Description
Please note that security bugs or issues should be reported to security@pgadmin.org.
Describe the bug
We have an Openshift pod running pgadmin 4 8.7 "server-mode" and the issue we're facing is that while trying to use OAuth2 for authentication, pgadmin seems to not be recognizing the upn claim, the error we get is:
```
172.25.54.9 - - [22/Aug/2024:15:36:50 +0000] "POST /authenticate/login HTTP/1.1" 302 959 "https://pgadmin-eu-pgtrain-test.apps.eu-dev.ocp.aws.example.com/login?next=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
2024-08-22 15:36:55,590: ERROR pgadmin: The claim 'upn' is required to login into pgAdmin. Please update your OAuth2 profile.
```
If we leave the OAUTH2_USERNAME_CLAIM to "None", the user is able to login correctly - the ones that have Email in their profile.
We have some accounts in Azure AD that do not have Email in their profile therefore we need the upn which is correctly set up in all account profiles 100%.
We've also tested using OAUTH2_ADDITIONAL_CLAIMS parameter, but same error is produced.
All claims have been created in the Application Token Configuration in Azure as follows:
upn - ID - Default
upn - Access - Default
To Reproduce
This is our OAuth config:
```python
OAUTH2_CONFIG = [
    {
        # The name of the oauth provider, ex: github, google
        'OAUTH2_NAME': 'Azure',
        # The display name, ex: Google
        'OAUTH2_DISPLAY_NAME': 'Azure AD',
        # Oauth client id
        'OAUTH2_CLIENT_ID': '{CLIENT_ID}',
        # Oauth secret
        'OAUTH2_CLIENT_SECRET': '{SECRET}',
        # URL to generate a token,
        # Ex: https://github.com/login/oauth/access_token
        'OAUTH2_TOKEN_URL': 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token',
        # URL is used for authentication,
        # Ex: https://github.com/login/oauth/authorize
        'OAUTH2_AUTHORIZATION_URL': 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize',
        # server metadata url might be optional for your provider
        'OAUTH2_SERVER_METADATA_URL': 'https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration',
        # Oauth base url, ex: https://api.github.com/
        'OAUTH2_API_BASE_URL': 'https://graph.microsoft.com/',
        # Name of the Endpoint, ex: user
        'OAUTH2_USERINFO_ENDPOINT': 'oidc/userinfo',
        # Oauth scope, ex: 'openid email profile'
        # Note that an 'email' claim is required in the resulting profile
        'OAUTH2_SCOPE': 'openid email profile User.Read',
        # The claim which is used for the username. If the value is empty the
        # email is used as username, but if a value is provided,
        # the claim has to exist.
        'OAUTH2_USERNAME_CLAIM': 'upn',
        # Font-awesome icon, ex: fa-github
        'OAUTH2_ICON': None,
        # UI button colour, ex: #0000ff
        'OAUTH2_BUTTON_COLOR': '#0000ff',
    }
]
```
Expected behavior
The user trying to access browser (server mode) pgadmin4 should be able to log in, authenticating via OAuth2 (Azure AD).
Error message
```
172.25.54.9 - - [22/Aug/2024:15:36:50 +0000] "POST /authenticate/login HTTP/1.1" 302 959 "https://pgadmin-eu-pgtrain-test.apps.eu-dev.ocp.aws.example.com/login?next=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"
2024-08-22 15:36:55,590: ERROR pgadmin: The claim 'upn' is required to login into pgAdmin. Please update your OAuth2 profile.
```
Screenshots
Here're the permissions in Azure:
Desktop (please complete the following information):
- OS: alpine (containers in Openshift)
- Version: 8.7
- Mode: Server
- Browser (if running in server mode): Edge
- Package type: Container
Additional context
I'm using helm to deploy the application.
I know there's another issue open regarding OAuth, but I cannot see it being related. I've tried to look into the oauth.py file but I can't see anything that might cause the issue, but please let me know if there's anything I missed (I'm not familiar with python) - I'm attaching the .py file as well.
oauth_pgadmin.txt
We have also decoded the payload of the token and the upn value is correctly sent, I removed all IDs and hashes just in case.
```json
{
  "aud": "{CLIENT_ID}",
  "iss": "https://login.microsoftonline.com/{TENANT_ID}/v2.0",
  "iat": 0123456789,
  "nbf": 0123456789,
  "exp": 9876543210,
  "aio": "{HASHED}",
  "groups": [
    "{GROUP_ID}",
    "{GROUP_ID}"
  ],
  "name": "{USER}",
  "nonce": "{HASHED}",
  "oid": "{HASHED}",
  "preferred_username": "user_without_email@example.com",
  "rh": "{HASHED}.",
  "sub": "{HASHED}",
  "tid": "{TENANT_ID}",
  "upn": "user_without_email@example.com",
  "uti": "{HASHED}",
  "ver": "2.0",
  "userpn": "user_without_email@example.com"
}
```
Please let me know if you need more information.
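When debugging a "claim is required" error like this one, it helps to check whether the configured username claim is actually present in each claim set the login flow can draw on; the following is an added example (not code from the issue or from pgAdmin) that decodes the ID token payload without verifying it and reports whether a claim appears there and/or in the userinfo response, since the two can differ. The token and the userinfo response are constructed samples modelled on the redacted payload above, and `locate_claim` is a hypothetical helper name.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample, not a real token: the payload mirrors the redacted
# claims quoted in the issue and the signature segment is a dummy string.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "aud": "{CLIENT_ID}",
        "iss": "https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "preferred_username": "user_without_email@example.com",
        "upn": "user_without_email@example.com",
        "ver": "2.0",
    }).encode()),
    "dummy-signature",
])

# Constructed: a userinfo response for an account with neither email nor upn.
SAMPLE_USERINFO = {"sub": "{HASHED}", "name": "{USER}"}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Diagnostic use only; trust claims only after the OAuth2 library has
    validated the signature, issuer, audience and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def locate_claim(id_token: str, userinfo: dict, claim: str) -> dict:
    """Report whether `claim` is present in the ID token payload and/or the
    userinfo response, with its value if found in either."""
    token_claims = decode_jwt_payload(id_token)
    return {
        "claim": claim,
        "in_id_token": claim in token_claims,
        "in_userinfo": claim in userinfo,
        "value": token_claims.get(claim, userinfo.get(claim)),
    }


if __name__ == "__main__":
    print(locate_claim(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, "upn"))
```

A result with `in_id_token` true but `in_userinfo` false points at the endpoint pgAdmin is reading rather than at the token configuration in Azure.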