okta / okta-sdk-golang

A Golang SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
https://github.com/okta/okta-sdk-golang

Create User with email different from logon fails unexpectedly #281

Closed tgoodsell-tempus closed 2 years ago

tgoodsell-tempus commented 2 years ago

Describe the bug?

I believe this is primarily an API bug, however since I'm using the golang sdk for this I'll also paste this here while I work on a support case of my own.

When I attempt to create a user in Okta where I'm setting a different email value from the logon value, it's clear that it is not being accepted correctly upstream. The actual "error" I'm receiving is a duplicate user entry failure, when I set the email to an account which already has an Okta account with that value as a login, while my login is something which does not exist.

What is expected to happen?

I'm going to paste the raw http request value from the SDK instead of the objects, since this shows the issue most clearly.

With the following create user request:

POST /api/v1/users?sendEmail=true HTTP/1.1
Host: tempus.oktapreview.com
User-Agent: okta-sdk-golang/2.9.2 golang/go1.17.6 darwin/arm64
Content-Length: 295
Accept: application/json
Authorization: SSWS <redacted>
Content-Type: application/json
Accept-Encoding: gzip

{"profile":{"approvalManager":"thomas.goodsell@tempus.com","displayName":"Thomas Goodsell (test)","email":"thomas.goodsell@tempus.com","firstName":"Thomas","lastName":"Goodsell (test)","login":"thomas.goodsell+test@example.com","manager":"thomas.goodsell@tempus.com","userCategory":"TestUser"}}

I would expect that to be a successful user create, since the login value does not exist and email does not have Value must be unique for each user checked in the Okta profile.

What is the actual behavior?

This fails with the following error return from the API (this is the error value output in golang):

the API returned an error: Api validation failed: com.saasure.core.services.user.InvalidUserProfileException: Could not create user due to invalid profile: com.saasure.framework.validation.util.SimpleErrors: 1 errors
Field error in object 'newUser' on field 'login': rejected value [thomas.goodsell@tempus.com]; codes [notUniqueWithinOrg.newUser.login,notUniqueWithinOrg.login,notUniqueWithinOrg.java.lang.String,notUniqueWithinOrg]; arguments []; default message [null]. Causes: errorSummary: login: An object with this field already exists in the current organization

Full response example:

HTTP/2.0 400 Bad Request
Connection: close
Cache-Control: no-cache, no-store
Content-Security-Policy: default-src 'self' tempus.oktapreview.com *.oktacdn.com; connect-src 'self' tempus.oktapreview.com tempus-admin.oktapreview.com *.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com tempus.kerberos.oktapreview.com https://oinmanager.okta.com data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' tempus.oktapreview.com *.oktacdn.com; style-src 'unsafe-inline' 'self' tempus.oktapreview.com *.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' tempus.oktapreview.com tempus-admin.oktapreview.com login.okta.com; img-src 'self' tempus.oktapreview.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data: blob:; font-src 'self' tempus.oktapreview.com data: *.oktacdn.com fonts.gstatic.com; report-uri https://okta.report-uri.com/r/d/csp/enforce; report-to csp
Content-Security-Policy-Report-Only: default-src 'self' tempus.oktapreview.com *.oktacdn.com; connect-src 'self' tempus.oktapreview.com tempus-admin.oktapreview.com *.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com tempus.kerberos.oktapreview.com https://oinmanager.okta.com data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' tempus.oktapreview.com *.oktacdn.com; style-src 'unsafe-inline' 'self' tempus.oktapreview.com *.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' tempus.oktapreview.com tempus-admin.oktapreview.com login.okta.com; img-src 'self' tempus.oktapreview.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data: blob:; font-src 'self' tempus.oktapreview.com data: *.oktacdn.com fonts.gstatic.com; report-uri https://okta.report-uri.com/r/d/csp/reportOnly; report-to csp
Content-Type: application/json
Date: Mon, 21 Feb 2022 22:31:21 GMT
Expect-Ct: report-uri="https://oktaexpectct.report-uri.com/r/t/ct/reportOnly", max-age=0
Expires: 0
P3p: CP="HONK"
Pragma: no-cache
Public-Key-Pins-Report-Only: pin-sha256="jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc="; pin-sha256="axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8="; pin-sha256="SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE="; pin-sha256="ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"
Report-To: {"group":"csp","max_age":31536000,"endpoints":[{"url":"https://okta.report-uri.com/a/d/g"}],"include_subdomains":true}
Server: nginx
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: autolaunch_triggered=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=<redacted>; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=315360000; includeSubDomains
X-Content-Type-Options: nosniff
X-Okta-Request-Id: YhQSuazHCJtfAXZdUb4QCQAAACI
X-Rate-Limit-Limit: 600
X-Rate-Limit-Remaining: 599
X-Rate-Limit-Reset: 1645482741
X-Xss-Protection: 0

{"errorCode":"E0000001","errorSummary":"Api validation failed: com.saasure.core.services.user.InvalidUserProfileException: Could not create user due to invalid profile: com.saasure.framework.validation.util.SimpleErrors: 1 errors\nField error in object 'newUser' on field 'login': rejected value [thomas.goodsell@tempus.com]; codes [notUniqueWithinOrg.newUser.login,notUniqueWithinOrg.login,notUniqueWithinOrg.java.lang.String,notUniqueWithinOrg]; arguments []; default message [null]","errorLink":"E0000001","errorId":"oaeU7V2xP_rQi2Hbgw9xBDRcQ","errorCauses":[{"errorSummary":"login: An object with this field already exists in the current organization"}]}

Based on my request above, it's clearly interpreting the email value as the login value, which is unexpected behavior and not documented in the API docs.

Reproduction Steps?

Attempt to create a new user using the API, where the email value matches a user who currently exists.

Additional Information?

No response

Golang Version

go version go1.17.6 darwin/arm64

SDK Version

github.com/okta/okta-sdk-golang/v2 v2.9.2

OS version

No response

tgoodsell-tempus commented 2 years ago

Added a full response example in here, mainly for my own tracking

bogdanprodan-okta commented 2 years ago

Hi, @tgoodsell-tempus! Thanks for submitting this issue! I'll try to find a team responsible for this functionality, maybe they can give more context on what is going on.

tgoodsell-tempus commented 2 years ago

@bogdanprodan-okta, I'll close this as I got resolution from Okta support, this was related to a hidden feature flag for self-service registration.

Specifically:

This is happening due to a prerequisite of feature flags that are mandatory for self-service registration that links the login with the email so it causes this constraint. The only solution is to either disable the self-service registration functionality or simply use different email addresses for each account.

In my case, the self-service registration page had already been showing as disabled, so I had to have the support team disable the other flags for me.
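An added, self-contained Go example (not the SDK's or the reporter's code) covering both the symptom in the bug report and the support explanation above: it decodes the E0000001 body Okta returned and checks whether the value rejected on the login field is the submitted email rather than the submitted login, which is the signature of an org whose feature flags link login to email. OktaAPIError, Diagnosis and DiagnoseCreateUserError are names assumed here, and the sample body is the issue's response shortened to the fields used.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// OktaAPIError mirrors the error body Okta returns for a failed POST /api/v1/users (fields not used here omitted).
type OktaAPIError struct {
	ErrorCode    string `json:"errorCode"`
	ErrorSummary string `json:"errorSummary"`
}

// rejectedLogin pulls the value Okta validated as the login out of errorSummary.
var rejectedLogin = regexp.MustCompile(`on field 'login': rejected value \[([^\]]+)\]`)

// Diagnosis is what a provisioning job can log or alert on (assumed type, not from the SDK).
type Diagnosis struct {
	Code             string // Okta errorCode, e.g. E0000001
	RejectedLogin    string // value Okta actually checked for uniqueness
	EmailUsedAsLogin bool   // Okta validated the email, not the submitted login
}

// DiagnoseCreateUserError decodes an Okta error body and compares the rejected login with what
// the caller submitted. When Okta rejected the submitted email as the login, the org links login
// to email (the self-service registration flags from the issue), so retrying with another login will not help.
func DiagnoseCreateUserError(body []byte, submittedLogin, submittedEmail string) (Diagnosis, error) {
	var apiErr OktaAPIError
	if err := json.Unmarshal(body, &apiErr); err != nil {
		return Diagnosis{}, fmt.Errorf("decode okta error body: %w", err)
	}
	d := Diagnosis{Code: apiErr.ErrorCode}
	if m := rejectedLogin.FindStringSubmatch(apiErr.ErrorSummary); m != nil {
		d.RejectedLogin = m[1]
	}
	d.EmailUsedAsLogin = d.RejectedLogin != "" &&
		!strings.EqualFold(d.RejectedLogin, submittedLogin) &&
		strings.EqualFold(d.RejectedLogin, submittedEmail)
	return d, nil
}

// SampleErrorBody is the 400 body quoted in the issue, shortened to the fields used here.
const SampleErrorBody = `{"errorCode":"E0000001","errorSummary":"Api validation failed: Could not create user due to invalid profile: 1 errors\nField error in object 'newUser' on field 'login': rejected value [thomas.goodsell@tempus.com]; codes [notUniqueWithinOrg.login]; arguments []; default message [null]"}`

func main() {
	d, err := DiagnoseCreateUserError([]byte(SampleErrorBody), "thomas.goodsell+test@example.com", "thomas.goodsell@tempus.com")
	fmt.Printf("%+v %v\n", d, err)
}
```

When EmailUsedAsLogin is true the fix is on the org side (the registration feature flags) or a distinct email per account, exactly as support described, so the job should stop retrying and surface that instead.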