
New user is auto-created or can not log in

Open timm-e opened this issue 1 year ago • 3 comments

**Describe the bug**

I create users in Auth0 and in Boundary. If user auto-creation (OIDC primary auth method) is off, the user cannot log in. If auto-creation is on, a new user/account with the same "Login Name" is created.

I would expect that the existing user/account is picked if the "Login Name" is the same.

**To Reproduce**

Steps to reproduce the behavior:

0. Run `auth0 users create --name "John Doe" --email [email protected] --connection-name "Username-Password-Authentication" --username doe`; get ID `auth0|645f24fa253a74d4ee92daa5`
1. Run `boundary authenticate ...`
2. Run `boundary accounts create oidc -subject 'auth0|645f24fa253a74d4ee92daa5' -issuer https://inqi.eu.auth0.com -auth-method-id amoidc_21wSkiiu82`; get ID `acctoidc_NqJV4zRu3H`
3. Run `boundary users create -name [email protected] -description "John Doe"`; get ID `u_TZ9JN7n1Vh`
4. Run `boundary users add-accounts -account acctoidc_NqJV4zRu3H -id u_TZ9JN7n1Vh`
5. Logging in as "[email protected]" via OIDC to scope global via the web interface gives the error:

   > Could not authenticate. Something went wrong while authenticating. Please close this window and try again. If the problem persists, notify your administrator. Copy error detail to clipboard

   with the error detail URL:

   ```
   https://boundary.inqi.essigke.net/authentication-error?error=%7B%22kind%22%3A%22Internal%22%2C+%22message%22%3A%22authmethod_service.%28Service%29.authenticateOidcCallback%3A+Callback+validation+failed.%3A+parameter+violation%3A+error+%23100%3A+oidc.Callback%3A+iam.%28Repository%29.LookupUserWithLogin%3A+user+not+found+for+account+acctoidc_BenZ80tFEb+and+auth+method+is+not+primary+for+the+scope+so+refusing+to+auto-create+user%3A+search+issue%3A+error+%231100%22%7D
   ```

   The result is the same for `boundary authenticate oidc -auth-method-id amoidc_21wSkiiu82`.
6. Enable OIDC as primary authentication method and repeat 5.
7. Authentication is successful; a new account is created with `acctoidc_BenZ80tFEb` and a user is created with `u_JFQhJiiSNY`:

   ```
   ID:                  u_TZ9JN7n1Vh
   Version:             2
   Name:                [email protected]
   Description:         John Doe
   Primary Account ID:  acctoidc_NqJV4zRu3H
   Login Name:          auth0|645f24fa253a74d4ee92daa5
   Authorized Actions:  no-op read update delete add-accounts set-accounts remove-accounts

   ID:                  u_JFQhJiiSNY
   Version:             1
   Primary Account ID:  acctoidc_BenZ80tFEb
   Login Name:          auth0|645f24fa253a74d4ee92daa5
   Authorized Actions:  no-op read update delete add-accounts set-accounts remove-accounts
   ```

**Expected behavior**

I expected that the "Login Name" is searched and, if it is found, the existing user account is used for authentication. No duplicates with the same "Login Name" should be generated.

**Additional context**

The boundary version is v0.12.1

timm-e, May 13 '23 06:05

I'm unable to reproduce this issue.

Creating a user in an org and assigning it an account:

```
boundary users create --scope-id o_1234567890
boundary accounts create oidc --auth-method-id=amoidc_rGvblYuNMK --subject "auth0|5fac37315d761a006b1566be"
boundary users set-accounts -id u_OlCtfTmMwu -account acctoidc_StrfgS4I50
❯ boundary accounts read -id acctoidc_StrfgS4I50

Account information:
  Auth Method ID:      amoidc_rGvblYuNMK
  Created Time:        Sat, 13 May 2023 06:23:34 EDT
  ID:                  acctoidc_StrfgS4I50
  Type:                oidc
  Updated Time:        Sat, 13 May 2023 06:23:34 EDT
  Version:             1

  Scope:
    ID:                o_1234567890
    Name:              Generated org scope
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete

  Attributes:
    issuer:            https://jimlambert.auth0.com/
    subject:           auth0|5fac37315d761a006b1566be
```

I did not make the auth method primary.

After successful authentication:

```
❯ boundary accounts read -id acctoidc_StrfgS4I50

Account information:
  Auth Method ID:      amoidc_rGvblYuNMK
  Created Time:        Sat, 13 May 2023 06:23:34 EDT
  ID:                  acctoidc_StrfgS4I50
  Type:                oidc
  Updated Time:        Sat, 13 May 2023 06:25:29 EDT
  Version:             2

  Scope:
    ID:                o_1234567890
    Name:              Generated org scope
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete

  Attributes:
    issuer:            https://jimlambert.auth0.com/
    subject:           auth0|5fac37315d761a006b1566be
    token_claims:
    {
    "aud": "ErPjvmZZwXxIhfCxCL4xOq0bs6fPnIWC",
    "exp": 1684009529,
    "iat": 1683973529,
    "iss": "https://jimlambert.auth0.com/",
    "nonce": "C9rta8qEWUp4xvdst4Hr",
    "sid": "KOzqv8Z43V5DUOdIgzPpkXM3OLLqhzvS",
    "sub": "auth0|5fac37315d761a006b1566be"
    }
    userinfo_claims:
    {
    "sub": "auth0|5fac37315d761a006b1566be"
    }
```

```
❯ boundary version

Version information:
  Build Date:          2023-04-28T11:35:54Z
  Git Revision:        667ea285befe7af3d1ef875769e277869db7f8fd+CHANGES
  Version Number:      0.12.1
```

jimlambrt, May 13 '23 10:05

FYI, boundary uses the `sub` from the inbound id_token to look up existing accounts.

jimlambrt, May 13 '23 11:05
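The lookup rule in the comment above, written out as a small runnable model. This is an added example and not Boundary's code: it keeps the behaviour the thread describes (the ID token's `sub` identifies the account, user names and e-mail addresses play no role in the match, a user who owns the account is returned whether or not the method is primary, and a missing user is auto-created only for the scope's primary auth method) and adds one assumption of its own, that the account's stored issuer must equal the token's `iss` exactly. The `Repository`, `AuthMethod`, `Account`, `User` and `callback` names and every identifier value are constructed for the example.

```python
"""Simplified model of the OIDC callback: account lookup by ID-token claims,
then user lookup, then user auto-creation only for a primary auth method.

Added example, not Boundary's code. The inbound ID token's `sub` identifies
the account; user names and e-mail addresses play no role; if no user owns
the account, a user is auto-created only when the auth method is the scope's
primary one. That the account's issuer must also equal the token's `iss` is
an assumption of this model. All identifiers are constructed sample values.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


class CallbackError(Exception):
    """The callback could not be mapped to an existing or auto-created user."""


@dataclass
class AuthMethod:
    id: str
    scope_id: str
    issuer: str


@dataclass
class Account:
    id: str
    auth_method_id: str
    issuer: str
    subject: str


@dataclass
class User:
    id: str
    name: Optional[str] = None
    account_ids: list = field(default_factory=list)


class Repository:
    """In-memory stand-in for the accounts/users store (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.users: dict = {}
        self.primary: dict = {}  # scope_id -> id of the scope's primary auth method
        self._seq = count(1)

    def _new_id(self, prefix: str) -> str:
        return f"{prefix}_{next(self._seq):010d}"

    def create_account(self, am: AuthMethod, subject: str,
                       issuer: Optional[str] = None) -> Account:
        # Like `boundary accounts create oidc`: the issuer defaults to the auth method's.
        acct = Account(self._new_id("acctoidc"), am.id, issuer or am.issuer, subject)
        self.accounts[acct.id] = acct
        return acct

    def create_user(self, name: Optional[str] = None) -> User:
        user = User(self._new_id("u"), name)
        self.users[user.id] = user
        return user

    def add_account(self, user_id: str, account_id: str) -> None:
        self.users[user_id].account_ids.append(account_id)

    def set_primary(self, scope_id: str, auth_method_id: str) -> None:
        self.primary[scope_id] = auth_method_id

    def find_account(self, am: AuthMethod, iss: str, sub: str) -> Optional[Account]:
        """Exact string match on auth method, issuer and subject; names are ignored."""
        for acct in self.accounts.values():
            if (acct.auth_method_id, acct.issuer, acct.subject) == (am.id, iss, sub):
                return acct
        return None

    def lookup_user_with_login(self, account_id: str) -> Optional[User]:
        return next((u for u in self.users.values() if account_id in u.account_ids), None)

    def callback(self, am: AuthMethod, claims: dict) -> User:
        """Resolve a validated ID token's claims to a user, or raise CallbackError."""
        iss, sub = claims["iss"], claims["sub"]
        if iss != am.issuer:
            raise CallbackError(f"token issuer {iss!r} does not match the auth method issuer")
        acct = self.find_account(am, iss, sub)
        if acct is None:
            # Unknown (iss, sub): a fresh account is created whether or not the
            # auth method is primary; only the *user* step below depends on that.
            acct = self.create_account(am, sub)
        user = self.lookup_user_with_login(acct.id)
        if user is not None:
            return user
        if self.primary.get(am.scope_id) != am.id:
            raise CallbackError(
                f"user not found for account {acct.id} and auth method is not "
                "primary for the scope so refusing to auto-create user")
        user = self.create_user()  # auto-created user has no name
        self.add_account(user.id, acct.id)
        return user
```

In this model a callback whose `(iss, sub)` pair matches no stored account always ends up with a fresh account; with a non-primary auth method that is exactly the "refusing to auto-create user" failure, and with a primary one it is a second, nameless user owning the new account. The check to make when an existing user is not picked up is therefore to compare the `issuer` and `subject` attributes shown by `boundary accounts read` for the pre-created account with the `iss` and `sub` in the token claims of the account the callback actually resolved to.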

@timm-e Is this still an issue, or was the recommendation provided above helpful? Thanks

psekar, Mar 11 '24 18:03