Handling of groups from an OIDC provider
Affected version
Version: 2.18.1
Platform: nginx+uwsgi
Summary
When using an OIDC provider as Auth + UserDB, I couldn't get groups to work. In my case, the OIDC provider is also a Lemonldap::NG instance. I've configured a "groups" claim containing a list of groups on the provider. This claim is correctly sent in the UserInfo endpoint. The "slave" Lemonldap::NG instance sees it, but just sets the groups session key as a stringified version of the array of groups. $hGroups remains empty, and groups are not usable.
Logs
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Request User Info on https://primary.local/oauth2/userinfo with access token XXXXXXX
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] UserInfo received: {"mail":"dani@local","cn":"Daniel Berteaud","groups":["Role_Unix","Role_Dev","Role_DB_Viewer","Administrators","Role_DB_Admin","Role_GED","Role_Mail","Role_Support_Admin","Role_PKI_User","Role_Infra_Admin","Denied RODC Password Replication Group","Domain Admins","Role_Vault","Role_Visio","Role_VPN","Role_FW_Admin","Role_Audit","Equipe","Role_Seafile","Role_PKI_Admin","Role_Monitoring","IT","Role_Support_User","Role_Virt","Role_CT_Admin","Role_Matrix"],"principal":"dani@local","uid":"dani","sub":"dani"}
[...]
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store 1704448287 in session key _lastAuthnUTime
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store HASH(0x65f8a60) in session key _loginHistory
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Dump: $VAR1 = {'successLogin' => [{'ipAddr' => '10.99.20.2','_utime' => '1704448211'},{'ipAddr' => '10.99.20.2','_utime' => '1704448149'},{'ipAddr' => '10.99.20.2','error' => -4,'_utime' => '1704443859'},{'ipAddr' => '10.99.20.2','_utime' => '1704443859'},{'_utime' => '1704443073','error' => -4,'ipAddr' => '10.99.20.2'},{'ipAddr' => '10.99.20.2','_utime' => '1704443073'},{'_utime' => '1704442587','ipAddr' => '10.99.20.2','error' => -4},{'ipAddr' => '10.99.20.2','_utime' => '1704442587'},{'ipAddr' => '10.99.20.2','_utime' => '1704378084'},{'ipAddr' => '10.99.20.2','_utime' => '1704377346'}],'failedLogin' => []};
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store ARRAY(0x6390dd0) in session key groups
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Dump: $VAR1 = ['Role_Unix','Role_Dev','Role_DB_Viewer','Administrators','Role_DB_Admin','Role_GED','Role_Mail','Role_Support_Admin','Role_PKI_User','Role_Infra_Admin','Denied RODC Password Replication Group','Domain Admins','Role_Vault','Role_Visio','Role_VPN','Role_FW_Admin','Role_Audit','Equipe','Role_Seafile','Role_PKI_Admin','Role_Monitoring','IT','Role_Support_User','Role_Virt','Role_CT_Admin','Role_Matrix'];
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store 20240105105011 in session key _updateTime
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store dani in session key _user
Screenshot of the resulting session on the slave Lemonldap::NG
Backends used
Primary (OIDC RP) Lemonldap::NG is running
- On almalinux 8
- With nginx (OpenResty) + llng-fastcgi-server
- Using AD (samba4) as AuthDB and UserDB
- Using MariaDB as configuration and session store
Slave Lemonldap::NG is running
- On almalinux 9 (Docker based on almalinux9)
- With nginx + uwsgi
- Using OIDC as AuthDB and Same as UserDB
- An OIDC provider has been configured pointing at the primary LL::NG portal
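The behaviour the summary asks for, shown as an added example that is not code from the Lemonldap::NG project: the UserInfo document from the log is decoded, a list-valued "groups" claim is flattened into the separator-joined string form a session expects instead of being stringified as a Perl reference, an hGroups-style map is built so that group rules can be evaluated, and the "Store ... in session key ..." debug lines are scanned for the symptom itself (a value that looks like ARRAY(0x...) or HASH(0x...)). Assumptions: "; " is the instance's multi-value separator, hGroups is keyed by group name, and _loginHistory is a key that legitimately holds a structure and is therefore ignored by the scanner.

```python
import json
import re

# Assumption: "; " is the multi-value separator configured on the instance.
MULTI_VALUES_SEPARATOR = "; "

# A Perl reference that was stringified instead of being flattened, which is
# what "Store ARRAY(0x6390dd0) in session key groups" in the report shows.
STRINGIFIED_REF = re.compile(r"^(ARRAY|HASH|CODE|SCALAR)\(0x[0-9a-f]+\)$")

# UserInfo payload from the report, shortened to a few groups (constructed subset).
USERINFO_JSON = (
    '{"mail":"dani@local","cn":"Daniel Berteaud",'
    '"groups":["Role_Unix","Role_Dev","Administrators","Domain Admins"],'
    '"principal":"dani@local","uid":"dani","sub":"dani"}'
)

# Three "Store ... in session key ..." lines taken from the report's log (constructed subset).
SAMPLE_LOG = [
    "[LLNG:40] [debug] Store 1704448287 in session key _lastAuthnUTime",
    "[LLNG:40] [debug] Store HASH(0x65f8a60) in session key _loginHistory",
    "[LLNG:40] [debug] Store ARRAY(0x6390dd0) in session key groups",
]


def flatten_claim(value):
    """Return a claim in the flat string form a session key should hold.
    Lists are joined with the multi-value separator; scalars become strings;
    nested objects are rejected rather than silently stringified."""
    if isinstance(value, list):
        return MULTI_VALUES_SEPARATOR.join(str(v) for v in value)
    if isinstance(value, dict):
        raise TypeError("nested object claims are not flattened here")
    return str(value)


def build_session(userinfo_json, groups_claim="groups"):
    """Turn a UserInfo JSON document into session keys, including a usable
    'groups' string and an 'hGroups' map (assumption: keyed by group name)."""
    claims = json.loads(userinfo_json)
    raw_groups = claims.get(groups_claim, [])
    if not isinstance(raw_groups, list):
        # The provider may already send a separator-joined string; split it back.
        raw_groups = [g for g in str(raw_groups).split(MULTI_VALUES_SEPARATOR) if g]
    session = {k: flatten_claim(v) for k, v in claims.items()}
    session["groups"] = MULTI_VALUES_SEPARATOR.join(raw_groups)
    # The provider only sends group names, so each group has no extra attributes.
    session["hGroups"] = {g: {} for g in raw_groups}
    return session


def in_group(session, group):
    """Equivalent of a rule such as $hGroups->{Administrators}: with an empty
    hGroups (the bug in the report) every such rule denies."""
    return group in session.get("hGroups", {})


def find_stringified_refs(log_lines, ignore=("_loginHistory",)):
    """Scan debug lines for session keys whose stored value is a stringified
    Perl reference. Keys in `ignore` are expected to hold structures."""
    store = re.compile(r"Store (\S+) in session key (\S+)")
    suspicious = {}
    for line in log_lines:
        m = store.search(line)
        if m and m.group(2) not in ignore and STRINGIFIED_REF.match(m.group(1)):
            suspicious[m.group(2)] = m.group(1)
    return suspicious


if __name__ == "__main__":
    s = build_session(USERINFO_JSON)
    print("groups  :", s["groups"])
    print("admin?  :", in_group(s, "Administrators"))
    print("suspect :", find_stringified_refs(SAMPLE_LOG))
```

Running the scanner over the full debug log of a failing login is a quick way to confirm the report's symptom on another instance: the only key it should flag is `groups`, since `_loginHistory` is a structure by design.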