You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@airavata.apache.org by "Marcus Christie (Jira)" <ji...@apache.org> on 2020/09/02 14:34:00 UTC
[jira] [Comment Edited] (AIRAVATA-3319) Handle missing name and
email attributes from CILogon
[ https://issues.apache.org/jira/browse/AIRAVATA-3319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17189273#comment-17189273 ]
Marcus Christie edited comment on AIRAVATA-3319 at 9/2/20, 2:33 PM:
--------------------------------------------------------------------
In Keycloak, when federating identity with an OIDC IdP, preferred_username is set based on :
1. The {{preferred_username}} in the ID token from the OIDC IdP if not null,
2. Then {{email}} if not null
3. Finally if neither of the previous claims are available, {{sub}} is used as the preferred_username.
See https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L469-L477
We have seen instances where a user will end up with a username in Keycloak that is the CILogon {{sub}} identifier (something like "http://cilogon.org/serverA/users/12345"), and this must be because their IdP doesn't release the 'email' attribute. It doesn't look like CILogon ever returns {{preferred_username}}, so Keycloak will either use {{email}} or {{sub}}, in that order.
was (Author: marcuschristie):
In Keycloak, when federating identity with an OIDC IdP, preferred_username is set based on :
1. The `preferred_username` in the ID token from the OIDC IdP if not null,
2. Then `email` if not null
3. Finally if neither of the previous claims are available, `sub` is used as the preferred_username.
See https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L469-L477
We have seen instances where a user will end up with a username in Keycloak that is the CILogon `sub` identifier (something like "http://cilogon.org/serverA/users/12345"), and this must be because their IdP doesn't release the 'email' attribute. It doesn't look like CILogon ever returns `preferred_username`, so Keycloak will either use `email` or `sub`, in that order.
> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>
> Key: AIRAVATA-3319
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3319
> Project: Airavata
> Issue Type: New Feature
> Components: Django Portal
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> {quote}
> tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert email addresses and names for new users of OAuth2/OIDC (OpenID Connect) clients.
> {quote}
> [https://groups.google.com/a/cilogon.org/forum/#!topic/outages/kksaYVrW1Io]
> This issue to design a user authentication flow that handles missing attributes and prompts the user to supply them as necessary.
> h2. Questions
> - [ ] Will we always get a {{preferred_username}} attribute? Question for CILogon team
> - [ ] what will Keycloak do if any of these attributes are missing?
> - [ ] can we setup a test setup where CILogon doesn't return email/firstName/lastName?
> h2. TODO
> - [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute as the primary identifier for users
> h2. Design
> h3. User doesn't have first name and/or last name attributes
> - callback handles user authentication
> - fetch userinfo and check for missing attributes
> - note that first and/or last name are missing
> - disable user in Keycloak
> - (?) Question: log the user in with a flag that profile is not complete? Or don't log the user in and put the user information somewhere in the session?
> -- I think, log the user in but set a session flag that the profile is not complete. in workspace/signals.py and in the UI use this to prevent API calls and to prevent the user from seeing UIs that they can't yet interact with.
> - redirect user to web form with profile information filled in
> -- email
> -- email again
> -- first name (if available)
> -- last name (if available)
> - user submits form
> - validate form
> - if form is valid and all required information is supplied, then ...
> -- update the user record in Keycloak
> -- enable the user
> h3. User doesn't have email attribute
> Similar flow to above except
> - send the user an email verification link if the profile is complete and the email address has been supplied
> -- more generally, if the user updates their profile information and the email changes, need to re-verify the email address
> - when the email verification link is clicked, re-check the the profile is complete
> - if profile is complete, update the user record and enable the user
> - otherwise kick the user to the profile form and require the missing profile attributes
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)