admin user being associated/updated with OAUTH social auth providers (Azure AD, Github) #8154
Comments
I cannot reproduce this. If I log in to the API in one tab, a new tab gives me a dashboard view with the logged-in API user. If I then navigate to the login page and perform an Azure AD login, it proceeds normally (whether creating a new Tower social account or reusing an existing one). If I then go back to the API page and click refresh, it shows the newly logged-in AD user. I was not able to produce the behavior described. @lucas-benedito can you give more details on how to reproduce this, like down to exact "click on this" steps?
@ghjm sure, I've tested with Ansible Tower 3.6.5 and 3.7.2
No other steps were required during my tests.
Ok, I can reproduce this now. The trick is to have both browser tabs open before logging into either one of them.
Hi. I've opened a PR to fix this issue: #8299 I've confirmed that this bug isn't specific to Azure AD. It's likely reproducible for any OAuth provider. For those testing and verifying this issue, I recommend creating a GitHub application to parametrize your social auth settings. It's simpler than Azure, so it's a great way to make sure you have the bug reproduction steps exactly right before trying any of the other providers:
Be aware that once you've changed a local user to a social one via this bug, you shouldn't use it for a subsequent test. Delete all of the user(s) and make new ones.
@kdelee , let's 👁️ this next week when doing the social auth automation
@kdelee and @tiagodread are going to finish verifying this as a part of the Automation Social Auth work
In the past:
Now:
Note:
We will not be adding automated coverage for this if you'd like to close this out @kdelee |
After a retest like @kdelee's post above, this bug doesn't happen anymore; closing this.
ISSUE TYPE
SUMMARY
Bug found where, if you connect with the admin user in the REST API and then proceed with an Azure AD login in Ansible Tower, the admin user in Ansible Tower is updated with Azure AD data after login and the admin user gets the tag Social.
The user in question would be a non-administrative user from Azure AD that, after login, became the admin user and had full access to Tower. This only happened when using the Azure AD method, but not with the SAML method for the same Azure AD.
ENVIRONMENT
STEPS TO REPRODUCE
Fresh install of Ansible Tower 3.6.5 or above.
Configure Azure AD with Azure AD OAUTH2 KEY and Azure AD OAUTH2 SECRET.
Log in with the admin user in the REST API in one tab.
Log in with Azure AD in another tab.
Check the logged-in user and user details in the Users tab.
EXPECTED RESULTS
New user created in tower matching Azure AD settings
ACTUAL RESULTS
Admin user updated with Azure AD user data and login performed as the admin user
ADDITIONAL INFORMATION
Tests performed in different OS versions and Ansible Tower versions 3.6.5 and 3.7.2, both had the same issue.
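The two-tab scenario from the steps above, modelled as an added example. This is not Tower/AWX code and not the change in the linked PR; `User`, `Request`, `Store` and both `social_login_*` functions are hypothetical stand-ins for a social-auth pipeline, written to show why an authenticated session must never be implicitly bound to a brand-new OAuth identity, and what the guarded behaviour looks like.

```python
"""Simulated social-auth association step (hypothetical, self-contained).

Models the bug report: the admin is logged in (tab 1), a non-admin Azure AD
user completes an OAuth login (tab 2), and the new social identity gets
attached to the already-authenticated admin session. The guarded variant
only links to an existing session when the user explicitly asked for it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    is_superuser: bool = False
    # Mirrors the "Social" tag the issue describes appearing on the admin.
    is_social: bool = False


@dataclass
class Request:
    # User attached to the current browser session, if any.
    user: Optional[User] = None
    # True only when the user deliberately started an "link my account" flow.
    link_requested: bool = False


@dataclass
class Store:
    users: Dict[str, User] = field(default_factory=dict)
    # (provider, uid) -> username of the linked local account
    social: Dict[Tuple[str, str], str] = field(default_factory=dict)


def social_login_vulnerable(store, request, provider, uid, details):
    """Naive association: reuse whatever user the session already has.

    If the incoming identity is unknown but the session is authenticated,
    the identity is bound to that session's user and the user is tagged
    social. With the admin logged in elsewhere, the AD user becomes admin.
    """
    key = (provider, uid)
    if key in store.social:
        return store.users[store.social[key]]
    if request.user is not None:
        user = request.user  # the admin session from the other tab
    else:
        user = User(username=details["username"])
        store.users[user.username] = user
    user.is_social = True
    store.social[key] = user.username
    return user


def social_login_fixed(store, request, provider, uid, details):
    """Guarded association: an unknown identity never attaches to an
    existing session unless linking was explicitly requested.

    Without an explicit link request a fresh user is created; a collision
    with an existing local username is rejected instead of silently merged.
    """
    key = (provider, uid)
    if key in store.social:
        return store.users[store.social[key]]
    if request.user is not None and request.link_requested:
        user = request.user
    else:
        username = details["username"]
        if username in store.users:
            raise PermissionError(
                f"refusing implicit link to existing local user {username!r}")
        user = User(username=username)
        store.users[username] = user
    user.is_social = True
    store.social[key] = user.username
    return user


def demo(login, link_requested=False):
    """Run the two-tab scenario and report who ended up logged in.

    Returns (username, is_superuser, admin_was_tagged_social).
    """
    store = Store()
    admin = User("admin", is_superuser=True)
    store.users["admin"] = admin
    request = Request(user=admin, link_requested=link_requested)  # tab 1 alive
    details = {"username": "alice"}  # constructed non-admin AD user
    user = login(store, request, "azuread-oauth2", "uid-123", details)
    return user.username, user.is_superuser, admin.is_social


if __name__ == "__main__":
    print("vulnerable:", demo(social_login_vulnerable))
    print("fixed:     ", demo(social_login_fixed))
    print("explicit:  ", demo(social_login_fixed, link_requested=True))
```

The vulnerable path reproduces the report (the returned user is the superuser `admin`, now tagged social); the guarded path creates `alice` as a separate non-privileged user and only binds to the admin session when `link_requested` is set. When verifying a fix in a real deployment, the check is the same as step 5 of the repro: after the second-tab login, the Users tab should show a new account, and the admin account should be unchanged.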