Desktop (please complete the following information):
OS: Windows
Browser: Chrome
Version: 0.14.1 (DataHub version)
Describe the bug
SSO integration with Ping Identity using OIDC protocol.
To Reproduce
Steps to reproduce the behavior:
Go to the values.yaml file, update the details below under the extraEnvs section, and redeploy the DataHub app.
extraEnvs:
value: "true"
value: XXXXX
value: XXXXX
value: https://<ping_id_url>/.well-known/openid-configuration
value: https://app_base_url
Once successfully deployed, please validate the application login.
Ideally, it should log in without prompting for credentials.
Instead, we are getting the error below in the frontend pod logs:
2025-01-16 16:28:13,383 [application-akka.actor.default-dispatcher-12] ERROR controllers.SsoCallbackController - Caught exception while attempting to handle SSO callback! It's likely that SSO integration is mis-configured.
java.util.concurrent.CompletionException: org.pac4j.core.exception.TechnicalException: Unsigned ID tokens are not allowed: they must be explicitly enabled on client side and the response_type used must return no ID Token from the authorization endpoint
at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:315)
at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:320)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1770)
at play.core.j.HttpExecutionContext.$anonfun$execute$1(HttpExecutionContext.scala:64)
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:49)
at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48)
at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373)
at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182)
at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655)
at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622)
at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)
Caused by: org.pac4j.core.exception.TechnicalException: Unsigned ID tokens are not allowed: they must be explicitly enabled on client side and the response_type used must return no ID Token from the authorization endpoint
at org.pac4j.oidc.profile.creator.TokenValidator.<init>(TokenValidator.java:62)
at org.pac4j.oidc.config.OidcConfiguration.findTokenValidator(OidcConfiguration.java:472)
at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:93)
at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:45)
at org.pac4j.core.client.BaseClient.retrieveUserProfile(BaseClient.java:119)
at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:88)
at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:121)
at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:123)
at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:97)
at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:54)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1768)
... 8 common frames omitted
Expected behavior
We should be able to log in to the DataHub application: it should redirect to the Ping ID redirection URL and, once authenticated through MFA, the application should log in without prompting for credentials.
Screenshots
Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator.
Additional context
Add any other context about the problem here.
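A way to check the two places an unsigned (`alg: none`) ID token can come from, the provider's discovery document and the token header, as an added example that is not part of the original issue or of the DataHub or pac4j code. The sample discovery document, sample token and function names are constructed; that the Ping discovery document advertises `none` is an assumption, not something the issue shows.

```python
import base64
import json

# Constructed sample discovery document (not taken from the issue).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://idp.example.test",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "id_token_signing_alg_values_supported": ["none", "RS256", "ES256"]
}
""")

# Constructed compact JWT: header {"alg":"none"}, payload {}, empty signature.
SAMPLE_UNSIGNED_TOKEN = "eyJhbGciOiJub25lIn0.e30."


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_alg(id_token: str) -> str:
    """Read 'alg' from the JWT header; this inspects, it does not validate."""
    header = json.loads(b64url_decode(id_token.split(".")[0]))
    return str(header.get("alg", "")).lower()


def unsigned_allowed(allow_unsigned: bool, response_type: str) -> bool:
    """Rule quoted in the error message: explicit client-side opt-in AND
    a response_type that returns no ID token from the authorization endpoint."""
    return allow_unsigned and "id_token" not in response_type.split()


def audit(discovery: dict, response_type: str = "code",
          allow_unsigned: bool = False) -> list:
    """List reasons a strict OIDC client would refuse this provider setup."""
    findings = []
    algs = [a.lower() for a in
            discovery.get("id_token_signing_alg_values_supported", [])]
    if not algs:
        findings.append("no id_token_signing_alg_values_supported advertised")
    if "none" in algs and not unsigned_allowed(allow_unsigned, response_type):
        findings.append("provider advertises alg 'none' for ID tokens")
    if algs and all(a == "none" for a in algs):
        findings.append("no signed algorithm available")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_DISCOVERY))
    print(id_token_alg(SAMPLE_UNSIGNED_TOKEN))
```

If the audit flags `none`, the safer fix is on the identity-provider side (configure the client to sign ID tokens, for example with RS256) rather than enabling unsigned tokens in the relying party.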