Can't login with user without email (Keycloak provider) #769
Comments
I'll post the Pull Request today or tomorrow which fixes the issue.
I also wonder if it's not a bug in case we set
I think I would have expected a user to be allowed if they have no email and the wildcard was set. Not sure if this would constitute a breaking change or not 🤔
Good question @JoelSpeed. I would say that it's not breaking and it wasn't explicitly described in docs before. I think a lot of people could have expected that ALL emails will be validated as docs say
I've thought many times this line Line 100 in ef08d01
I think when I last looked into it, this behavior is why so many token -> session converter parts of the code set the session.Email to claim.Subject if there's no claim.Email.
OK, guys. Regarding your comments here and in PR - I see that is going to be released with the next minor or major release. When do you plan such a release? When could we expect it to land in some official Docker image? BTW. Are there any more actions required from my side for now?
One more thing which might be also the solution for security concerns, tool stability and probable fastest release date. Maybe we could introduce some extra flag like What do you think?
I get a sense that with what @macrame reported in #766 this might actually be due to the emails not being available in the checked claims. Either because they're not set properly by the mappers, or because the claims are not read properly. I'm digging a bit more right now. I'm experiencing the same problem.
Nevermind, I have no idea what the problem is, and it's not the mappers.
Nevernevermind. It was the mappers. The default mapper for groups in Keycloak does something, and it's not the right thing. Creating a custom mapper for groups with the
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Hi, I would like you to reconsider this issue.
@gustabart If you are using Keycloak I recommend you connect to it via the OIDC Provider instead of the Keycloak provider until this PR is merged: #1107 The
Otherwise set
Thanks for the reply Nick.

```go
import (
	"fmt"
	"strings"
)

// newValidatorImpl builds the email validator from the allowed domain list and
// the authenticated-users file. NewUserMap is the project's own type and is not
// shown here.
func newValidatorImpl(domains []string, usersFile string,
	done <-chan bool, onUpdate func()) func(string) bool {
	validUsers := NewUserMap(usersFile, done, onUpdate)

	// "*" means every email is accepted; every other entry becomes a
	// lower-case "@domain" suffix to match against.
	var allowAll bool
	for i, domain := range domains {
		if domain == "*" {
			allowAll = true
			continue
		}
		domains[i] = fmt.Sprintf("@%s", strings.ToLower(domain))
	}

	validator := func(email string) (valid bool) {
		// Empty emails are rejected here, before allowAll is ever consulted.
		if email == "" {
			return
		}
		email = strings.ToLower(email)
		for _, domain := range domains {
			valid = valid || strings.HasSuffix(email, domain)
		}
		if !valid {
			valid = validUsers.IsValid(email)
		}
		if allowAll {
			valid = true
		}
		return valid
	}
	return validator
}
```

The first if is the problem, when email == "", the function returns regardless of whether allowAll is true.
If you are using this for Bearer auth, this is the fallback code for no oauth2-proxy/providers/oidc.go Line 192 in 5497310
If you are interactive, and you still get nothing from the userinfo endpoint during the EnrichSession stage, I recommend you have in
Ok, with --oidc-email-Claim set to sub, it works!
We have the use case where we want to allow users defined in Keycloak to log in to some website after successful login and we use OAuth2 Proxy for that. The issue is that we have those users defined without email addresses in Keycloak and OAuth2 Proxy reports an error because of that.
Expected Behavior
I expect that it is possible to login for users that do not have email defined in KeyCloak.
Current Behavior
As for now OAuth2 Proxy reports 403 error:
With the following line in logs:
172.17.0.1:40206 - - [2020/09/08 10:19:38] [AuthFailure] Invalid authentication via OAuth2: unauthorized
Possible Solution
Introduce some kind of option/flag to allow email-less users to log in and modify the email validator code (
oauth2-proxy/validator.go
Line 90 in d69fd6a
Steps to Reproduce (for bugs)
Your Environment
Code references
Error log source:
oauth2-proxy/oauthproxy.go
Line 817 in 73f0094
Validator login for empty email:
oauth2-proxy/validator.go
Line 90 in d69fd6a
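The ordering problem described in the thread (the `email == ""` early return runs before `allowAll` is consulted) and the "Possible Solution" above can be shown side by side. The following is an added example written for this page, not oauth2-proxy's own code: `newValidatorAsPosted` keeps the check order from the validator quoted in the comments, `newValidatorFixed` consults the `*` wildcard first, and a plain map (labelled as a constructed stand-in) replaces the project's `NewUserMap`. With the wildcard, an email-less user is admitted only by the fixed version; without it, both versions still reject an empty email, because an empty string can never match a domain suffix or a user list entry.

```go
package main

import (
	"fmt"
	"strings"
)

// buildDomainList mirrors the domain normalisation from the validator quoted
// in the thread: "*" switches on allowAll, every other entry becomes a
// lower-case "@domain" suffix.
func buildDomainList(domains []string) (suffixes []string, allowAll bool) {
	for _, d := range domains {
		if d == "*" {
			allowAll = true
			continue
		}
		suffixes = append(suffixes, "@"+strings.ToLower(d))
	}
	return suffixes, allowAll
}

// newValidatorAsPosted keeps the check order from the thread: the empty-email
// test runs first, so "*" never gets a chance to admit an email-less user.
// validUsers is a constructed in-memory stand-in for the project's UserMap.
func newValidatorAsPosted(domains []string, validUsers map[string]bool) func(string) bool {
	suffixes, allowAll := buildDomainList(domains)
	return func(email string) bool {
		if email == "" {
			return false // returns before allowAll is consulted
		}
		email = strings.ToLower(email)
		valid := false
		for _, s := range suffixes {
			valid = valid || strings.HasSuffix(email, s)
		}
		if !valid {
			valid = validUsers[email]
		}
		if allowAll {
			valid = true
		}
		return valid
	}
}

// newValidatorFixed consults allowAll before the empty-email early return, so a
// wildcard admits users with no email claim. Any other configuration still
// rejects them: "" matches no "@domain" suffix and is never a user list entry.
func newValidatorFixed(domains []string, validUsers map[string]bool) func(string) bool {
	suffixes, allowAll := buildDomainList(domains)
	return func(email string) bool {
		if allowAll {
			return true
		}
		if email == "" {
			return false
		}
		email = strings.ToLower(email)
		for _, s := range suffixes {
			if strings.HasSuffix(email, s) {
				return true
			}
		}
		return validUsers[email]
	}
}

func main() {
	// Constructed sample data: one explicitly listed user, two domain configs.
	users := map[string]bool{"alice@example.org": true}
	for _, cfg := range [][]string{{"*"}, {"example.com"}} {
		posted := newValidatorAsPosted(cfg, users)
		fixed := newValidatorFixed(cfg, users)
		for _, email := range []string{"", "Bob@Example.COM", "alice@example.org", "eve@evil.test"} {
			fmt.Printf("domains=%v email=%q posted=%t fixed=%t\n", cfg, email, posted(email), fixed(email))
		}
	}
}
```

Moving the wildcard test ahead of the empty-email test is the whole change; the domain-suffix and user-list paths behave exactly as before, which is what makes the fix safe for deployments that do not use `*`.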