LDAP integration has been changed

Yes. Previously, the OIDC returned a 'nickname' and 'emails' fields I used.

It looks like now we get a 'sub' field along with a 'https://sso.mozilla.com/claim/README_FIRST' key with the value 'Please refer to https://github.com/mozilla-iam/person-api in order to query Mozilla IAM CIS user profile data'

so that broke the login

[gdestuynder]

Ah alright - yes. There was a communication on this a while back, auth0 no longer passes this data through the id_token or profile endpoint. You should have an email somewhere in your inbox from Jabba back in november or so - but if you're curious this is what happened: https://auth0.com/docs/api-auth/intro

Note, to be precise:

nickname and email are returned but emails is not, neither are nicknames (extra 's') if email is sufficient for you, you could also use that. Else, Person-API.

[tarekziade]

ok thanks @gdestuynder

yeah email should work, but I did not see it in the data sent back...

@ckolos we should try that and see how it works.

otherwise, one possible hack is to extract the last part of sub and add @mozilla.com since this login is only for us.

[gdestuynder]

make sure your scope request includes profile or email (ie: scope: openid profile for example) You can also play with it on https://prod.testrp.security.allizom.org/ to get a visual idea of what is returned

if for some reason you still do not see email let me know what your client_id is (its a public value)

note: i'd advise against parsing sub for access control. if this is staff only, you can parse https://sso.mozilla.com/claim/groups and match on hris_is_staff we can also add an upstream control to enforce it at login (see https://github.com/mozilla-iam/mozilla-iam/#2-stage-access-validation)

[tarekziade]

note to myself:

at https://github.com/mozilla/servicebook-web/blob/master/serviceweb/auth.py#L99 change it to ,

        self.oidc = OIDCAuthentication(self.app,
                                       provider_configuration_info=provider,
                                       client_registration_info=client,
                                       extra_request_args={"scope": ["openid", "profile"]})

and then see what https://github.com/mozilla/servicebook-web/blob/master/serviceweb/auth.py#L11 gets from the service - then adapt the function to grab the email

and move the ldap lookup prior to the github lookup

[ckolos]

and then see what https://github.com/mozilla/servicebook-web/blob/master/serviceweb/auth.py#L11 gets from the service - then adapt the function to grab the email

I added the following on https://github.com/mozilla/servicebook-web/blob/master/serviceweb/auth.py#L12 to see if we could inspect the structure of oidc_user:

for key in oidc_user:
    print("oidc_user: {0} -> {1}".format(key, oidc_user[key]))

oidc_user: sub -> ad|Mozilla-LDAP|<username>                                                                                   
oidc_user: https://sso.mozilla.com/claim/groups -> [<all LDAP groups <username> is a member of]                                                             

I don't see any mention of email(s) in the object.

[karlht]

Please let me know if there's anything I can do to help here, or if you need a tester once it works.

Thanks.

[tarekziade]

@ckolos can you give the client_id value to @gdestuynder so we can investigate on the auth0 dashboard? Thanks!

[ckolos]

done via IRC

[gdestuynder]

i had a quick look at the code (the rp/client setup seems ok on our side), and i suspect you're not getting the results back from the userinfo endpoint (flask.session['userinfo'] has it i think). The userinfo endpoint is queried when the profile scope is present (as per above)

Normally, auth0 copies the fields from the userinfo endpoint into the id_token, though if you want to make sure you could also try to request the scope openid email profile (oidc let you request each field individually). It might also be the flask-pyoidc which strips the non-essential field away before passing them back

with all that said, https://github.com/zamzterz/Flask-pyoidc/blob/master/example/app.py#L24 should absolutely work and looks 100% ok on our side

[davehunt]

@tarekziade is there anything I can do to help here? I'm unable to test login locally because I don't have the necessary configuration values for oidc. Where can I get those from?

[tarekziade]

we need someone with an access to the deployment to pdb in and understand what we get back from the auth0 service it's hard to do locally in a different env

[ckolos]

@tarekziade - ping me tomorrow morning (2018/07/12) and I'll be happy to help

[karlht]

Folks, I don't mean to be a nuisance here, but if we're going to be using Servicebook as the source of truth for our projects, I need to be able to edit projects. I currently can't, and have not been able to for several weeks. Can somebody give me a timeframe for when this is going to be fixed?

[gdestuynder]

hi, if you need any auth0/oidc help "live" feel free to also ping me or put a meeting on my calendar and I'd be happy to help with whatever I can