OpenID connect issue after upgrade to 22.10.4

Hi,

Commenting line 72:

$this->username = $this->provider->getUserInformation()['email'];

in /usr/share/centreon/src/Core/Security/Authentication/Infrastructure/Provider/OpenId.php solves the issue on our platform (but i don’t know there are side effects)

Hello Matoy,

The workaround is working, thanks.

Regards,

Hi @matoy and @Bochi do you use “Introspection token endpoint” or “User information endpoint” to get user data?

Can you enable debug in “Administration > Parameters > Debug”, perform an authentication, then check in /var/log/centreon/login.log and/or /var/log/php-fpm/centreon-error.log if you receive all user’s information from your IdP?

Hi @Laurent,

I confirm that after enabling debug mode for authentification we have all informations from our IDP and that we don’t use “Introspection token endpoint” and we use “User information endpoint”

Hi @jdidierpichat so the claim defined to get email address is part of the “User information endpoint”?

As a string or as an object?

@Laurent I think object, but not sure to understand the question. We have set “/userinfo” for “User information endpoint” on authentification configuration. 

If you have a string, you will have something like {….,”email”:”user@domain.com”,...}

If you have n object, you will have something like {….,”email”:[“user@domain.com”],...}

Hey @Laurent , so we have both, string for personnal information and object for mapping of AD group  

So I don’t know why Centreon can’t extract email attribute.

Can you put logs here by replacint personal attributes ? (all the JSON answer for /userinfo endpoint.

2023-09-29 14:57:12|-1|0|0|[Openid] [Debug] User Information:  {"sub":"xxxx","name":"xxxx","locale":"xx","preferred_username":"xxx@xxx.com","given_name":"xxx","family_name":"xxx","zoneinfo":"xxx","updated_at":xxx,"groups":["ABC-OKTA","DEF-OKTA"]}

Hi @jdidierpichat In this answer I can’t see “email” field but “preferred_username” look like the email address of your users.

{
    "sub": "xxxx",
    "name": "xxxx",
    "locale": "xx",
    "preferred_username": "xxx@xxx.com",
    "given_name": "xxx",
    "family_name": "xxx",
    "zoneinfo": "xxx",
    "updated_at": "xxx",
    "groups": [
        "ABC-OKTA",
        "DEF-OKTA"
    ]
}

Do you configure “preferred_username” as value for “Email attribute path” in “Auto import users” section?

Hi @Laurent Exact 

We don’t have field for email maybe because we have comment the line 72 

$this->username = $this->provider->getUserInformation()['email'];

in /usr/share/centreon/src/Core/Security/Authentication/Infrastructure/Provider/OpenId.php ? 

Ok, if you use preferred_username as login and email address, Centreon must find value for your users and you don’t have to comment line 72.