# ui
r
Hello guys, please help me with a problem while integrating the DataHub frontend with enterprise AD using OIDC. I suspect there is some issue with the claim rules. AD: Microsoft Windows 2016. Error:
```text
09:15:41 [application-akka.actor.default-dispatcher-19] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
09:15:41 [application-akka.actor.default-dispatcher-19] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
09:15:43 [application-akka.actor.default-dispatcher-19] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
09:15:43 [application-akka.actor.default-dispatcher-19] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
09:15:45 [application-akka.actor.default-dispatcher-17] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
09:15:45 [application-akka.actor.default-dispatcher-17] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
09:15:47 [application-akka.actor.default-dispatcher-4] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
09:15:47 [application-akka.actor.default-dispatcher-4] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
09:15:49 [application-akka.actor.default-dispatcher-3] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
09:15:49 [application-akka.actor.default-dispatcher-3] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
09:15:50 [application-akka.actor.default-dispatcher-3] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
09:15:50 [application-akka.actor.default-dispatcher-3] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
09:15:52 [application-akka.actor.default-dispatcher-20] ERROR o.p.o.c.extractor.OidcExtractor - Bad authentication response, error=server_error
09:15:52 [application-akka.actor.default-dispatcher-17] ERROR application -
 ->

play.api.UnexpectedException: Unexpected exception[CompletionException: java.lang.RuntimeException: Failed to authenticate current user. Cannot find valid identity provider profile in session]
        at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
        at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
        at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
        at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
        at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
        at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:91)
        at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
        at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:90)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:43)
        at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
        at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
        at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
        at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: java.lang.RuntimeException: Failed to authenticate current user. Cannot find valid identity provider profile in session
        at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
        at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
        at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1592)
        at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
        ... 6 common frames omitted
Caused by: java.lang.RuntimeException: Failed to authenticate current user. Cannot find valid identity provider profile in session
        at react.auth.AuthModule.handleOidcCallback(AuthModule.java:154)
        at react.auth.AuthModule.access$100(AuthModule.java:36)
        at react.auth.AuthModule$2.perform(AuthModule.java:86)
        at react.auth.AuthModule$2.perform(AuthModule.java:79)
        at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
        at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
        ... 7 common frames omitted
```

```properties
# Optional OIDC configs
AUTH_OIDC_USER_NAME_CLAIM=SamAccountName
#AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)
AUTH_OIDC_SCOPE=openid
```
b
What happens if you use the default username claim? Is that not stored in your identity store?
And if that isn't working, are you sure that SamAccountName is provided in the openid scope by your Identity provider?
r
@big-carpet-38439 Using username results in the error "missing attribute username". The IT guy provided me with a screenshot containing the defined claim rules. Let me ask him if SamAccountName is provided or not.
b
ask him if samaccountname is provided via the default openid scope
or if you need to add an additional requested scope
r
@big-carpet-38439 Now I have enabled the scopes allatclaims, email, openid, and profile. The claim rules are set as mentioned in the screenshot, but the user is unable to log out. On clicking the logout button, the user is redirected to the homepage. Can you please suggest something on this?
b
Hi there. Someone else is currently working on the IdP logout implementation
Currently logout only logs you out of DataHub
and not out of the IdP session
r
So does this mean that the user will be redirected to the DataHub homepage on logout?
b
User should be redirected to /login page, not the home page
If I remember correctly
Looking at the code now
Okay I see what's happening
It's deleting your DataHub session and then you are redirected to /authenticate, which then uses the IdP cookies to auto log you in. Since the IdP session was not explicitly killed, this results in a redirect to the homepage.
I've created an issue for this and am going to work with the person who is implementing it to get it fixed. Thanks for reporting.