reanahub / reana-server

REANA API server
http://reana-server.readthedocs.io/
MIT License
5 stars, 37 forks

login: nicer CERN SSO login behaviour when access is denied due to lesser LOA role #514

Open tiborsimko opened 2 years ago

tiborsimko commented 2 years ago

Current behaviour

When using CERN SSO, when a user authenticates successfully using Keycloak, but his role is not amongst the ones required by the REANA application, the login succeeds but the user is then redirected to the page saying "Bad gateway".

(Example: we require CERN users or eduGAIN users, but the user authenticates via GitHub social accounts, which is of lesser Level of Assurance (LOA).)

This is because internally we get a reana-server rest-api container traceback of the form:

```
[2022-07-06 14:59:37,034] WARNING in cern_openid: User roles None are not one of ['cern_user', 'edugain_user']
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/invenio_oauthclient/contrib/cern_openid.py", line 313, in account_info_rest
    return _account_info(remote, resp)
  File "/usr/local/lib/python3.8/site-packages/invenio_oauthclient/contrib/cern_openid.py", line 276, in _account_info
    raise OAuthCERNRejectedAccountError(
invenio_oauthclient.errors.OAuthCERNRejectedAccountError: ("User roles None are not one of ['cern_user', 'edugain_user']", <flask_oauthlib.client.OAuthRemoteApp object at 0x7f8d6a9e7490>, ...

...

    raise OAuthCERNRejectedAccountError(
invenio_oauthclient.errors.OAuthCERNRejectedAccountError: ("User roles None are not one of ['cern_user', 'edugain_user']", <flask_oauthlib.client.OAuthRemoteApp object at 0x7f8d6a9e7490>,

...

  File "/usr/local/lib/python3.8/site-packages/blinker/base.py", line 266, in send
    return [(receiver, receiver(sender, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/blinker/base.py", line 266, in <listcomp>
    return [(receiver, receiver(sender, **kwargs))
  File "/code/./reana_server/utils.py", line 291, in _create_and_associate_oauth_user
    user_email = account_info["user"]["email"]
TypeError: 'Response' object is not subscriptable
```

i.e. the exception is not well handled.

Expected behaviour

The user should see a page saying something like

Sorry, you are not authorised to use `reana.cern.ch`.
If you think this is a mistake, please contact _REANA administrators_ .

with a mailto link on how to contact humans.
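An added, stand-alone Python reconstruction of the failure mode in the traceback above and of the expected behaviour. This is illustrative code, not code from reana-server or invenio-oauthclient: `Response`, `RejectedAccountError`, `account_info_rest` and the two receiver functions are stand-ins for their namesakes in those projects, the signal dispatch is simulated by a plain function call, the Keycloak userinfo payloads are constructed, and the contact address `reana-admins@example.org` is assumed. It shows why a receiver that assumes a dict gets a `Response` on the rejection path, and a defensive receiver plus the "not authorised" page with a mailto link that the issue asks for.

```python
"""Stand-alone reconstruction of the rejected-account login path (illustrative, not project code)."""
from dataclasses import dataclass
from typing import Any, Callable, Optional, Union
from urllib.parse import quote

ALLOWED_ROLES = ("cern_user", "edugain_user")   # the roles named in the warning line above
ADMIN_EMAIL = "reana-admins@example.org"        # HYPOTHETICAL contact address
HOSTNAME = "reana.cern.ch"


@dataclass
class Response:
    """Stand-in for the Flask Response that the REST error path hands back."""
    status: int
    body: str


class RejectedAccountError(Exception):
    """Stand-in for invenio_oauthclient's OAuthCERNRejectedAccountError."""


def account_info(userinfo: dict) -> dict:
    """Map Keycloak userinfo to account_info; reject accounts whose roles are not
    in ALLOWED_ROLES (mirrors "User roles None are not one of [...]")."""
    roles = userinfo.get("cern_roles")
    if not roles or not set(roles) & set(ALLOWED_ROLES):
        raise RejectedAccountError(f"User roles {roles} are not one of {list(ALLOWED_ROLES)}")
    return {"user": {"email": userinfo["email"]}, "external_id": userinfo["sub"]}


def account_info_rest(userinfo: dict) -> Union[dict, Response]:
    """REST variant: swallows the rejection and returns a Response instead of raising.
    A downstream signal receiver that assumes a dict therefore receives a Response."""
    try:
        return account_info(userinfo)
    except RejectedAccountError as exc:
        return Response(400, str(exc))


def create_user_naive(info: Any) -> str:
    """The receiver pattern from the traceback: subscripts without checking the type."""
    return info["user"]["email"]   # TypeError: 'Response' object is not subscriptable


def create_user_defensive(info: Any) -> Optional[str]:
    """Receiver that tolerates the error path: None for a non-dict account_info,
    so the caller can render a denial page instead of crashing with a 502."""
    if not isinstance(info, dict):
        return None
    return info.get("user", {}).get("email")


def denied_page(reason: str) -> Response:
    """The page the issue asks for: a 403 carrying a mailto link to the administrators."""
    subject = quote(f"Access to {HOSTNAME} denied: {reason}")
    mailto = f"mailto:{ADMIN_EMAIL}?subject={subject}"
    body = (
        f"Sorry, you are not authorised to use {HOSTNAME}. "
        f'If you think this is a mistake, please contact <a href="{mailto}">REANA administrators</a>.'
    )
    return Response(403, body)


def login(userinfo: dict, receiver: Callable[[Any], Any]) -> Response:
    """Simulates the authorized-handler flow: account_info_rest, then the signal receiver."""
    info = account_info_rest(userinfo)
    email = receiver(info)          # the naive receiver raises TypeError here on rejection
    if email is None:
        reason = info.body if isinstance(info, Response) else "no e-mail in account info"
        return denied_page(reason)
    return Response(200, f"logged in as {email}")


def naive_receiver_crashes(userinfo: dict) -> bool:
    """True if the naive receiver turns a rejection into the unhandled TypeError."""
    try:
        login(userinfo, create_user_naive)
    except TypeError:
        return True
    return False


# Constructed userinfo payloads (not real Keycloak output).
CERN_USER = {"sub": "u1", "email": "alice@cern.ch", "cern_roles": ["cern_user"]}
GITHUB_USER = {"sub": "u2", "email": "bob@example.com", "cern_roles": None}

if __name__ == "__main__":
    print(login(CERN_USER, create_user_defensive))
    print(login(GITHUB_USER, create_user_defensive))
    print("naive receiver crashes on rejection:", naive_receiver_crashes(GITHUB_USER))
```

The check on the receiver side is deliberately narrow: it only distinguishes "account_info is the dict we expect" from "anything else", because the rejection reason is already logged by the warning line and the user-facing page should not leak the role list or internal object representations.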

tiborsimko commented 2 years ago

Note: this is observed only when multiple rules are being set up at the OIDC Keycloak application rule side. Since it's not going to be the default way of deployment, this issue can sleep for much later.