This issue has been created
 
 
OpenId Connect / OIDC-179 Open

Cannot login when the user is a member of too many groups

 

 
Daniel Beland created this issue on 04/Jun/24 20:39
 
Summary: Cannot login when the user is a member of too many groups
Issue Type: Bug
Affects Versions: 2.8.7
Assignee: Unassigned
Created: 04/Jun/24 20:39
Priority: Major
Reporter: Daniel Beland
Description:

We use Keycloak as our OIDC provider and to retrieve the user's groups we enable the standard Keycloak scope "microprofile-jwt".

 

All was fine until a few users couldn't log in and had the following error:

org.xwiki.contrib.oidc.provider.internal.OIDCException: Failed to get user info:null
	org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.getUserInfo(OIDCUserManager.java:194)
	org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:242)
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
	org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
	org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
	org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111) 

We narrowed down the problem to the user being a member of too many groups (around 200), which are included in the access token. I suspect the number of groups itself is not the real problem, but that the token is persisted and the field is not big enough to accommodate the value.

 

The work-around has been to create our own scope in Keycloak to include the user's groups only on the user info token, which is enough to enable group mapping with XWiki groups.
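
Added example (not part of the original report and not XWiki or Keycloak code): a small Python diagnostic that decodes a JWT payload without verifying it and reports how many bytes each claim contributes, so an oversized groups claim in an access token is easy to spot. The issuer URL, claim layout and the 200 group names are constructed sample values; the helper names are hypothetical.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) used only for size measurement."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature (inspection only)."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def claim_sizes(token: str) -> dict:
    """Return the bytes of compact JSON contributed by each claim, largest first."""
    claims = decode_payload(token)
    sizes = {
        name: len(json.dumps({name: value}, separators=(",", ":")).encode()) - 2
        for name, value in claims.items()
    }
    return dict(sorted(sizes.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample: 200 hypothetical group paths, matching the report's "around 200".
GROUPS = [f"/departments/team-{i:03d}" for i in range(200)]
BASE = {"iss": "https://idp.example/realms/demo", "sub": "user-1",
        "aud": "xwiki", "exp": 1717533540}
WITH_GROUPS = make_unsigned_jwt({**BASE, "groups": GROUPS})
# Same token once the groups are delivered only in the user info response.
WITHOUT_GROUPS = make_unsigned_jwt(BASE)

if __name__ == "__main__":
    for name, size in claim_sizes(WITH_GROUPS).items():
        print(f"{name:8} {size:6} bytes")
    print("access token with groups:   ", len(WITH_GROUPS), "chars")
    print("access token without groups:", len(WITHOUT_GROUPS), "chars")
```

Running `claim_sizes` on a real access token from the affected login, and comparing the total length against the size of whatever column or cookie stores it, shows whether the groups claim is what pushes the token over the limit.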