Roles and other attributes are not shown in the UI despite being there #881

spantaleev · 2024-04-24T19:27:27Z

After logging in via Keycloak to OpenUnison, on the Home tab I see:

"USERNAME has no roles assigned"
On the left side there's only a "Login ID" attribute. None of the other attributes (names, email address, etc) are shown

Keycloak configuration

I have a groups mapper which looks like this:

My client app adds it to Client scopes as "Default", but OpenUnison is also configured to request the groups scope (see below) just in case.

I'm testing what the generated payload looks like in Keycloak via Clients -> openunison -> Client scopes -> Evaluate.
"Generated access token", "Generated ID token" and "Generated user info" all contain something like this:

{
  "sub": "...",
  "email_verified": true,
  "name": "Full Name",
  "groups": [
    "Kubernetes-Developer",
    "Kubernetes-SuperAdministrator"
  ],
  "preferred_username": "USERNAME",
  "given_name": "Full",
  "family_name": "Name",
  "email": "email@example.com"
}

OpenUnison configuration

# More stuff here..

oidc:
  client_id: openunison
  issuer: https://keycloak.DOMAIN/realms/REALM
  user_in_idtoken: true
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: preferred_username
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
  secrets: []
  html:
    prefix: openunison
  enable_provisioning: false
  az_groups: [Kubernetes-Developer, Kubernetes-SuperAdministrator]

The roles seem to be obtained correctly, because it lets me see the services (Kubernetes Dashboard and Kubernetes Tokens) and az_groups is being obeyed.

kubectl auth whoami shows:

ATTRIBUTE   VALUE
Username    USERNAME
Groups      [Kubernetes-Developer Kubernetes-SuperAdministrator system:authenticated]

Role bindings work as expected to grant access based on these groups (confirmed via Kubernetes Dashboard and kubectl).

So, the groups seem to be there somewhere, but.. It just doesn't seem like the UI shows them and the other attribute data (full name, email address, etc).

Logs

These are the logs for openunison-openunison related to logging in again with an existing user:

[2024-04-24 19:22:58,978][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - root-redirect - https://console.DOMAIN/ - uid=Anonymous,o=Tremolo - scale-redirect [10.233.64.12] - [f571634fbb597607cd03f478de157888b5cfdec59]
[2024-04-24 19:23:02,243][Thread-14] INFO  K8sWatcher - Resource 14599591 already processed, skipping
[2024-04-24 19:23:03,116][Thread-10] INFO  K8sWatcher - Resource 14601193 already processed, skipping
[2024-04-24 19:23:03,335][Thread-11] INFO  K8sWatcher - Resource 14599469 already processed, skipping
[2024-04-24 19:23:03,440][Thread-15] INFO  K8sWatcher - Resource 14600783 already processed, skipping
[2024-04-24 19:23:03,763][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - k8sidp - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - uid=Anonymous,o=Tremolo - NONE [127.0.0.1] - [f46e76887334abe2245839a2152b13ed221868a85]
[2024-04-24 19:23:03,773][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - k8sidp - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - uid=Anonymous,o=Tremolo - NONE [127.0.0.1] - [fe2f081bda33b3730c99c60c6e3414b920a93c56b]
[2024-04-24 19:23:03,841][Thread-8] INFO  K8sWatcher - Resource 14600137 already processed, skipping
[2024-04-24 19:23:04,472][Thread-12] INFO  K8sWatcher - Resource 14600506 already processed, skipping
[2024-04-24 19:23:05,031][Thread-13] INFO  K8sWatcher - Resource 14600200 already processed, skipping
[2024-04-24 19:23:05,383][XNIO-1 task-2] INFO  AccessLog - SRCH op=8 con=7 base='o=Tremolo' filter='(uid=USERNAME)' scope='2' attribs=''
[2024-04-24 19:23:05,404][XNIO-1 task-2] INFO  AccessLog - RESULT op=8 con=7 result=0 time=21
[2024-04-24 19:23:05,404][XNIO-1 task-2] INFO  AccessLog - SRCH-RESULT op=8 con=7 entries=1 time=21
[2024-04-24 19:23:05,405][XNIO-1 task-2] INFO  AccessLog - SRCH-RESULT op=8 con=7 entries=1 time=22
[2024-04-24 19:23:05,406][XNIO-1 task-2] INFO  AccessLog - SRCH op=9 con=8 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,436][XNIO-1 task-2] INFO  AccessLog - RESULT op=9 con=8 result=0 time=30
[2024-04-24 19:23:05,438][XNIO-1 task-2] INFO  AccessLog - SRCH-RESULT op=9 con=8 entries=1 time=32
[2024-04-24 19:23:05,456][XNIO-1 task-2] INFO  AccessLog - SRCH op=10 con=9 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,490][XNIO-1 task-2] INFO  AccessLog - RESULT op=10 con=9 result=0 time=34
[2024-04-24 19:23:05,491][XNIO-1 task-2] INFO  AccessLog - SRCH-RESULT op=10 con=9 entries=1 time=34
[2024-04-24 19:23:05,495][XNIO-1 task-2] INFO  AccessLog - SRCH op=11 con=10 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,538][XNIO-1 task-2] INFO  AccessLog - RESULT op=11 con=10 result=0 time=43
[2024-04-24 19:23:05,546][XNIO-1 task-2] INFO  AccessLog - SRCH-RESULT op=11 con=10 entries=1 time=51
[2024-04-24 19:23:05,558][XNIO-1 task-2] INFO  AccessLog - SRCH op=12 con=11 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,595][XNIO-1 task-2] INFO  AccessLog - RESULT op=12 con=11 result=0 time=37
[2024-04-24 19:23:05,596][XNIO-1 task-2] INFO  AccessLog - SRCH-RESULT op=12 con=11 entries=1 time=38
[2024-04-24 19:23:05,626][XNIO-1 task-2] INFO  OpenShiftTarget - DR Queues Size : 0
[2024-04-24 19:23:05,630][XNIO-1 task-2] INFO  AccessLog - [AuSuccess] - completelogin - https://console.DOMAIN/auth/oidc - uid=USERNAME,ou=shadow,o=Tremolo - 20 / enterprise-idp [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:05,944][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - completelogin - https://console.DOMAIN/login/auth - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,261][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/ - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,648][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/bootstrap.min.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,653][XNIO-1 task-6] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/less.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,858][XNIO-1 task-6] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/angular.treeview.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,864][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/unison.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,887][XNIO-1 task-4] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/tree-control.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,889][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/calendar.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,894][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/underscore-min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,910][XNIO-1 task-7] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/font-awesome.min.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,914][XNIO-1 task-5] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/moment.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,055][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/logos/logo-mobile.png - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,067][XNIO-1 task-5] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/logos/logo-desktop.png - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,142][XNIO-1 task-5] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/calendar.less - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,155][XNIO-1 task-7] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/jquery.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,165][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/bootstrap.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,174][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/angular.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,501][XNIO-1 task-7] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/fonts/fontawesome-webfont.woff2 - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,514][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/scale.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,520][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/angular-tree-control.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,867][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale-session-check - https://console.DOMAIN/scale/sessioncheck - uid=Anonymous,o=Tremolo - NONE [10.233.64.12] - [f06aca06fc5214c679fe04741e52a5ca6da021f5a]
[2024-04-24 19:23:08,885][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/templates/calendar.html - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,901][XNIO-1 task-7] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/config - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,218][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/user - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,220][XNIO-1 task-8] INFO  AccessLog - SRCH op=13 con=12 base='o=Tremolo' filter='(uniqueMember=uid=USERNAME,ou=shadow,o=Tremolo)' scope='2' attribs='cn '
[2024-04-24 19:23:09,239][XNIO-1 task-8] WARN  OpenShiftTarget - Unexpected result calling 'https://kubernetes.default.svc/apis/openunison.tremolo.io/v1/namespaces/openunison/users/null' - 404 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"users.openunison.tremolo.io \"null\" not found","reason":"NotFound","details":{"name":"null","group":"openunison.tremolo.io","kind":"users"},"code":404}

[2024-04-24 19:23:09,241][XNIO-1 task-8] INFO  AccessLog - RESULT op=13 con=12 result=0 time=22
[2024-04-24 19:23:09,242][XNIO-1 task-8] INFO  AccessLog - SRCH-RESULT op=13 con=12 entries=0 time=23
[2024-04-24 19:23:09,243][XNIO-1 task-8] INFO  AccessLog - SRCH-RESULT op=13 con=12 entries=0 time=24
[2024-04-24 19:23:09,612][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/orgs - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,945][XNIO-1 task-8] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/workflows/org/B158BD40-0C1B-11E3-8FFD-0800200C9A66 - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,958][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/urls - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,961][XNIO-1 task-7] INFO  AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/reports/org/B158BD40-0C1B-11E3-8FFD-0800200C9A66 - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:10,518][Thread-21] WARN  SessionManagerImpl - Clearing 2 sessions
[2024-04-24 19:23:13,098][Thread-20] INFO  K8sWatcher - Resource 14599285 already processed, skipping

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Roles and other attributes are not shown in the UI despite being there #881

Roles and other attributes are not shown in the UI despite being there #881

spantaleev commented Apr 24, 2024

Roles and other attributes are not shown in the UI despite being there #881

Roles and other attributes are not shown in the UI despite being there #881

Comments

spantaleev commented Apr 24, 2024

Keycloak configuration

OpenUnison configuration

Logs