Hi,
Thank you for the plugin.
We have noticed with our OIDC provider (Jumpcloud) that the plugin fails in the case of the user being in only 1 group.
We tested with 2 groups called mlflow-sso and abcd.
When a user is added into both, no problem.
When a user is only added to abcd, then the plugin iterates over the group string and creates the groups a, b, c and d in the DB, which provokes several issues and ultimately makes it unusable.
The reason is as follows: in that case the jumpcloud ID token groups key contains a simple string and not a list.
Therefore the plugin code iterates over the string and fails.
See the content of the JWT in both cases:
{
"amr": [
"pwd",
"mfa"
],
"at_hash": "VYrtkqMLk0ASqblbtvb-FA",
"aud": [
"032df218-3723-479d-829b-d225436d94f5"
],
"auth_time": 1771948025,
"email": "<EDITED>",
"email_verified": true,
"exp": 1771951678,
"family_name": "<EDITED>",
"given_name": "<EDITED>",
"groups": "abcd",
"iat": 1771948078,
"iss": "https://oauth.id.jumpcloud.com/",
"jc_org": "634026d8813642516ecb23ba",
"jti": "9aea42f6-feca-483d-a3dd-2920baf63a9d",
"middle_name": "<EDITED>",
"name": "<EDITED>",
"nonce": "Y56OzNPq6DvCUOtCbcHZ",
"preferred_username": "<EDITED>",
"rat": 1771948003,
"sid": "873e4b66-4607-4e88-886b-a03f19e5c391",
"sub": "63bf1c13a9bcda0f36eb64e3"
}
{
"amr": [
"pwd",
"mfa"
],
"at_hash": "vUQQn6KNOo9Cjxw3YZCamg",
"aud": [
"032df218-3723-479d-829b-d225436d94f5"
],
"auth_time": 1771931283,
"email": "<EDITED>",
"email_verified": true,
"exp": 1771935248,
"family_name": "<EDITED>",
"given_name": "<EDITED>",
"groups": [
"mlflow-sso",
"abcd"
],
"iat": 1771931648,
"iss": "https://oauth.id.jumpcloud.com/",
"jc_org": "634026d8813642516ecb23ba",
"jti": "4b537586-b45a-4218-a36f-fab502df0e49",
"middle_name": "<EDITED>",
"name": "<EDITED>",
"nonce": "9HzVdRi7QkgrlHx5NOOr",
"preferred_username": "<EDITED>",
"rat": 1771931282,
"sid": "2962f641-8ba0-4227-98a9-0e10c739ef43",
"sub": "63bf1c13a9bcda0f36eb64e3"
}
See in particular how groups becomes a string in the 1 group case:
"groups": [
"mlflow-sso",
"abcd"
],
We were able to edit the code and fix it locally by assuming that this string case must be a single group and handling the edge case as follows:
routers/auth.py (line 414)
    else:
        user_groups = userinfo.get(config.OIDC_GROUPS_ATTRIBUTE, [])
        # ... Fix
        if isinstance(user_groups, str):
            user_groups = [user_groups]
        # ... End of fix
        logger.debug(f"User groups: {user_groups}")
Is this the right approach?
Can you accept a PR upstream?
.env used:
OIDC_GROUP_NAME="abcd,mlflow-sso"
OIDC_ADMIN_GROUP_NAME="abcd"
OIDC_SCOPE="openid profile email"
OIDC_PROVIDER_DISPLAY_NAME="Login with Jumpcloud"
OIDC_GROUPS_ATTRIBUTE="groups"
# Permission Configuration
DEFAULT_MLFLOW_PERMISSION="NO_PERMISSIONS"
DEFAULT_LANDING_PAGE_IS_PERMISSIONS="false"
AUTOMATIC_LOGIN_REDIRECT="false"
LOG_LEVEL="DEBUG"
PERMISSION_SOURCE_ORDER="group-regex,group,user,regex"
OIDC_DISCOVERY_URL=https://oauth.id.jumpcloud.com/.well-known/openid-configuration
OIDC_CLIENT_ID=<EDITED>
OIDC_CLIENT_SECRET=<EDITED>
OIDC_REDIRECT_URL=http://localhost:8080/callback
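The claim-shape problem described in this issue, as an added stand-alone example (not the plugin's own code and not the reporter's patch): a buggy reader that reproduces the a/b/c/d splitting, a normalizer that treats a bare string as a one-element group list and fails closed on any other type, and an access check modeled on the .env above. The claim dictionaries are constructed from the two redacted tokens in the report; the assumption that OIDC_GROUP_NAME is a comma-separated allow-list and OIDC_ADMIN_GROUP_NAME a comma-separated admin list is mine, not something the page states.

```python
from typing import Any

# Constructed sample claim sets, trimmed from the two JumpCloud ID tokens quoted above.
ONE_GROUP_CLAIMS = {"sub": "63bf1c13a9bcda0f36eb64e3", "groups": "abcd"}
TWO_GROUP_CLAIMS = {"sub": "63bf1c13a9bcda0f36eb64e3", "groups": ["mlflow-sso", "abcd"]}
NO_GROUP_CLAIMS = {"sub": "63bf1c13a9bcda0f36eb64e3"}


def buggy_groups(userinfo: dict[str, Any], attribute: str = "groups") -> list[str]:
    """Reproduces the reported behaviour: iterating over a str yields its characters,
    so "abcd" becomes ["a", "b", "c", "d"] and four bogus groups get created."""
    return [g for g in userinfo.get(attribute, [])]


def normalize_groups(userinfo: dict[str, Any], attribute: str = "groups") -> list[str]:
    """Return the groups claim as a de-duplicated list of non-empty strings.

    missing / None  -> []
    str             -> [str]   (single-group case JumpCloud emits)
    list of str     -> the list, blanks dropped
    anything else   -> ValueError, so a malformed token denies instead of guessing
    """
    raw = userinfo.get(attribute)
    if raw is None:
        return []
    if isinstance(raw, str):
        items: list[Any] = [raw]
    elif isinstance(raw, list):
        items = raw
    else:
        raise ValueError(f"unexpected type for {attribute!r} claim: {type(raw).__name__}")

    groups: list[str] = []
    for item in items:
        if not isinstance(item, str):
            raise ValueError(f"non-string entry in {attribute!r} claim: {item!r}")
        item = item.strip()
        if item and item not in groups:
            groups.append(item)
    return groups


def parse_env_group_list(value: str) -> list[str]:
    """Split a comma-separated .env value such as OIDC_GROUP_NAME="abcd,mlflow-sso".
    Assumption for this example: the variable is a comma-separated list."""
    return [g.strip() for g in value.split(",") if g.strip()]


def resolve_access(
    userinfo: dict[str, Any],
    oidc_group_name: str,
    oidc_admin_group_name: str,
    attribute: str = "groups",
) -> tuple[bool, bool]:
    """Return (allowed, admin) for the token, using exact whole-name matching
    against the configured group lists. Never matches on substrings/characters."""
    groups = set(normalize_groups(userinfo, attribute))
    allowed = bool(groups & set(parse_env_group_list(oidc_group_name)))
    admin = bool(groups & set(parse_env_group_list(oidc_admin_group_name)))
    return allowed, admin


if __name__ == "__main__":
    print("buggy one-group:", buggy_groups(ONE_GROUP_CLAIMS))
    print("fixed one-group:", normalize_groups(ONE_GROUP_CLAIMS))
    print("access:", resolve_access(ONE_GROUP_CLAIMS, "abcd,mlflow-sso", "abcd"))
```

Whole-name set intersection is the important property: with the buggy reader a user in "abcd" would never match the configured "abcd" group, and a single-character group such as "a" would be created as a side effect. Raising on unexpected claim types keeps an odd token from silently mapping to no groups or to the wrong ones.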