Error during User Creation (Azure OAuth)

  • felix.cmas
    Participant
    # 2 months, 3 weeks ago

    We are currently testing the mO SAML SSO plugin to authenticate users via Azure AD.
    Currently there is an issue with the user creation.

    If i try to log in with an Azure user that does not exist in Jira, i get the following error:

    The user is not allowed to login into the application.
    MO_OAUTH_ERROR_00012

    In the SSO settings, the user creation is allowed and both the username and email of the Azure user are set and mapped in the plugin.
    Testing the connection in the plugin settings with this user works just fine.

    The debug log shows the following:

    2023-12-12 10:34:53,342+0100 http-nio-8080-exec-9 DEBUG anonymous 634x8525x1 1m9i4e 172.30.148.1,172.30.129.127 /plugins/servlet/oauth/callback [c.m.o.jira.handler.UserHandler] User identity is <userPrincipalName>
    2023-12-12 10:34:53,342+0100 http-nio-8080-exec-9 DEBUG anonymous 634x8525x1 1m9i4e 172.30.148.1,172.30.129.127 /plugins/servlet/oauth/callback [c.m.o.jira.handler.UserHandler] User DOES NOT exist. Creating new user.
    2023-12-12 10:34:53,342+0100 http-nio-8080-exec-9 DEBUG anonymous 634x8525x1 1m9i4e 172.30.148.1,172.30.129.127 /plugins/servlet/oauth/callback [c.m.o.jira.handler.UserHandler] userEmail : <userMail>
    2023-12-12 10:34:53,342+0100 http-nio-8080-exec-9 DEBUG anonymous 634x8525x1 1m9i4e 172.30.148.1,172.30.129.127 /plugins/servlet/oauth/callback [c.m.o.jira.handler.UserHandler] canCreateNewUsertrue
    2023-12-12 10:34:53,342+0100 http-nio-8080-exec-9 ERROR anonymous 634x8525x1 1m9i4e 172.30.148.1,172.30.129.127 /plugins/servlet/oauth/callback [c.m.o.jira.handler.UserHandler] An Error Occurred in callback servlet for user operations 
    java.lang.NullPointerException
    	at com.miniorange.oauth.jira.handler.UserHandler.authoriseAndManageUser(UserHandler.java:452)
    	at com.miniorange.oauth.jira.servlet.OAuthJiraCallbackServlet.doGet(OAuthJiraCallbackServlet.java:271)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    	at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    	at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:49)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    	... 44 filtered
    	at com.atlassian.servicedesk.internal.web.ExternalCustomerLockoutFilter.doFilter(ExternalCustomerLockoutFilter.java:55)
    	... 8 filtered
    	at com.atlassian.diagnostics.internal.platform.monitor.http.HttpRequestMonitoringFilter.doFilter(HttpRequestMonitoringFilter.java:54)
    	... 8 filtered
    	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    	... 48 filtered
    	at com.atlassian.oauth2.scopes.web.ReadWriteScopeFilter.doFilter(ReadWriteScopeFilter.java:46)
    	... 3 filtered
    	at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
    	... 17 filtered
    	at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
    	... 1 filtered
    	at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
    	... 16 filtered
    	at com.atlassian.pats.web.filter.TokenBasedAuthenticationFilter.doFilter(TokenBasedAuthenticationFilter.java:82)
    	... 3 filtered
    	at com.atlassian.oauth2.provider.core.web.AccessTokenFilter.doFilter(AccessTokenFilter.java:81)
    	... 23 filtered
    	at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
    	... 5 filtered
    	at com.idalko.tgng.jira.server.models.servicedesk.ServletRequestContextFilter.doFilter(ServletRequestContextFilter.scala:12)
    	... 3 filtered
    	at com.atlassian.plugins.authentication.impl.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:70)
    	... 3 filtered
    	at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.lambda$invokeFilterChain$0(CustomerContextSettingFilter.java:220)
    	at com.atlassian.servicedesk.internal.api.util.context.ReentrantThreadLocalBasedCodeContext.rteInvoke(ReentrantThreadLocalBasedCodeContext.java:136)
    	at com.atlassian.servicedesk.internal.api.util.context.ReentrantThreadLocalBasedCodeContext.runOutOfContext(ReentrantThreadLocalBasedCodeContext.java:89)
    	at com.atlassian.servicedesk.internal.utils.context.CustomerContextServiceImpl.runOutOfCustomerContext(CustomerContextServiceImpl.java:47)
    	at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.outOfCustomerContext(CustomerContextSettingFilter.java:211)
    	at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.doFilterImpl(CustomerContextSettingFilter.java:139)
    	at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.doFilter(CustomerContextSettingFilter.java:128)
    	... 9 filtered
    	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37)
    	... 3 filtered
    	at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    	... 4 filtered
    	at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
    	... 3 filtered
    	at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
    	... 29 filtered
    	at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
    	... 25 filtered
    	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    	at java.base/java.lang.Thread.run(Unknown Source)
    2023-12-12 10:34:53,346+0100 http-nio-8080-exec-9 ERROR anonymous 634x8525x1 1m9i4e 172.30.148.1,172.30.129.127 /plugins/servlet/oauth/callback [c.m.o.jira.servlet.OAuthJiraCallbackServlet] User Response Validator returned failure, The user is not allowed to login into the application. 

    <userPrincipalName> and <userMail> were replaced by me – the original values are correct.

    We are running Jira 9.4.12 with OAuth/OpenID Connect (OIDC) for Jira SSO 2.0.9

    Is there any way to get a more detailed error description on “An Error Occurred in callback servlet for user operations”?

    Thank you!
    Felix

    • This topic was modified 2 months, 3 weeks ago by  felix.cmas.
    tanishkatandon
    Participant
    # 2 months, 3 weeks ago

    Hi There,

    Thanks for reaching out to miniOrange. I regret the inconvenience that this has caused you.

    I went through the logs that you shared and it seems that the error is occurring because some of the user details are not being fetched accurately during login and throwing a null pointer error.

    To further confirm the same and identify the root cause of the issue, I will require some details from your side.

      The plugin configurations. You can download them from the backup/restore tab of the plugin.

      As the logs that you send lack some information, kindly send the debug logs again. Enable the debug logs, reproduce the issue and then send the recorded logs. You can find the steps to record the logs inside the troubleshooting tab of the plugin.

    Rest assured, I will look into it and will get back to you with my findings as soon as possible.

    Feel free to reach out if you have any further queries or concerns. We are always there to assist.

    Looking forward to hearing from you!

    Best Regards,
    Tanishka

    felix.cmas
    Participant
    # 2 months, 2 weeks ago

    Hi Tanishka

    Thank you for your awnser!

    I was able to fix the problem by using a different user directory than “Jira Internal Directory”.
    Maybe this would be a nice addition to the plugin documentation. 🙂

    Best Regards
    Felix

    tanishkatandon
    Participant
    # 2 months, 2 weeks ago

    Hi Felix,

    Thanks for the updates.

    Glad to hear that the issue is resolved on your end.

    Could you please confirm whether you created another internal directory in Jira itself and that happened to resolve your issue of user creation?

    It would help me to get more insights into the problem that you faced!

    Also, thanks a lot for this information. We will dig into this issue and will surely update our plugin documentation accordingly.

    Have a fantastic weekend ahead! 🙂

    Best Regards,
    Tanishka

    felix.cmas
    Participant
    # 2 months, 2 weeks ago

    Hi Taniska

    Yes – i just added another internal directory – it just did not work with the default one.
    If you want me to provide any additional configuration details/logs, just let me know.

    BR Felix

    tanishkatandon
    Participant
    # 2 months, 2 weeks ago

    Hi Felix,

    Thanks for the updates.

    It would be great if you could share the following things with me as it would help me to land on the exact root cause of the issue.

    • The plugin configuration. You can download them from the backup/restore tab of the plugin.
    • The debug logs. Kindly reproduce the issue(User creation in the default Jira directory) on your end and send me the recorded logs. You can find the steps to record the logs inside the troubleshooting tab of the plugin.

    Also could you please confirm whether there were some specific permissions assigned to your default directory in Jira?

    Awaiting your response.

    Best Regards,
    Tanishka

    felix.cmas
    Participant
    # 2 months, 2 weeks ago

    Hi Tanishka

    where do you want to me send the configuration/logs? Via email?

    I can confirm that there were no specific permissions set on the default internal directory.

    BR Felix

    tanishkatandon
    Participant
    # 2 months ago

    Hi Felix,

    Wishing you a very happy new year!

    I apologise for the delay in my response as I was out of the office for a while.

    In response to your query, yes you may send the configurations as well as debug logs over email.

    Please find my email id:- tanishka.tandon@xecurify.com

    Kindly let me know if you have any further queries or concerns. We are always there to assist.

    Looking forward to hearing from you!

    Best Regards,
    Tanishka

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.