concourse: Failed to authenticate: missing "username" claim with concourse 6.7.3
Summary
Hi concourse team
We updated our concourse from version 6.6.0 to 6.7.3 but after that, we are unable to login with our SSO. We are using Onelogin as a provider with the oidc connector. When we try to log in through Onelogin we get the message:
Failed to authenticate: missing “username” claim
Our Oidc configuration worked so far like this (with some injected parameters):
--oidc-client-id="$${ONELOGIN_CLIENT_ID}" \
--oidc-client-secret="$${ONELOGIN_CLIENT_SECRET}" \
--oidc-scope="groups" \
--main-team-oidc-group=${onelogin_team} \
--oidc-issuer=${onelogin_issuer} \
--oidc-display-name=${onelogin_display_name}
Currently we rolled back to version 6.7.2 which seems to work without any issue.
We are aware that for version 6.7.3 a breaking change was announced. However, we miss some insights about how to mitigate it.
Thank you very much for looking into this. It would help us a lot.
Steps to reproduce
- Use Onelogin as SSO provider with the OIDC Connector (version 2)
- try to login
Expected results
Login should work.
Actual results
Login does not work with OIDC, getting the message: Failed to authenticate: missing “username” claim
Additional context
Please ask if you need more.
Triaging info
- Concourse version: 6.7.3
- Browser (if applicable): Firefox 84.0.1 / latest Chrome
- Did this used to work? Yes, it also works with 6.7.2
About this issue
- State: open
- Created 3 years ago
- Reactions: 1
- Comments: 15 (7 by maintainers)
Edit: We were able to fix it by
@rikkuness no concourse doesn’t provide a way to config the insecureSkipEmailVerified. However in your case you can config --oidc-scope to exclude email scope to bypass the check (noted it might cause your IDP to not return email claim anymore).
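A diagnostic sketch for the two checks discussed in this thread, added here as an example and not code from Concourse or its OIDC connector. It decodes an ID token payload and reports whether the claim named in the error message is present and whether a verified-email check would apply for the requested scopes. The function names, the `user_name_key` parameter, the check logic and the sample token are assumptions constructed for illustration.

```python
import base64
import json


def decode_claims(id_token):
    """Return the JWT payload as a dict. Signature is NOT verified: diagnostics only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def login_problems(claims, requested_scopes, user_name_key="username"):
    """List reasons a login would be rejected under the assumed checks."""
    problems = []
    # Check named in the error message quoted on this page.
    if not claims.get(user_name_key):
        problems.append('missing "%s" claim' % user_name_key)
    # Assumed from the maintainer's comment: the verified-email check
    # only applies when the "email" scope was requested.
    if "email" in requested_scopes and claims.get("email_verified") is not True:
        problems.append("email not verified")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])


# Constructed sample: an IdP response with no "username" claim
# and an unverified email address.
SAMPLE = make_sample_token({
    "sub": "1234", "preferred_username": "jdoe",
    "email": "jdoe@example.com", "email_verified": False,
    "groups": ["ci-admins"],
})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE)
    print("claims present:", sorted(claims))
    for scopes in (["openid", "groups", "email"], ["openid", "groups"]):
        print(scopes, "->", login_problems(claims, scopes) or "ok")
```

Run it against a token captured from your own IdP's test login to see which claims it actually returns before changing the requested scopes.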