harbor: Enabling OIDC causes all robot accounts to generate error: failed to verify secret, username: robot$gitlab, error: failed to get oidc user info, error: no row
It appears when OIDC is enabled the auth goes through OIDC even if the account is a robot account with no OIDC. This causes the logs to be inundated with this error message:
2021-07-02T14:55:11Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="a2af154dd57eca5e5a05a8ac4012a311"]: failed to verify secret, username: robot$gitlab, error: failed to get oidc user info, error: <QuerySeter> no row
Since robot accounts cannot even be linked to OIDC accounts is there some sort of way to stop these log messages and errors?
I am using v2.3.0. OIDC settings are:
OIDC Provider Name : azuread
OIDC Endpoint: https://login.microsoftonline.com/CENSORED/v2.0
OIDC Client ID: CENSORED
OIDC Client Secret: CENSORED
Group Claim Name: groups
OIDC Admin Group: CENSORED
OIDC Scope: openid,email,profile,offline_access
Verify Certificate: On
Automatic Onboarding: On
Username Claim: email
About this issue
- State: closed
- Created 3 years ago
- Reactions: 23
- Comments: 61 (2 by maintainers)
Commits related to this issue
- Skip robot account for oidc_cli middleware Fixes #15253 Signed-off-by: stonezdj <daojunz@vmware.com> — committed to stonezdj/harbor by deleted user a year ago
- Skip robot account for oidc_cli middleware (#18317) Fixes #15253 Signed-off-by: stonezdj <daojunz@vmware.com> — committed to goharbor/harbor by stonezdj a year ago
This fix will be included in v2.8.0
Harbor 2.9.1 We also see errors for the admin user:
So is the fix available in version 2.7.1? Because I’m still having this issue in my latest helm install :<
Seeing the same for 2.3.3 offline-standalone installation: with OIDC enabled, none of the robot users would work.
So, after more digging, this error could be solved by adding a check to this method to return nil if the username prefix is the same as the robot prefix:
2021-08-24T11:15:42Z [ERROR] [/server/middleware/security/oidc_cli.go:62][requestID="f7b12e7636f6e9fd320dd6e4ac518d77"]: failed to verify secret, username: ROBOTACCOUNT, error: failed to get oidc user info, error: <QuerySeter> no row found
This would eliminate one of the big error logs we see.
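The check proposed above, modelled as a small Go example (added here; not Harbor's own oidc_cli middleware code). It assumes a constructed in-memory OIDC user table and a `robotPrefix` parameter standing in for Harbor's configurable robot name prefix ("robot$" in the logs above); `skipRobots=false` reproduces the pre-fix lookup that fails with "no row found", `skipRobots=true` short-circuits robot accounts so they never reach the OIDC lookup.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errNoRow stands in for the "<QuerySeter> no row found" error that the OIDC
// user lookup returns when a username has no OIDC record (constructed here).
var errNoRow = errors.New("<QuerySeter> no row found")

// oidcSecrets is a constructed stand-in for the OIDC user table:
// username -> CLI secret. Robot accounts never appear in it.
var oidcSecrets = map[string]string{
	"alice@example.com": "cli-secret-alice",
}

// getOIDCUserInfo imitates the lookup that fails for every robot account.
func getOIDCUserInfo(username string) (string, error) {
	secret, ok := oidcSecrets[username]
	if !ok {
		return "", errNoRow
	}
	return secret, nil
}

// isRobotAccount reports whether the username carries the robot prefix.
// The prefix is passed in because Harbor lets operators configure it (assumption).
func isRobotAccount(username, robotPrefix string) bool {
	return strings.HasPrefix(username, robotPrefix)
}

// verifySecret models the middleware decision. skipRobots=false is the pre-fix
// path: every basic-auth user is looked up as an OIDC user, so robots error out.
// skipRobots=true returns (false, nil) for robots: not authenticated here, no
// error logged, and the request falls through to the robot-account middleware.
func verifySecret(username, secret, robotPrefix string, skipRobots bool) (bool, error) {
	if skipRobots && isRobotAccount(username, robotPrefix) {
		return false, nil
	}
	stored, err := getOIDCUserInfo(username)
	if err != nil {
		return false, fmt.Errorf("failed to verify secret, username: %s, error: failed to get oidc user info, error: %w", username, err)
	}
	return stored == secret, nil
}

func main() {
	for _, skip := range []bool{false, true} {
		ok, err := verifySecret("robot$gitlab", "token", "robot$", skip)
		fmt.Printf("skipRobots=%v authenticated=%v err=%v\n", skip, ok, err)
	}
}
```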
Ya this is what is most frustrating. It works most of the time but then randomly fails with the header issue.
On Mon, 5 Jul 2021, 22:14 Maurice Faber, @.***> wrote: