Description
After logging in via Keycloak to OpenUnison, on the Home tab I see:
- "USERNAME has no roles assigned"
- On the left side there's only a "Login ID" attribute. None of the other attributes (names, email address, etc) are shown
Keycloak configuration
I have a groups mapper which looks like this:
My client app adds it to Client scopes as "Default", but OpenUnison is also configured to request the groups scope (see below) just in case.
I'm testing what the generated payload looks like in Keycloak via Clients -> openunison -> Client scopes -> Evaluate.
"Generated access token", "Generated ID token" and "Generated user info" all contain something like this:
{
  "sub": "...",
  "email_verified": true,
  "name": "Full Name",
  "groups": [
    "Kubernetes-Developer",
    "Kubernetes-SuperAdministrator"
  ],
  "preferred_username": "USERNAME",
  "given_name": "Full",
  "family_name": "Name",
  "email": "[email protected]"
}
OpenUnison configuration
# More stuff here..
oidc:
  client_id: openunison
  issuer: https://keycloak.DOMAIN/realms/REALM
  user_in_idtoken: true
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: preferred_username
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups
openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
  secrets: []
  html:
    prefix: openunison
  enable_provisioning: false
  az_groups: [Kubernetes-Developer, Kubernetes-SuperAdministrator]
The roles seem to be obtained correctly, because it lets me see the services (Kubernetes Dashboard and Kubernetes Tokens) and az_groups is being obeyed.
kubectl auth whoami shows:
ATTRIBUTE VALUE
Username USERNAME
Groups [Kubernetes-Developer Kubernetes-SuperAdministrator system:authenticated]
Role bindings work as expected to grant access based on these groups (confirmed via Kubernetes Dashboard and kubectl).
So, the groups seem to be there somewhere, but it just doesn't seem like the UI shows them or the other attribute data (full name, email address, etc.).
Logs
These are the logs for openunison-openunison related to logging in again with an existing user:
[2024-04-24 19:22:58,978][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - root-redirect - https://console.DOMAIN/ - uid=Anonymous,o=Tremolo - scale-redirect [10.233.64.12] - [f571634fbb597607cd03f478de157888b5cfdec59]
[2024-04-24 19:23:02,243][Thread-14] INFO K8sWatcher - Resource 14599591 already processed, skipping
[2024-04-24 19:23:03,116][Thread-10] INFO K8sWatcher - Resource 14601193 already processed, skipping
[2024-04-24 19:23:03,335][Thread-11] INFO K8sWatcher - Resource 14599469 already processed, skipping
[2024-04-24 19:23:03,440][Thread-15] INFO K8sWatcher - Resource 14600783 already processed, skipping
[2024-04-24 19:23:03,763][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - k8sidp - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - uid=Anonymous,o=Tremolo - NONE [127.0.0.1] - [f46e76887334abe2245839a2152b13ed221868a85]
[2024-04-24 19:23:03,773][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - k8sidp - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - uid=Anonymous,o=Tremolo - NONE [127.0.0.1] - [fe2f081bda33b3730c99c60c6e3414b920a93c56b]
[2024-04-24 19:23:03,841][Thread-8] INFO K8sWatcher - Resource 14600137 already processed, skipping
[2024-04-24 19:23:04,472][Thread-12] INFO K8sWatcher - Resource 14600506 already processed, skipping
[2024-04-24 19:23:05,031][Thread-13] INFO K8sWatcher - Resource 14600200 already processed, skipping
[2024-04-24 19:23:05,383][XNIO-1 task-2] INFO AccessLog - SRCH op=8 con=7 base='o=Tremolo' filter='(uid=USERNAME)' scope='2' attribs=''
[2024-04-24 19:23:05,404][XNIO-1 task-2] INFO AccessLog - RESULT op=8 con=7 result=0 time=21
[2024-04-24 19:23:05,404][XNIO-1 task-2] INFO AccessLog - SRCH-RESULT op=8 con=7 entries=1 time=21
[2024-04-24 19:23:05,405][XNIO-1 task-2] INFO AccessLog - SRCH-RESULT op=8 con=7 entries=1 time=22
[2024-04-24 19:23:05,406][XNIO-1 task-2] INFO AccessLog - SRCH op=9 con=8 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,436][XNIO-1 task-2] INFO AccessLog - RESULT op=9 con=8 result=0 time=30
[2024-04-24 19:23:05,438][XNIO-1 task-2] INFO AccessLog - SRCH-RESULT op=9 con=8 entries=1 time=32
[2024-04-24 19:23:05,456][XNIO-1 task-2] INFO AccessLog - SRCH op=10 con=9 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,490][XNIO-1 task-2] INFO AccessLog - RESULT op=10 con=9 result=0 time=34
[2024-04-24 19:23:05,491][XNIO-1 task-2] INFO AccessLog - SRCH-RESULT op=10 con=9 entries=1 time=34
[2024-04-24 19:23:05,495][XNIO-1 task-2] INFO AccessLog - SRCH op=11 con=10 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,538][XNIO-1 task-2] INFO AccessLog - RESULT op=11 con=10 result=0 time=43
[2024-04-24 19:23:05,546][XNIO-1 task-2] INFO AccessLog - SRCH-RESULT op=11 con=10 entries=1 time=51
[2024-04-24 19:23:05,558][XNIO-1 task-2] INFO AccessLog - SRCH op=12 con=11 base='uid=USERNAME,ou=shadow,o=Tremolo' filter='(objectClass=*)' scope='0' attribs=''
[2024-04-24 19:23:05,595][XNIO-1 task-2] INFO AccessLog - RESULT op=12 con=11 result=0 time=37
[2024-04-24 19:23:05,596][XNIO-1 task-2] INFO AccessLog - SRCH-RESULT op=12 con=11 entries=1 time=38
[2024-04-24 19:23:05,626][XNIO-1 task-2] INFO OpenShiftTarget - DR Queues Size : 0
[2024-04-24 19:23:05,630][XNIO-1 task-2] INFO AccessLog - [AuSuccess] - completelogin - https://console.DOMAIN/auth/oidc - uid=USERNAME,ou=shadow,o=Tremolo - 20 / enterprise-idp [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:05,944][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - completelogin - https://console.DOMAIN/login/auth - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,261][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/ - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,648][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/bootstrap.min.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,653][XNIO-1 task-6] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/less.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,858][XNIO-1 task-6] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/angular.treeview.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,864][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/unison.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,887][XNIO-1 task-4] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/tree-control.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,889][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/calendar.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,894][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/underscore-min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,910][XNIO-1 task-7] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/font-awesome.min.css - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:06,914][XNIO-1 task-5] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/moment.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,055][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/logos/logo-mobile.png - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,067][XNIO-1 task-5] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/logos/logo-desktop.png - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,142][XNIO-1 task-5] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/css/calendar.less - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,155][XNIO-1 task-7] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/jquery.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,165][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/bootstrap.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,174][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/angular.min.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,501][XNIO-1 task-7] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/fonts/fontawesome-webfont.woff2 - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,514][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/scale.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,520][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/js/angular-tree-control.js - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,867][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale-session-check - https://console.DOMAIN/scale/sessioncheck - uid=Anonymous,o=Tremolo - NONE [10.233.64.12] - [f06aca06fc5214c679fe04741e52a5ca6da021f5a]
[2024-04-24 19:23:08,885][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/templates/calendar.html - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:08,901][XNIO-1 task-7] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/config - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,218][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/user - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,220][XNIO-1 task-8] INFO AccessLog - SRCH op=13 con=12 base='o=Tremolo' filter='(uniqueMember=uid=USERNAME,ou=shadow,o=Tremolo)' scope='2' attribs='cn '
[2024-04-24 19:23:09,239][XNIO-1 task-8] WARN OpenShiftTarget - Unexpected result calling 'https://kubernetes.default.svc/apis/openunison.tremolo.io/v1/namespaces/openunison/users/null' - 404 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"users.openunison.tremolo.io \"null\" not found","reason":"NotFound","details":{"name":"null","group":"openunison.tremolo.io","kind":"users"},"code":404}
[2024-04-24 19:23:09,241][XNIO-1 task-8] INFO AccessLog - RESULT op=13 con=12 result=0 time=22
[2024-04-24 19:23:09,242][XNIO-1 task-8] INFO AccessLog - SRCH-RESULT op=13 con=12 entries=0 time=23
[2024-04-24 19:23:09,243][XNIO-1 task-8] INFO AccessLog - SRCH-RESULT op=13 con=12 entries=0 time=24
[2024-04-24 19:23:09,612][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/orgs - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,945][XNIO-1 task-8] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/workflows/org/B158BD40-0C1B-11E3-8FFD-0800200C9A66 - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,958][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/urls - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:09,961][XNIO-1 task-7] INFO AccessLog - [AzSuccess] - scale - https://console.DOMAIN/scale/main/reports/org/B158BD40-0C1B-11E3-8FFD-0800200C9A66 - uid=USERNAME,ou=shadow,o=Tremolo - NONE [10.233.64.12] - [fbb5d7739c2409784a04f438555ef3c0919bafacf]
[2024-04-24 19:23:10,518][Thread-21] WARN SessionManagerImpl - Clearing 2 sessions
[2024-04-24 19:23:13,098][Thread-20] INFO K8sWatcher - Resource 14599285 already processed, skipping
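One way to sanity-check the claims map from the values.yaml above against the token Keycloak's Evaluate tab produces, as an added example that is not OpenUnison's own code: it reports which configured attributes resolve from the token, which come back absent or empty, and which az_groups entries the user's groups claim satisfies. The sample payload and the function names are constructed for this example.

```python
"""Check the oidc.claims map from the issue against a token payload taken from
Keycloak's Clients -> openunison -> Client scopes -> Evaluate tab.
Added example; not part of OpenUnison. Function names are hypothetical."""
import json

# The claims map and az_groups from the values.yaml in the issue.
CLAIMS = {
    "sub": "preferred_username",
    "email": "email",
    "given_name": "given_name",
    "family_name": "family_name",
    "display_name": "name",
    "groups": "groups",
}
AZ_GROUPS = ["Kubernetes-Developer", "Kubernetes-SuperAdministrator"]

# Constructed sample payload shaped like the one pasted in the issue.
SAMPLE_TOKEN = json.loads("""{
  "sub": "1234-abcd", "email_verified": true, "name": "Full Name",
  "groups": ["Kubernetes-Developer", "Kubernetes-SuperAdministrator"],
  "preferred_username": "USERNAME", "given_name": "Full",
  "family_name": "Name", "email": "username@example.invalid"
}""")

def resolve_claims(claims_map, token):
    """Map each OpenUnison attribute to the value of its source claim.
    Returns (resolved, missing); an attribute is 'missing' when its
    source claim is absent or empty in the token."""
    resolved, missing = {}, []
    for attr, claim in claims_map.items():
        value = token.get(claim)
        if value in (None, "", []):
            missing.append(attr)
        else:
            resolved[attr] = value
    return resolved, missing

def matched_az_groups(token, az_groups, groups_claim="groups"):
    """Entries of az_groups present in the token's groups claim."""
    token_groups = token.get(groups_claim, [])
    if isinstance(token_groups, str):  # a single group may arrive as a string
        token_groups = [token_groups]
    return [g for g in az_groups if g in token_groups]

if __name__ == "__main__":
    found, lost = resolve_claims(CLAIMS, SAMPLE_TOKEN)
    print("resolved:", found, "\nmissing:", lost)
    print("az_groups matched:", matched_az_groups(SAMPLE_TOKEN, AZ_GROUPS))
```

Paste the JSON from the Evaluate tab in place of the constructed payload to see which OpenUnison attributes the real token actually feeds.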