
OpenID users are not associated with a team

Open dsaffie opened this issue 2 years ago • 2 comments

Current Behavior:

User logs in with OpenID for the first time via Azure Active Directory. The 'OpenID Connect Users' page on DT shows user has been created, but is not associated with any team as was expected. As Administrator, adding the new OpenID user to a team updates the user's profile to confirm their association with a team, but the 'Teams' page does not show the user is part of a team. Manually giving the user individual permissions does work.

I have been successful creating a Managed User and associating that user with a team.

Steps to Reproduce:

  1. Configure Azure App Registration for Dependency-Track (i.e. set Redirect URL)
  2. Modify docker-compose.yml to configure OpenID as follows (sensitive info is redacted):

     API Server:

       - ALPINE_OIDC_ENABLED=true
       - ALPINE_OIDC_ISSUER=https://login.microsoftonline.com/<tenant-id>/v2.0
       - ALPINE_OIDC_CLIENT_ID=<client-id>
       - ALPINE_OIDC_USERNAME_CLAIM=preferred_username
       - ALPINE_OIDC_TEAMS_CLAIM=groups
       - ALPINE_OIDC_USER_PROVISIONING=true
       - ALPINE_OIDC_TEAM_SYNCHRONIZATION=true

     Frontend:

       - OIDC_ISSUER=https://login.microsoftonline.com/<tenant-id>/v2.0
       - OIDC_CLIENT_ID=<client-id>

  3. Start Dependency-Track via Docker-Compose
  4. Create security group in Azure Active Directory and add users
  5. Log in to Dependency-Track as Administrator
  6. From 'Access Management' add a new OpenID Connect Group using the group ID from step 4 and map the group to the Administrators team
  7. One of the members of the security group created in step 4 logs in to Dependency-Track via OpenID, but has no permissions
  8. As Administrator, confirm user profile exists under 'OpenID Connect Users' but user is not associated with any team
  9. Manually add user to Administrators team, but the 'Teams' page does not show user associated with Administrators team (or any other team)

Expected Behavior:

OpenID Connect User should be a member of the team mapped to their OpenID Connect Group after logging in for the first time. Manually adding the user to a team should make them a member of that team.

Environment:

  • Dependency-Track Version: 4.4.1
  • Distribution: Docker
  • BOM Format & Version: JSON
  • Database Server: H2
  • Browser: Google Chrome 99.0.4844.74

Additional Details:

I followed this tutorial for configuring Dependency-Track with OpenID.

Users can successfully authenticate to Dependency-Track with OpenID and as Administrator, I can confirm the user profile exists under 'OpenID Connect Users' and that they are associated with the 'OpenID Connect Group' I previously created. In addition, I can go back and confirm that 'OpenID Connect Group' is mapped to a team (I've tried Administrators and a custom defined team).

If I manually add the 'OpenID Connect User' to a team, their user profile shows their association with a team, but if I go to the 'Teams' page, that user is not listed as a member of that team.

I can manually give the 'OpenID Connect User' the same permissions as that team and those permissions are successful, in that the user can now access what I gave them permission for.

I can create a managed user and add them to a team manually without issue.

dsaffie, Mar 22 '22 13:03

Can you try to enable DEBUG loglevel and see if the group claim is actually populated? I see that the tutorial instructs you to use sAMAccountname, but I am not sure if this will work for Azure AD groups (might only work for on premise AD groups synced to Azure AD).

valentijnscholten, Apr 09 '22 15:04

I am facing the same problem. After I enabled DEBUG, in docker:

services:
  dtrack-apiserver:
    container_name: dtrack_backend
    image: dependencytrack/apiserver
    environment:
         - LOGGING_LEVEL=DEBUG
...

I found the following log:

dtrack_backend      | 2022-07-05 12:53:37,381 DEBUG [OidcIdTokenAuthenticator] ID token claims: {"sub":"NbMvTTumgdkPssaazitoRRVbBJhZuvc0AR5Il55iqFE","ver":"2.0","iss":"https:\/\/login.microsoftonline.com\/kgd654er-9ffd-4rrc-9ttt1-32uuuu9f0a8b\/v2.0","groups":["kgd654er-eec7-43zz-9uub-65ii0473fa08"],"oid":"kgd654er-6fc3-47ce-ba7d-e76e63f89629","preferred_username":"[email protected]","uti":"XCk7owQRYkeADq7gEddCvv","tid":"kgd654er-9jjj-4kkk-9lll-32ez669f0a8b","aud":"kgd654er-468f-46aa-9d38-8e28f59a7b9f","nbf":1657025316,"rh":"0.ATEAubm7492dDESW0TLb5p8KddxkarSPRqpGnTiOKPWae58xAII.","name":"My User","exp":1657029216,"iat":1657025316,"email":"[email protected]"}

In Azure, I set the groups claim to be sAMAccountname, but I get the ID of the group.

Workaround: Set this Group ID as the Group Name in the OpenID Connect Groups, then it works as expected

kindlydodo, Jul 05 '22 13:07
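To check which teams a given ID token would actually be synced to, the following added example (not Dependency-Track's own code) pulls the claims JSON out of an `[OidcIdTokenAuthenticator]` DEBUG line like the one above and matches the `groups` claim values verbatim against a table of configured OpenID Connect Group names, which is the hypothetical model of the mapping behaviour the workaround relies on. The log line and all identifiers are constructed; `parse_claims`, `sync_teams` and `GROUP_MAPPINGS_*` are names chosen for this example.

```python
"""Check which Dependency-Track teams an OIDC ID token's groups claim would map to."""
import json
import re

# Constructed sample in the shape of the DEBUG line quoted above; the tenant
# and group identifiers are made up, not real Azure AD object IDs.
SAMPLE_LOG_LINE = (
    'dtrack_backend      | 2022-07-05 12:53:37,381 DEBUG [OidcIdTokenAuthenticator] '
    'ID token claims: {"sub":"AAAA","ver":"2.0",'
    '"iss":"https:\\/\\/login.microsoftonline.com\\/00000000-0000-0000-0000-000000000001\\/v2.0",'
    '"groups":["11111111-2222-3333-4444-555555555555"],'
    '"preferred_username":"user@example.com","name":"My User"}'
)
TEAMS_CLAIM = "groups"  # matches ALPINE_OIDC_TEAMS_CLAIM=groups from the issue

# Mapping as the tutorial suggests (group display name) versus the workaround
# (group Object ID). Team names are constructed for this example.
GROUP_MAPPINGS_BY_NAME = {"DT-Admins": "Administrators"}
GROUP_MAPPINGS_BY_OBJECT_ID = {"11111111-2222-3333-4444-555555555555": "Administrators"}


def parse_claims(log_line: str) -> dict:
    """Extract and decode the JSON claims object from the DEBUG line.

    json.loads also unescapes the '\\/' sequences the log writer emits in 'iss'.
    """
    match = re.search(r"ID token claims: (\{.*\})\s*$", log_line)
    if not match:
        raise ValueError("no 'ID token claims:' payload in log line")
    return json.loads(match.group(1))


def sync_teams(claims: dict, group_mappings: dict, teams_claim: str = TEAMS_CLAIM) -> dict:
    """Match every value of the teams claim verbatim against configured OIDC group names.

    Hypothetical model of the behaviour described in the issue: a claim value
    that equals no configured group name contributes no team membership.
    """
    values = claims.get(teams_claim, [])
    if isinstance(values, str):  # some IdPs emit a single group as a bare string
        values = [values]
    matched = {v: group_mappings[v] for v in values if v in group_mappings}
    unmatched = [v for v in values if v not in group_mappings]
    return {"teams": sorted(set(matched.values())), "unmatched": unmatched}


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_LOG_LINE)
    print("by display name:", sync_teams(claims, GROUP_MAPPINGS_BY_NAME))
    print("by object id:   ", sync_teams(claims, GROUP_MAPPINGS_BY_OBJECT_ID))
```

Running it shows the display-name mapping leaves the GUID unmatched (no team, hence no permissions), while the Object ID mapping resolves to Administrators.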

This also works for me, get the group id (Object Id in AAD) and add a mapping to this instead of the group name, Thanks!

ursweltert, Aug 03 '23 14:08