docs(oidc): Updating + improving docs around OIDC configuration #7141

Merged
48 changes: 45 additions & 3 deletions docs/authentication/guides/sso/configure-oidc-react.md
Expand Up @@ -126,8 +126,8 @@ AUTH_OIDC_SCOPE=your-custom-scope
AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD=authentication-method
```

- `AUTH_OIDC_USER_NAME_CLAIM`: The attribute that will contain the username used on the DataHub platform. By default, this is "preferred_username" provided
as part of the standard `profile` scope.
- `AUTH_OIDC_USER_NAME_CLAIM`: The attribute that will contain the username used on the DataHub platform. By default, this is "email" provided
as part of the standard `email` scope.
- `AUTH_OIDC_USER_NAME_CLAIM_REGEX`: A regex string used for extracting the username from the userNameClaim attribute. For example, if
the userNameClaim field will contain an email address, and we want to omit the domain name suffix of the email, we can specify a custom
regex to do so. (e.g. `([^@]+)`)
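Review bot: the `AUTH_OIDC_USER_NAME_CLAIM` bullet now documents `email` as the default claim, but the bullet should also state that whatever claim is chosen must be stable and unique per user, because the value (after the regex is applied) becomes the DataHub identity (`urn:li:corpuser:username` in the flow summary below); two users whose claim values collide would map to the same account. The `AUTH_OIDC_USER_NAME_CLAIM_REGEX` bullet should also state the default regex explicitly (the FAQ log line further down shows it as `(.*)`), since with the new `email` default that means the full address, not just the local part, is used as the username unless `([^@]+)` or similar is configured. Minor: the bullet refers to "the userNameClaim attribute" while the variable is `AUTH_OIDC_USER_NAME_CLAIM`; using the environment variable name keeps the two bullets consistent.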
Expand Down Expand Up @@ -188,4 +188,46 @@ A brief summary of the steps that occur when the user navigates to the React app
can be used to retrieve information on behalf of the authenticated user
6. DataHub fetches the authenticated user's profile and extracts a username to identify the user on DataHub (eg. urn:li:corpuser:username)
7. DataHub sets session cookies for the newly authenticated user
8. DataHub redirects the user to the homepage ("/")
8. DataHub redirects the user to the homepage ("/")

## FAQ

**No users can log in. Instead, I get redirected to the login page with an error. What do I do?**

This can occur for a variety of reasons, but most often it is due to misconfiguration of Single-Sign On, either on the DataHub
side or on the Identity Provider side.

First, verify that all values are consistent across them (e.g. the host URL where DataHub is deployed), and that no values
are misspelled (client id, client secret).

Next, verify that the scopes requested are supported by your Identity Provider
and that the claim (i.e. attribute) DataHub uses for uniquely identifying the user is supported by your Identity Provider (refer to Identity Provider OpenID Connect documentation). By default, this claim is `email`.

Then, make sure the Discovery URI you've configured (`AUTH_OIDC_DISCOVERY_URI`) is accessible where the datahub-frontend container is running. You
can do this by issuing a basic CURL to the address (**Pro-Tip**: you may also visit the address in your browser to check more specific details about your Identity Provider).

Finally, check the container logs for the `datahub-frontend` container. This should hopefully provide some additional context
around why exactly the login handoff is not working.

If all else fails, feel free to reach out to the DataHub Community on Slack for
real-time support



**I'm seeing an error in the `datahub-frontend` logs when a user tries to login**
```shell
Caused by: java.lang.RuntimeException: Failed to resolve user name claim from profile provided by Identity Provider. Missing attribute. Attribute: 'email', Regex: '(.*)', Profile: { ...
```
**what do I do?**

This indicates that your Identity Provider does not provide the claim with name 'email', which DataHub
uses by default to uniquely identify users within your organization.

To fix this, you may need to

1. Change the claim that is used as the unique user identifier to something else by changing the `AUTH_OIDC_USER_NAME_CLAIM` (e.g. to "name" or "preferred_username") _OR_
2. Change the environment variable `AUTH_OIDC_SCOPE` to include the scope required to retrieve the claim with name "email"

For the `datahub-frontend` container / pod.

**Pro-Tip**: Check the documentation for your Identity Provider to learn more about the scope claims supported.
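Review bot: step 1 of the "To fix this" list suggests switching `AUTH_OIDC_USER_NAME_CLAIM` to "name", but the FAQ above describes this claim as the one DataHub uses for "uniquely identifying the user"; `name` is a human-readable display name and is not guaranteed unique, so either drop it from the example or qualify that the chosen claim must be unique per user. Formatting in the same section: the second FAQ question is split around the code block (`**I'm seeing an error ...**` / fence / `**what do I do?**`) with no blank lines before and after the fence, so the bold fragments render oddly; the fence is tagged `shell` but contains a Java exception, so `text` fits better; and "For the `datahub-frontend` container / pod." is an orphaned fragment after the numbered list that should be folded into the introductory sentence ("To fix this, you may need to do one of the following for the `datahub-frontend` container / pod:"). Small wording fixes: "Single-Sign On" should be "Single Sign-On", "CURL" should be `curl`, "tries to login" should be "tries to log in", and the Slack sentence is missing its final period.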