ansible/awx

OIDC social login does not support group mapping

Open

#13226 opened on Nov 22, 2022

7 comments, 6 reactions, 0 assignees. Python, 13,071 stars, 3,333 forks.
Labels: community, component:api, component:authentication, component:ui, help wanted, type:bug

Description

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.

Bug Summary

OIDC login fails with a Python exception when the OIDC auth-flow response returns a groups attribute.

AWX version

21.8.0

Select the relevant components

  • UI
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

docker development environment

Modifications

no

Ansible version

n/a

Operating system

n/a

Web browser

Firefox, Chrome, Edge

Steps to reproduce

Configure OIDC to use Keycloak SSO. Enable groups to be returned in the OIDC response. AWX will throw the following error when creating new users via the OIDC login flow:

TypeError: Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead. 2022-11-22 20:51:57,430 ERROR [cba2cb8d] django.request Internal Server Error: /sso/complete/oidc/

full stack trace:

2022-11-22 20:51:57,430 ERROR [cba2cb8d] django.request Internal Server Error: /sso/complete/oidc/
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/lib64/python3.9/contextlib.py", line 79, in inner
    return func(*args, **kwds)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/backends/oauth.py", line 401, in auth_complete
    return self.do_auth(response['access_token'], response=response,
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/backends/oauth.py", line 413, in do_auth
    return self.strategy.authenticate(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_django/strategy.py", line 105, in authenticate
    return authenticate(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/contrib/auth/__init__.py", line 76, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/backends/base.py", line 80, in authenticate
    return self.pipeline(pipeline, *args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/backends/base.py", line 83, in pipeline
    out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/backends/base.py", line 113, in run_pipeline
    result = func(*args, **out) or {}
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/social_core/pipeline/user.py", line 119, in user_details
    setattr(user, name, value)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/models/fields/related_descriptors.py", line 545, in __set__
    raise TypeError(
TypeError: Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.
2022-11-22 20:51:57,433 DEBUG [cba2cb8d] awx.analytics.performance request: <WSGIRequest: GET '/sso/complete/oidc/?state=Qw0PHaBDDAfxMjprnNpAvU7nQSB6ewex&session_state=c5ce4638-ffb9-4e1e-b11e-922588481534&code=52158dbc-4d16-469a-9bdf-f65b6e294507.c5ce4638-ffb9-4e1e-b11e-922588481534.de394b3f-9c5f-43b8-99a9-84b43254e08f'>, response_time: 0.763s
172.18.0.1 GET /sso/complete/oidc/?state=Qw0PHaBDDAfxMjprnNpAvU7nQSB6ewex&session_state=c5ce4638-ffb9-4e1e-b11e-9

Expected results

Login succeeds and the user is able to log in with OIDC groups mapped to AWX groups/teams.

Actual results

Login fails.

Additional information

No response
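The mechanism behind the trace, as an added example that is not AWX's or python-social-auth's code: the `user_details` pipeline step applies every key of the provider's `details` dict to the Django user with `setattr()`, so a `groups` claim coming back from Keycloak lands on `User.groups`, which is a many-to-many relation whose descriptor refuses direct assignment. Django is not imported here; a small `ManyToManyStandIn` descriptor reproduces only the part of `ManyToManyDescriptor` that matters (assignment raises `TypeError`, reading returns a manager with `.set()`). The example assumes the `groups` claim reaches the `details` dict that the step iterates, as the trace shows it does; the claims, the `is_superuser` key, the `/awx-admins` and `/devops` group paths and the group-to-team map are all constructed for the example. The guarded variant shows the shape a fix would take: copy an allow-list of profile fields, and map groups explicitly through `.set()` instead of by attribute name.

```python
class RelatedSet:
    """Stand-in for a Django related manager: only .set() and .all()."""

    def __init__(self):
        self._items = set()

    def set(self, items):
        self._items = set(items)

    def all(self):
        return sorted(self._items)


class ManyToManyStandIn:
    """Same contract as Django's ManyToManyDescriptor for this purpose:
    reading returns a manager, assigning raises TypeError."""

    def __init__(self, name):
        self.name = name

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        return obj.__dict__.setdefault("_" + self.name, RelatedSet())

    def __set__(self, obj, value):
        raise TypeError(
            "Direct assignment to the forward side of a many-to-many set is "
            "prohibited. Use %s.set() instead." % self.name
        )


class User:
    """Minimal stand-in for django.contrib.auth.models.User."""

    groups = ManyToManyStandIn("groups")

    def __init__(self, username):
        self.username = username
        self.first_name = ""
        self.last_name = ""
        self.email = ""
        self.is_superuser = False


# Constructed `details`, shaped like what a Keycloak client with a group
# membership mapper returns. `is_superuser` is included only to show that the
# allow-list drops claims that are not profile fields; whether the real
# pipeline protects that field depends on the social-core version and is
# not modelled here.
CONSTRUCTED_DETAILS = {
    "username": "alice",
    "email": "alice@example.test",
    "first_name": "Alice",
    "last_name": "Example",
    "groups": ["/awx-admins", "/devops"],
    "is_superuser": True,
}

# Hypothetical IdP group path -> AWX team name mapping.
CONSTRUCTED_GROUP_MAP = {"/awx-admins": "Admins", "/devops": "DevOps"}

PROFILE_FIELDS = ("first_name", "last_name", "email")


def naive_user_details(user, details):
    """Shape of the failing step: every claim is applied by attribute name."""
    for name, value in details.items():
        setattr(user, name, value)


def guarded_user_details(user, details, allowed=PROFILE_FIELDS, group_map=None):
    """Copy only allow-listed scalar fields; map `groups` explicitly via .set().

    Returns (changed_fields, mapped_groups). IdP groups without a mapping are
    dropped rather than created, so the IdP cannot mint AWX teams by name.
    """
    changed = []
    for name in allowed:
        if name in details and getattr(user, name) != details[name]:
            setattr(user, name, details[name])
            changed.append(name)

    claim = details.get("groups") or []
    if isinstance(claim, str):  # tolerate a single group emitted as a string
        claim = [claim]
    group_map = group_map or {}
    mapped = sorted({group_map[g] for g in claim if g in group_map})
    user.groups.set(mapped)
    return changed, mapped


def reproduce_failure(details=CONSTRUCTED_DETAILS):
    """Run the naive step; return the TypeError message, or None if it passed."""
    try:
        naive_user_details(User("alice"), details)
    except TypeError as exc:
        return str(exc)
    return None


def apply_guarded(details=CONSTRUCTED_DETAILS, group_map=CONSTRUCTED_GROUP_MAP):
    """Run the guarded step on a fresh user; return (user, changed, mapped)."""
    user = User("alice")
    changed, mapped = guarded_user_details(user, details, group_map=group_map)
    return user, changed, mapped


if __name__ == "__main__":
    print("naive step:", reproduce_failure())
    user, changed, mapped = apply_guarded()
    print("guarded step: changed=%s teams=%s superuser=%s"
          % (changed, user.groups.all(), user.is_superuser))
```

Run stand-alone, the naive step prints the same `Direct assignment to the forward side of a many-to-many set is prohibited` message the trace ends with; the guarded step updates the three profile fields, assigns the two mapped teams, and leaves `is_superuser` untouched. The design point is that group membership is authorization data, so it should go through an explicit, administrator-controlled mapping rather than whatever attribute happens to share its name.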
