Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Validation failed: Last name can't be blank" when trying to use OIDC #3049

Open
dumbasPL opened this issue Jul 21, 2024 · 1 comment
Open

"Validation failed: Last name can't be blank" when trying to use OIDC #3049

dumbasPL opened this issue Jul 21, 2024 · 1 comment
Labels
bug

Comments

@dumbasPL
Copy link

Describe the bug

I'm getting a "Validation failed: Last name can't be blank" exception when trying to use OIDC.

To Reproduce

  1. Configure your OIDC server so that it returns a name without any whitespace
  2. Try to log in using OIDC
  3. Observe crash

Expected behaviour

usernames without whitespace are supported.

Environment details

  • OS: all
  • Browser: all
  • Version: 3.3.4

Temporary workaround for people facing this issue

change the oidc.name_field option to some random value that doesn't exist, doing so will prevent the names from being updated

Additional information/context

the OIDC spec specifies the name field as End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. so we can't assume that it will be in any particular format. And even if we do, the name field is configurable via the uidc.name_field option and a user might want to use something like preferred_username instead, and that rarely will have any whitespace. The spec also includes given_name, family_name, and middle_name as part of the Standard Claims but not every provider supports them. See: https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.1

I have 10+ services configured in my OIDC provider and all of them can handle usernames just fine. Imo assuming anything about the name field is a recipe for disaster. The spec even mentions possibly including titles and suffixes, ordered according to the End-User's locale and preferences., and people all over the world can have different formats, prefixes, suffixes, middle names, etc.

problematic line:

postal/app/models/user.rb

Line 127 in da90e75

user.first_name, user.last_name = oidc_name.split(/\s+/, 2) if oidc_name.present?

trace:

[...]
/usr/local/bundle/gems/activerecord-7.0.8.1/lib/active_record/suppressor.rb:54:in `save!'
/opt/postal/app/app/models/user.rb:129:in `find_from_oidc'
/opt/postal/app/app/controllers/sessions_controller.rb:76:in `create_from_oidc'
/usr/local/bundle/gems/actionpack-7.0.8.1/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
[...]

log (details redacted with <REDACTED>):

D, [2024-07-21T17:34:00.071792 #10] DEBUG -- omniauth: (oidc) Callback phase initiated.
2024-07-21 17:34:00 +0000 DEBUG  got auth details from issuer: #<OmniAuth::AuthHash amr=#<Hashie::Array ["pwd", "pop", "hwk", "user", "pin", "mfa"]> at_hash="<REDACTED>" aud=#<Hashie::Array ["postal"]> auth_time=1719762174 azp="postal" client_id="postal" email="nezu@<REDACTED>" email_verified=true exp=1721586840 groups=#<Hashie::Array ["admin", "<REDACTED>"]> iat=1721583240 iss="https://auth.<REDACTED>" jti="<REDACTED>" name="nezu" nonce="<REDACTED>" preferred_username="nezu" sub="<REDACTED>">
2024-07-21 17:34:00 +0000 DEBUG  no user with UID <REDACTED> for issuer https://auth.<REDACTED>
2024-07-21 17:34:00 +0000 DEBUG  found user with e-mail address nezu@<REDACTED> (user ID: 1)
2024-07-21 17:34:00 +0000 ERROR  GET /auth/oidc/callback?code=<REDACTED>&iss=https%3A%2F%2Fauth.<REDACTED>&scope=openid+profile+email+groups&state=<REDACTED> (422) event=request transaction=<REDACTED> controller=SessionsController action=create_from_oidc format=html method=GET path=/auth/oidc/callback?code=<REDACTED>&iss=https%3A%2F%2Fauth.<REDACTED>&scope=openid+profile+email+groups&state=<REDACTED> request_id=<REDACTED> ip_address=<REDACTED> status=422 db_runtime=4.355344772338867 exception_class=ActiveRecord::RecordInvalid exception_message=Validation failed: Last name can't be blank exception_backtrace=/usr/local/bundle/gems/activerecord-7.0.8.1/lib/active_record/validations.rb:80:in `raise_validation_error'\n/usr/local/bundle/gems/activerecord-7.0.8.1/lib/active_record/validations.rb:53:in `save!'\n/usr/local/bundle/gems/activerecord-7.0.8.1/lib/active_record/transactions.rb:302:in `block in save!'\n/usr/local/bundle/gems/activerecord-7.0.8.1/lib/active_record/transactions.rb:354:in `block in with_transaction_returning_status'
2024-07-21 17:34:00 +0000 Rack app ("GET /auth/oidc/callbackcode=<REDACTED>&iss=https%3A%2F%2Fauth.<REDACTED>&scope=openid+profile+email+groups&state=<REDACTED>" - (<REDACTED>)): #<ActiveRecord::RecordInvalid: Validation failed: Last name can't be blank>
@willpower232
Copy link
Collaborator

Yeah definitely should deal with this.

Perhaps also if both first and last name are empty, use the email as one of them so it sort of works?

I'm also not sure how much of the UI relies on both names being present but definitely worth testing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@willpower232 @dumbasPL