
Migration from LDAP to AAD - name is overwritten

Open · Breee opened this issue 2 years ago · 1 comment

I am currently trying to migrate a user from LDAP to AAD.

I've created an app registration and enterprise application in Azure and connected it to Sonar.

I'm using the approach proposed by Sonar to migrate my user user1, setting the external identity to [email protected] and the provider to aad:

curl -X POST -v  -u $SONAR_TOKEN: "https://sonar.example.com/api/users/update_identity_provider?login=user1&[email protected]&newExternalProvider=aad"

It works fine and I'm logged in as the same user as with LDAP; however, there is one issue:

The name of the user is overwritten to [email protected]:

sonar=# select uuid,login,name,email,external_id,external_login,external_identity_provider from users where name ~ 'user1';
         uuid         |   login   |        name         |        email        |     external_id     |   external_login    | external_identity_provider
----------------------+-----------+---------------------+---------------------+---------------------+---------------------+----------------------------
xxxxxxxx | user1 | [email protected] | [email protected] | [email protected] | [email protected] | aad

Which claim has to be set to set the name?

I tried to add given_name and family_name in the Azure app registration under "token configuration", but that does not change the behaviour.

I'm especially confused because Sonar's logs say the following:

2022.04.12 10:41:13 WARN  web[AYAbhuNUiurDLZObAA5q][o.a.a.a.AadIdentityProvider] User's name not found from authentication token for user <USER_ID>
2022.04.12 10:41:14 DEBUG web[AYAbhuNUiurDLZObAA5q][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@1269c42f6 pairs: 
{GET /v1.0/<TENANT>/users/<USER_ID>/transitiveMemberOf HTTP/1.1: null}
{Authorization: <TOKEN>} [....] 

but the token <TOKEN> used to fetch groups contains the fields name, given_name and family_name, which should be exactly what you are looking for in https://github.com/hkamel/sonar-auth-aad/blob/6789da6b92c1a77e53d78471114cf3bcd2d3c8a9/src/main/java/org/almrangers/auth/aad/AadIdentityProvider.java#L171

Breee, Apr 08 '22 13:04

So actually a different token was used to extract the name of the user.

Pull Request #130 fixes this issue for me. Can you take a look, @srvrguy?

Breee, Apr 13 '22 10:04
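As an added diagnostic example (not code from this issue or from sonar-auth-aad), the following Python script decodes the payload of each token involved in the sign-in and applies the name / given_name / family_name fallback the issue describes, so an administrator can see which token actually carries the name claims before changing the provider; the tokens, claim values and labels are constructed samples modelled on the thread.

```python
import base64
import json
from typing import Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: the
    signature is NOT verified, so use this for diagnosing claims, never
    for authentication or trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def display_name(claims: dict) -> Optional[str]:
    """Fallback an identity provider can apply: prefer 'name', otherwise build
    it from given_name/family_name, otherwise None ('User's name not found')."""
    if claims.get("name"):
        return claims["name"]
    full = " ".join(p for p in (claims.get("given_name"), claims.get("family_name")) if p)
    return full or None


def diagnose(tokens: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each labelled token to the display name its claims would yield."""
    return {label: display_name(jwt_claims(tok)) for label, tok in tokens.items()}


def _make_token(payload: dict) -> str:
    # Constructed, unsigned sample token (header + payload, empty signature)
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed samples: the Graph access token carries the name claims,
# while the token the provider inspected for the name does not.
SAMPLE_TOKENS = {
    "graph_access_token": _make_token({"oid": "<USER_ID>", "name": "User One",
                                       "given_name": "User", "family_name": "One"}),
    "token_used_for_name": _make_token({"oid": "<USER_ID>", "upn": "user1@example.com"}),
}

if __name__ == "__main__":
    for label, name in diagnose(SAMPLE_TOKENS).items():
        print(f"{label}: {name or 'name not found'}")
```

Point SAMPLE_TOKENS at the real id token and Graph access token captured from a sign-in to confirm which one the provider should read the name from.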