OIDC SSO failing for service UI

I’ve configured external authentication using OpenID Connect according to the user reference guide. While I can log in and use the administrative UI without any problems, the service UI login fails with the following message:

Login failed, invalid access token. (Failed to Authenticate with JWT - error Authentication failed)

I then set :debug: to true in the advanced settings to increase log verbosity and noticed that the “X-REMOTE-USER-GROUPS” request header is empty when attempting to log in to the service UI. This then leads to another error:

[…] unable to match user’s group membership to an EVM role

Does anyone have an idea how to fix this? Also let me know if I can provide additional log output or configs for troubleshooting.


Appliance Version: kasparov-1.20210203001902_15acbea
OIDC Provider: Keycloak 3.4.1.Final

Here is the section of the logs containing the error:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Api::AuthController.log_request) API Request:    {:requested_at=>"2021-03-31 09:10:11 UTC", :method=>"GET", :url=>"https://selfservice.mydomain/api/auth?requester_type=ui"}
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) authenticate(username=cjlvu, options={:require_user=>true, :timeout=>30})
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- Success: MIQ(Base.audit_success) userid: [cjlvu] - User cjlvu successfully validated by External httpd
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: <AuditSuccess> MIQ(Base.audit_success) userid: [cjlvu] - User cjlvu successfully validated by External httpd
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) authorize_queue(username=cjlvu, options={:require_user=>true, :timeout=>30, :authorize_only=>false})
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) user_details_from_headers(username=cjlvu)
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) External-Auth remote user request.headers:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER            = "cjlvu"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FIRSTNAME  = "Cyrill"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-LASTNAME   = "lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FULLNAME   = "Cyrill lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FIRSTNAME  = "Cyrill"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-LASTNAME   = "lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FULLNAME   = "Cyrill lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-EMAIL      = "cyrill.lastname@mydomain"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-DOMAIN     = ""
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-GROUPS     = ""
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) authorize_queue user details:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   username     = cjlvu
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   fullname     = Cyrill lastname
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   firstname    = Cyrill
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   lastname     = lastname
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   email        = cyrill.vonuslar@mydomain
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   domain       =
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   groups       =
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(MiqTask#update_status) Task: [182] [Active] [Ok] [Authorizing]
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- manageiq: MIQ(Authenticator::Httpd#authorize) Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- Failure: MIQ(Base.audit_failure) userid: [cjlvu] - Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- manageiq: <AuditFailure> MIQ(Base.audit_failure) userid: [cjlvu] - Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(MiqQueue.put) Message id: [30086],  id: [], Zone: [default], Role: [], Server: [], MiqTask id: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [MiqEvent.raise_evm_event], Timeout: [600], Priority: [100], State: [ready], Deliver On: [], Data: [], Args: [["MiqServer", 1], "login_failed", {:event=>"authorize", :userid=>"cjlvu", :message=>"Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role"}]
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- Success: MIQ(Base.audit_success) userid: [cjlvu] - Authentication successful for user cjlvu
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: <AuditSuccess> MIQ(Base.audit_success) userid: [cjlvu] - Authentication successful for user cjlvu
Mar 31 05:10:11 selfservice manageiq[2546]: ERROR -- manageiq: MIQ(Api::AuthController.rescue in require_api_user_or_token) AuthenticationError: Failed to Authenticate with JWT - error Authentication failed
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Api::AuthController.log_request) Response:       {:completed_at=>"2021-03-31 09:10:11 UTC", :size=>"0.174 KBytes", :time_taken=>"0.108 Seconds", :status=>401}
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: Filter chain halted as :require_api_user_or_token rendered or redirected
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: Completed 401 Unauthorized in 109ms (Views: 0.1ms | ActiveRecord: 62.6ms)

I’m still looking for a solution to this issue and would appreciate any pointers. Thx!

I followed the doc by the book and had the same error.

To solve this, I had to change, at least, the “Add to access token” flag to ON in the groups mapper:

| Name   | Consent Required | Mapper Type      | Token Claim Name | Full group path | Add to ID token | Add to access token | Add to userinfo |
|--------|------------------|------------------|------------------|-----------------|-----------------|---------------------|-----------------|
| groups | OFF              | Group Membership | groups           | OFF             | ON              | ON                  | ON              |

As you can see, I’ve also activated the “Add to userinfo” flag. But I’m not sure it’s necessary.

Regards,

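The log in the question shows the service UI authenticating to the API with a JWT, so a group claim that is only in the ID token never reaches the X-REMOTE-USER-GROUPS header, which is why the mapper's "Add to access token" flag matters. The following Ruby example is added here and is not ManageIQ's or Keycloak's code: it issues constructed HS256 tokens with the mapper OFF and ON, verifies the signature before reading claims, and replays the header-to-role step that fails in the log. The demo secret, the ',' header separator and the group-to-role map are assumptions.

```ruby
require 'json'
require 'base64'
require 'openssl'
# Constructed demo secret and group-to-role map (assumptions); Keycloak issues RS256
# tokens that are verified against the provider's JWKS, not a shared secret.
DEMO_SECRET = 'constructed-demo-secret'.freeze
GROUP_TO_ROLE = { 'EvmGroup-administrator' => 'EvmRole-administrator' }.freeze
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end
# Constant-time comparison so the signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Issue a constructed HS256 JWT for a claims hash (demo only).
def issue_token(claims, secret = DEMO_SECRET)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate(claims))
  sig     = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  "#{header}.#{payload}.#{sig}"
end

# Verify the signature before trusting any claim; raises on a tampered or foreign token.
def verify_and_decode(token, secret = DEMO_SECRET)
  header, payload, sig = token.split('.')
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  raise 'bad signature' unless secure_equal?(expected, sig.to_s)
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# X-REMOTE-USER-GROUPS as the httpd OIDC layer would build it from the "groups" claim;
# with "Full group path" OFF these are bare names, and ',' as separator is an assumption.
def remote_user_groups_header(claims)
  Array(claims['groups']).join(',')
end

# The failing step from the log: an empty header can match no EVM role.
def match_evm_role(groups_header, group_to_role = GROUP_TO_ROLE)
  groups_header.split(',').reject(&:empty?).map { |g| group_to_role[g] }.compact.first
end

if __FILE__ == $PROGRAM_NAME
  base = { 'preferred_username' => 'cjlvu' }            # mapper OFF: no groups claim
  [base, base.merge('groups' => ['EvmGroup-administrator'])].each do |claims|
    hdr = remote_user_groups_header(verify_and_decode(issue_token(claims)))
    puts "X-REMOTE-USER-GROUPS=#{hdr.inspect} -> EVM role #{match_evm_role(hdr).inspect}"
  end
end
```

Running it prints an empty header and a nil role for the first token and the administrator role for the second, the same difference the mapper change produced in the thread.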

That fixed it for me, thank you so much!