Che-server to support custom email claim #21515

Closed
karatkep opened this issue Jun 28, 2022 · 3 comments
Labels
area/che-server kind/enhancement A feature request - must adhere to the feature request template. severity/P2 Has a minor but important impact to the usage or development of the system.

Comments

@karatkep

Is your enhancement related to a problem? Please describe

The access token generated by the Microsoft identity platform does not have an email claim. As a result we are getting java.lang.NullPointerException: Required non-null email:

```
-------------------------------------------------------------------
GMS: address=che-c9687bcc4-rf2hx-41803, cluster=EclipseLinkCommandChannel, physical address=10.0.1.17:7803
-------------------------------------------------------------------
2022-06-27 14:02:33,416[main]             [INFO ] [o.jgroups.protocols.pbcast.GMS 125]  - che-c9687bcc4-rf2hx-41803: no members discovered after 3095 ms: creating cluster as coordinator
2022-06-27 14:02:33,523[main]             [INFO ] [o.e.c.a.w.s.WorkspaceRuntimes 182]   - Configured factories for environments: '[kubernetes, no-environment]'
2022-06-27 14:02:33,523[main]             [INFO ] [o.e.c.a.w.s.WorkspaceRuntimes 183]   - Registered infrastructure 'kubernetes'
2022-06-27 14:02:33,579[main]             [INFO ] [o.e.c.a.w.s.WorkspaceRuntimes 694]   - Infrastructure is tracking 0 active runtimes that need to be stopped
2022-06-27 14:02:33,608[main]             [INFO ] [o.e.c.m.oidc.OIDCInfoProvider 71]    - Retrieving OpenId configuration from endpoint: https://sts.windows.net/{REPLACED}/v2.0/.well-known/openid-configuration
2022-06-27 14:02:34,212[main]             [INFO ] [o.e.c.m.oidc.OIDCInfoProvider 80]    - openid configuration = {REPLACED}
2022-06-27 14:02:34,329[main]             [INFO ] [o.e.c.a.c.u.ApiInfoLogInformer 36]   - Eclipse Che Api Core: Build info '7.50.0-SNAPSHOT' scmRevision '132e83a57e90100c6b5a4c604f591172f07b454e' implementationVersion '7.50.0-SNAPSHOT'
2022-06-27 14:02:34,415[main]             [WARN ] [p.s.AdminPermissionInitializer 69]   - Admin admin not found yet.
2022-06-27 14:02:34,430[main]             [INFO ] [o.e.c.c.metrics.MetricsServer 46]    - Metrics server started at port 8087 successfully 
27-Jun-2022 14:02:35.339 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/home/user/eclipse-che/tomcat/webapps/api.war] has finished in [39,010] ms
27-Jun-2022 14:02:35.341 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/home/user/eclipse-che/tomcat/webapps/swagger.war]
27-Jun-2022 14:02:35.619 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/home/user/eclipse-che/tomcat/webapps/swagger.war] has finished in [278] ms
27-Jun-2022 14:02:35.620 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/home/user/eclipse-che/tomcat/webapps/ROOT.war]
27-Jun-2022 14:02:39.011 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/home/user/eclipse-che/tomcat/webapps/ROOT.war] has finished in [3,391] ms
27-Jun-2022 14:02:39.016 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
27-Jun-2022 14:02:39.028 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [42897] milliseconds
2022-06-28 11:26:19,592[nio-8080-exec-1]  [ERROR] [o.a.c.c.C.[.[.[/api].[default] 175]  - Servlet.service() for servlet [default] in context with path [/api] threw exception
java.lang.NullPointerException: Required non-null email
	at java.base/java.util.Objects.requireNonNull(Objects.java:246)
	at org.eclipse.che.api.user.server.UserManager.getByEmail(UserManager.java:187)
	at org.eclipse.che.api.user.server.UserManager.getUserByEmail(UserManager.java:409)
	at org.eclipse.che.api.user.server.UserManager.getOrCreateUser(UserManager.java:301)
	at org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.extractSubject(OidcTokenInitializationFilter.java:87)
	at org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.extractSubject(OidcTokenInitializationFilter.java:45)
	at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:143)
	at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185)
...
```

Access token structure:

```
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI",
  "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI"
}.{
  "aud": "6dae42f8-4368-4678-94ff-3960e28e3630",
  "iss": "https://sts.windows.net/{REPLACED}/",
  "iat": 1656412511,
  "nbf": 1656412511,
  "exp": 1656417802,
  "acr": "1",
  "aio": "{REPLACED}",
  "amr": [
    "pwd"
  ],
  "appid": "{REPLACED}",
  "appidacr": "1",
  "family_name": "Kluklu",
  "given_name": "Tratata",
  "groups": [
  {REPLACED}
  ],
  "ipaddr": "1.2.3.3",
  "name": "Tratata Kluklu",
  "oid": "{REPLACED}",
  "onprem_sid": "{REPLACED}",
  "puid": "{REPLACED}",
  "rh": "{REPLACED}",
  "scp": "user.read",
  "sub": "{REPLACED}",
  "tid": "{REPLACED}",
  "unique_name": "Tratata.Kluklu@gmail.com",
  "upn": "Tratata.Kluklu@gmail.com",
  "uti": "{REPLACED}",
  "ver": "1.0",
  "wids": [
    {REPLACED}
  ]
}.[Signature]
```

Describe the solution you'd like

Extend che-server to support configuration of the email claim attribute, so that the user will be able to configure the email claim attribute name via the CheCluster custom resource:

```yaml
spec:
  components:
    cheServer:
      debug: true
      extraProperties:
        CHE_OIDC_EMAIL__CLAIM: unique_name
```

The same as for the name claim: https://github.com/eclipse-che/che-server/blob/4e1b90a5ae404ecfbe2c2fe0728ce3d9dd222ceb/multiuser/oidc/src/main/java/org/eclipse/che/multiuser/oidc/filter/OidcTokenInitializationFilter.java#L69

Describe alternatives you've considered

No response

Additional context

No response

@karatkep karatkep added the kind/enhancement A feature request - must adhere to the feature request template. label Jun 28, 2022
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jun 28, 2022
@dkwon17 dkwon17 added severity/P2 Has a minor but important impact to the usage or development of the system. area/che-server and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jun 28, 2022
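The claim-resolution logic the issue asks for, as an added example that is not che-server code and is not from the issue author. It models the proposed CHE_OIDC_EMAIL__CLAIM and the existing CHE_OIDC_USERNAME__CLAIM as two parameters (their default values here are assumptions, not Che's actual defaults), takes claims that have already been signature/issuer/audience/expiry verified, and replaces the NullPointerException from the trace with a descriptive error that lists which string claims the token actually carried. Two practitioner caveats are built in: `sub` stays the stable key for the user record, because Azure AD's `unique_name` and `upn` are mutable display-style values and should not become the primary identity; and whatever claim is configured as the email source is shape-checked, since pointing CHE_OIDC_EMAIL__CLAIM at `name` or `oid` would otherwise silently store a non-address as the user's email. The sample claims are constructed and modelled on the token shown in the issue.

```python
"""Resolve a Che-style user identity from already-verified OIDC claims.

Constructed example, not che-server code. The `email_claim` and
`username_claim` parameters model the proposed CHE_OIDC_EMAIL__CLAIM and the
existing CHE_OIDC_USERNAME__CLAIM settings; their default values here are
assumptions, not Che's actual defaults.
"""
import re
from typing import Any, Mapping, Tuple

# Loose shape check: enough to reject display names, SIDs and object ids
# that would otherwise be stored as a user's email address.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class MissingClaimError(ValueError):
    """Raised when a required claim is absent, instead of a NullPointerException."""


def require_claim(claims: Mapping[str, Any], name: str) -> str:
    """Return the non-empty string value of `name`, or fail with a useful message."""
    value = claims.get(name)
    if not isinstance(value, str) or not value:
        present = sorted(k for k, v in claims.items() if isinstance(v, str))
        raise MissingClaimError(
            f"token has no usable '{name}' claim; string claims present: {present}"
        )
    return value


def resolve_identity(
    claims: Mapping[str, Any],
    email_claim: str = "email",
    username_claim: str = "preferred_username",
) -> Tuple[str, str, str]:
    """Return (subject, username, email) for a token whose signature, issuer,
    audience and expiry have already been verified. This function trusts its
    input; it only decides which claims populate the user record.
    """
    # `sub` is the stable key for the user record; `unique_name`/`upn`-style
    # claims are mutable and belong in the username/email fields only.
    subject = require_claim(claims, "sub")
    username = require_claim(claims, username_claim)
    email = require_claim(claims, email_claim)
    if not _EMAIL_RE.match(email):
        raise ValueError(
            f"claim '{email_claim}' does not look like an email address: {email!r}"
        )
    return subject, username, email


# Constructed claims modelled on the Azure AD v1.0 access token in the issue:
# there is no `email` claim, but `unique_name` and `upn` carry the address.
AZURE_V1_CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sub": "opaque-subject-id",
    "oid": "11111111-2222-3333-4444-555555555555",
    "name": "Tratata Kluklu",
    "unique_name": "Tratata.Kluklu@example.com",
    "upn": "Tratata.Kluklu@example.com",
    "ver": "1.0",
}

# Constructed claims from a provider that emits the standard OIDC `email` claim.
STANDARD_CLAIMS = {
    "iss": "https://idp.example.com/",
    "sub": "user-42",
    "preferred_username": "tkluklu",
    "email": "tkluklu@example.com",
}


def demo() -> dict:
    """Run the three configurations side by side and report the outcome."""
    results = {}
    try:  # default email claim against the Azure token: the issue's failure
        results["azure_default"] = resolve_identity(AZURE_V1_CLAIMS, username_claim="name")
    except MissingClaimError as e:
        results["azure_default"] = f"rejected: {e}"
    # the proposed fix: CHE_OIDC_EMAIL__CLAIM=unique_name
    results["azure_custom"] = resolve_identity(
        AZURE_V1_CLAIMS, email_claim="unique_name", username_claim="name"
    )
    results["standard"] = resolve_identity(STANDARD_CLAIMS)
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key}: {outcome}")
```

Note that the shape check is deliberately loose: its job is to catch a misconfigured claim name at login time, not to validate addresses, and the stable `sub` (or Azure's immutable `oid`) is what the user record should be keyed on regardless of which claim supplies the displayed email.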
@tolusha
Contributor

tolusha commented Jun 29, 2022

I am wondering if CHE_OIDC_USERNAME__CLAIM: "unique_name" can actually help

@karatkep
Author

karatkep commented Jul 5, 2022

Opened eclipse-che/che-server#324 to implement proposed improvements.
