Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Server does not start if users contain unknown claims #3053

Closed
kjvalencik opened this issue Oct 3, 2019 · 0 comments
Closed

Server does not start if users contain unknown claims #3053

kjvalencik opened this issue Oct 3, 2019 · 0 comments
Labels
sso Used for single sign on related tasks.
Milestone
4.3 "Oceanside"

Comments

@kjvalencik
Copy link

kjvalencik commented Oct 3, 2019
edited
Loading

What happened:

A rule was added on an Auth0 connection to add a custom claim to tokens. An OIDC connection was used for external storage of Teleport users. Afterwards, teleport server crashed and would not start until the users were manually deleted from DynamoDB.

What you expected to happen:

Log entries about the unknown claim (possibly refuse login), but teleport server to continue to operate normally.

How to reproduce it (as minimally and precisely as possible):

Login on an OIDC connection with a custom claim. E.g, "http://example.com/permissions": "read write"

Environment:

  • Teleport version (use teleport version): 3.2.4, 3.2.13, 4.1.0
  • Tsh version (use tsh version): N/A
  • OS (e.g. from /etc/os-release): docker

Browser environment

N/A

  • Browser Version (for UI-related issues):
  • Install tools:
  • Others:

Relevant Debug Logs If Applicable

teleport-5d6647b4ff-ffrh6 teleport ERROR REPORT:
teleport-5d6647b4ff-ffrh6 teleport Original Error: *trace.BadParameterError failed to validate: https://tools;example;com/user_permissions: Additional property https://tools;example;com/user_permissions is not allowed
teleport-5d6647b4ff-ffrh6 teleport Stack Trace:
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/services/user.go:628 github.com/gravitational/teleport/lib/services.(*TeleportUserMarshaler).UnmarshalUser
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/services/local/users.go:119 github.com/gravitational/teleport/lib/services/local.(*IdentityService).GetUser
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/services/local/users.go:68 github.com/gravitational/teleport/lib/services/local.(*IdentityService).GetUsers
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/auth/init.go:464 github.com/gravitational/teleport/lib/auth.migrateUsers
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/auth/init.go:405 github.com/gravitational/teleport/lib/auth.migrateLegacyResources
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/auth/init.go:389 github.com/gravitational/teleport/lib/auth.Init
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/service/service.go:900 github.com/gravitational/teleport/lib/service.(*TeleportProcess).initAuthService
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/service/service.go:602 github.com/gravitational/teleport/lib/service.NewTeleport
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/e/lib/pro/process.go:41 github.com/gravitational/teleport/e/lib/pro.NewTeleport
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/e/tool/teleport/main.go:35 main.run.func1
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/lib/service/service.go:372 github.com/gravitational/teleport/lib/service.Run
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/e/tool/teleport/main.go:43 main.run
teleport-5d6647b4ff-ffrh6 teleport     /gopath/src/github.com/gravitational/teleport/e/tool/teleport/main.go:27 main.main
teleport-5d6647b4ff-ffrh6 teleport     /opt/go/src/runtime/proc.go:210 runtime.main
teleport-5d6647b4ff-ffrh6 teleport     /opt/go/src/runtime/asm_amd64.s:1334 runtime.goexit
teleport-5d6647b4ff-ffrh6 teleport User Message: failed to validate: https://tools;example;com/user_permissions: Additional property https://tools;example;com/user_permissions is not allowed, initialization failed
@klizhentas klizhentas added this to the 4.2 "Alameda" milestone Oct 3, 2019
@benarent benarent added the sso Used for single sign on related tasks. label Nov 1, 2019
klizhentas added a commit that referenced this issue Dec 10, 2019
@klizhentas
Relax restrictive traits schema, fixes #3053
9c75b83 
This commit relaxes restriction on traits names
that breaks OIDC claims using URL format or @ symbols.
russjones pushed a commit that referenced this issue Dec 10, 2019
@klizhentas @russjones
Relax restrictive traits schema, fixes #3053
94f5147 
This commit relaxes restriction on traits names
that breaks OIDC claims using URL format or @ symbols.
russjones pushed a commit that referenced this issue Dec 10, 2019
@klizhentas @russjones
Relax restrictive traits schema, fixes #3053
f4dc9b0 
This commit relaxes restriction on traits names
that breaks OIDC claims using URL format or @ symbols.
russjones pushed a commit that referenced this issue Dec 10, 2019
@klizhentas @russjones
Relax restrictive traits schema, fixes #3053
b21286c 
This commit relaxes restriction on traits names
that breaks OIDC claims using URL format or @ symbols.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
sso Used for single sign on related tasks.
Projects
None yet
Milestone
4.3 "Oceanside"
Development

No branches or pull requests
4 participants
@klizhentas @benarent @kjvalencik @russjones