ocis: rc.1 external OIDC+LDAP setup, error on new user first login

Describe the bug

I’m testing rc.1 with an external OIDC+LDAP setup; when a new user tries to log in, /ocs/v1.php/cloud/user returns a 500 error.

proxy service error log:

2022-11-13T13:51:24Z ERR Could not add default role error="{\"id\":\"ocis-settings\",\"code\":403,\"detail\":\"user has no role management permission\",\"status\":\"Forbidden\"}" service=proxy
2022-11-13T13:51:24Z ERR Could not get user by claim error="{\"id\":\"ocis-settings\",\"code\":403,\"detail\":\"user has no role management permission\",\"status\":\"Forbidden\"}" service=proxy

Seems like a bug; a user shouldn’t need the role management permission to be assigned the default role.

(The one user set in the helm chart adminUUID option can login as the admin role)
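As an added example (not from this issue or the ocis project), here is a small Python detector that parses proxy log lines in the format quoted above and flags the 403 from ocis-settings, so an operator can alert on new users failing their first login; the line shape (timestamp, level, message, escaped JSON in error="...", service=) is assumed from the two quoted lines, and the sample log below is constructed from them.

```python
import json
import re

# Shape of the zerolog console lines ocis services emit (as quoted in the report):
#   <timestamp> <LEVEL> <message> [error="<JSON with \" escapes>"] service=<name>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<level>[A-Z]{3})\s+(?P<msg>.*?)'
    r'(?:\s+error="(?P<err>.*)")?\s+service=(?P<service>\S+)$'
)

def parse_proxy_line(line: str) -> dict:
    """Parse one log line; the escaped JSON in error="..." is decoded into rec["error"]."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    rec = m.groupdict()
    raw = rec.pop("err")
    try:
        # zerolog writes the nested JSON with backslash-escaped quotes; undo that first.
        rec["error"] = json.loads(raw.replace('\\"', '"')) if raw is not None else None
    except json.JSONDecodeError:
        rec["error"] = {"detail": raw}  # not valid JSON: keep the raw text
    return rec

def is_role_permission_denied(rec: dict) -> bool:
    """True for a proxy line where ocis-settings answered 403 for lack of role-management permission."""
    err = rec.get("error") or {}
    return (
        rec.get("service") == "proxy"
        and err.get("id") == "ocis-settings"
        and err.get("code") == 403
        and "role management permission" in err.get("detail", "")
    )

def find_role_permission_denials(lines) -> list:
    """Timestamps of every line showing the failed first-login role assignment from this issue."""
    return [r["ts"] for r in map(parse_proxy_line, lines) if is_role_permission_denied(r)]

# Constructed sample: the two proxy lines from the report plus one benign line that must not match.
SAMPLE_LOG = [
    r'2022-11-13T13:51:24Z ERR Could not add default role error="{\"id\":\"ocis-settings\",\"code\":403,\"detail\":\"user has no role management permission\",\"status\":\"Forbidden\"}" service=proxy',
    r'2022-11-13T13:51:24Z ERR Could not get user by claim error="{\"id\":\"ocis-settings\",\"code\":403,\"detail\":\"user has no role management permission\",\"status\":\"Forbidden\"}" service=proxy',
    r'2022-11-13T13:51:25Z INF request finished service=proxy',
]

if __name__ == "__main__":
    for ts in find_role_permission_denials(SAMPLE_LOG):
        print(ts, "default role assignment denied by ocis-settings (403)")
```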

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 29 (22 by maintainers)

Most upvoted comments

Found it:

curl 'https://ocis.ocis-ldap.latest.owncloud.works/graph/v1.0/users/4c510ada-c86b-4815-8820-42cdf82c3d51' \
  -X 'PATCH' \
  -H 'authority: ocis.ocis-ldap.latest.owncloud.works' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'authorization: Bearer <bearer token elided>' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'origin: https://ocis.ocis-ldap.latest.owncloud.works' \
  -H 'referer: https://ocis.ocis-ldap.latest.owncloud.works/user-management/users' \
  -H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
  -H 'x-request-id: 2b0c3c33-46db-4635-9ead-83990c3a49fa' \
  -H 'x-requested-with: XMLHttpRequest' \
  --data-raw '{"displayName":"Albert Einstein","id":"4c510ada-c86b-4815-8820-42cdf82c3d51","mail":"einstein@example.org","onPremisesSamAccountName":"einstein","memberOf":[],"passwordProfile":{"password":""}}' \
  --compressed

This is weird. Why do we use the GraphAPI for Role Assignments? @kulmann @JanAckermann I thought we need to use the settings API for that purpose.

Should be, yes. Needs re-testing in the next QA cycle.