
login: nicer CERN SSO login behaviour when access is denied due to lesser LOA role #514

Open
tiborsimko opened this issue Jul 6, 2022 · 1 comment

Comments

@tiborsimko
Member

Current behaviour

When using CERN SSO, if a user authenticates successfully using Keycloak but their role is not among the ones required by the REANA application, the login succeeds but the user is then redirected to a page saying "Bad gateway".

(Example: we require CERN users or eduGAIN users, but the user authenticates via GitHub social accounts, which is of lesser Level of Assurance (LOA).)

This is because internally we get a reana-server rest-api container traceback of the form:

```
[2022-07-06 14:59:37,034] WARNING in cern_openid: User roles None are not one of ['cern_user', 'edugain_user']
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/invenio_oauthclient/contrib/cern_openid.py", line 313, in account_info_rest
    return _account_info(remote, resp)
  File "/usr/local/lib/python3.8/site-packages/invenio_oauthclient/contrib/cern_openid.py", line 276, in _account_info
    raise OAuthCERNRejectedAccountError(
invenio_oauthclient.errors.OAuthCERNRejectedAccountError: ("User roles None are not one of ['cern_user', 'edugain_user']", <flask_oauthlib.client.OAuthRemoteApp object at 0x7f8d6a9e7490>, ...

...

   raise OAuthCERNRejectedAccountError(
invenio_oauthclient.errors.OAuthCERNRejectedAccountError: ("User roles None are not one of ['cern_user', 'edugain_user']", <flask_oauthlib.client.OAuthRemoteApp object at 0x7f8d6a9e7490>,

...

  File "/usr/local/lib/python3.8/site-packages/blinker/base.py", line 266, in send
    return [(receiver, receiver(sender, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/blinker/base.py", line 266, in <listcomp>
    return [(receiver, receiver(sender, **kwargs))
  File "/code/./reana_server/utils.py", line 291, in _create_and_associate_oauth_user
    user_email = account_info["user"]["email"]
TypeError: 'Response' object is not subscriptable
```

i.e. the exception is not well handled.

Expected behaviour

The user should see a page saying something like

Sorry, you are not authorised to use `reana.cern.ch`.
If you think this is a mistake, please contact _REANA administrators_ .

with a mailto link showing how to contact humans.
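The failure mode above, reduced to a stand-alone reproduction with a defensive fix. This is an added example, not code from reana-server or invenio-oauthclient: the names `account_info`, `account_info_rest`, `ErrorResponse`, `create_and_associate_oauth_user_*`, `access_denied_page`, `login`, the `REQUIRED_ROLES` list and the `ADMIN_CONTACT` address are all assumptions standing in for the library and application pieces named in the traceback, and the two userinfo records are constructed sample input. It shows why the original receiver crashes (the role check raises, the REST layer turns that into a Response object, and the signal receiver subscripts it as if it were the account-info dict) and what a practitioner would want instead: a receiver that refuses anything but a well-formed dict, and a login path that renders the "not authorised" page with a mailto link when the identity provider authenticated the user but no required role was granted.

```python
"""Hypothetical reproduction of the 'Response object is not subscriptable'
login failure and a hardened version.  All names are assumptions, not the
real invenio-oauthclient / reana-server API."""

from dataclasses import dataclass
from typing import Any, Optional, Tuple

# Roles the application accepts; mirrors the list in the log line.
REQUIRED_ROLES = ["cern_user", "edugain_user"]
# Placeholder contact for the mailto link (assumption, not a real address).
ADMIN_CONTACT = "reana-admins@example.invalid"


class RejectedAccountError(Exception):
    """Stand-in for OAuthCERNRejectedAccountError: the IdP authenticated the
    user, but none of the roles required by the application was granted."""


@dataclass
class ErrorResponse:
    """Stand-in for the HTTP Response the REST handler hands back instead of
    the account-info dict once it has caught the rejection."""
    status: int
    body: str


def account_info(userinfo: dict) -> dict:
    """Stand-in for _account_info: enforce the role requirement."""
    roles = userinfo.get("cern_roles")  # None for e.g. a social-login account
    if not roles or not set(roles) & set(REQUIRED_ROLES):
        raise RejectedAccountError(
            f"User roles {roles} are not one of {REQUIRED_ROLES}")
    return {"user": {"email": userinfo["email"]}, "external_id": userinfo["sub"]}


def account_info_rest(userinfo: dict) -> Any:
    """Stand-in for account_info_rest: converts the rejection into a Response
    object, which downstream signal receivers still get called with."""
    try:
        return account_info(userinfo)
    except RejectedAccountError as exc:
        return ErrorResponse(403, str(exc))


def create_and_associate_oauth_user_buggy(info: Any) -> Optional[str]:
    """Shape of the original receiver: assumes a dict, so a Response object
    blows up with TypeError instead of a clean authorisation failure."""
    return info["user"]["email"]


def create_and_associate_oauth_user_fixed(info: Any) -> Optional[str]:
    """Hardened receiver: act only on a well-formed account-info dict and
    treat anything else (a Response, a partial dict) as 'no user to create'."""
    if not isinstance(info, dict):
        return None
    user = info.get("user")
    if not isinstance(user, dict):
        return None
    email = user.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email


def access_denied_page(hostname: str, contact: str) -> str:
    """The page the issue asks for: a clear denial plus a mailto link."""
    return (
        f"Sorry, you are not authorised to use {hostname}.\n"
        f"If you think this is a mistake, please contact "
        f'<a href="mailto:{contact}">REANA administrators</a>.'
    )


def login(userinfo: dict) -> Tuple[str, int]:
    """Login flow that distinguishes 'authenticated but not authorised' from
    a successful account association; never raises on a rejected account."""
    info = account_info_rest(userinfo)
    if isinstance(info, ErrorResponse):
        return access_denied_page("reana.cern.ch", ADMIN_CONTACT), 403
    email = create_and_associate_oauth_user_fixed(info)
    if email is None:
        return access_denied_page("reana.cern.ch", ADMIN_CONTACT), 403
    return f"Logged in as {email}", 200


# Constructed sample userinfo records (not real accounts).
CERN_USER = {"sub": "cern-0001", "email": "alice@cern.ch", "cern_roles": ["cern_user"]}
GITHUB_USER = {"sub": "gh-0002", "email": "bob@example.invalid", "cern_roles": None}

if __name__ == "__main__":
    print(login(CERN_USER))
    print(login(GITHUB_USER))
```

The point of the split between `login` and the receiver is that the receiver is the last line of defence: even if the REST layer is someday changed to return something other than an `ErrorResponse`, the receiver returns `None` for any non-dict rather than raising, so the worst case is a 403 page instead of a "Bad gateway".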

@tiborsimko
Member Author

Note: this is observed only when multiple rules are being set up at the OIDC Keycloak application rule side. Since it's not going to be the default way of deployment, this issue can sleep for much later.
