Problems with Login over EntraID regarding rights

Hello! So, we have the following issue. We have configured SSO with entra ID and everything is working as expected (so far). For now it was tested only with users with administration rights (to all collections). But now we are working on “real” users with limited rights to an collections and i “got stuck”.

To replicate the issue i have done following:

  1. Create an user that has Limited Access to an Collection → OK

  2. Invite the user via Invite-Link → OK

  3. At this Point the user clicks on the invite link (in a Private windows just to be sure), does his authentication, comes back to specify, is logged in and has access to the stuff that he needs to see. → OK

It looks like this:

Now comes “the bug” Part: User closes Browser. User Open a Browser (again in a Private window) user opens specify in Browser, clicks on Login with OICD (or whatever that button is named), makes authentication in EntraID, will be redirected back to specify after succesfull auth and does NOT see what he should see. I Would expect the same specify as first time. Instead he gets a json output with an error. This looks like this:

So, my first idea is that some rights are screwed or something so i doublecked everything but looks fine. So i set a password to this user to be able to login localy instead with External Identity Provider. So again, loged in “localy” and Bam, everything is working like it should.

If i give the User rights to the collection 4 (see second screenshot) then its working also with OIDC, BUT, he should not be able to do stuff in Collection “4”. He has no rights for it. So i “assume” he goes for collection 4 because its the first collection in database or something like this? All other collections have higher IDs.

So, i think i found a bug or is there any setting regarding this behavior?

Hi @dfernandez,
Just to confirm,
Could you check if there are any duplicate user entries in the “spuserexternalid” database table?
See this post for more info: SSO Authentication Issue with Duplicate User Entries in spuserexternalid Table - Get Help - Specify Community Forum

Yes, there are none, this happens if the user clicks more than once on the invitation link, i allready know this behavior, but is not the case here. There is only one with the right specifyuser_id and it matches with the id in the table specifyuser.

I just wondering where the collectionid = 4 is coming in my case.

1 Like

This is the same bug we had! Even collectionid 4 is the same! Thought it was such a weird fluke that I decided to close it, but I was also able to replicate across 2 users.

1 Like

I wonder if it is these lines that are causing it. @dfernandez, in your situation, does the user only have access to one other collection?

Hello @markp !

Yes! We have 4-5 Collections and the user is only allowed to exactly 1 Collection. We don’t use divisions at all. But its same behavior you described in the github issue.

Blockquote
I wonder if it is these lines that are causing it.

available_collections[0].id

Maybe system should check the first avaiable collection for the given user? Im really not a programmer but my first avaiable collection IS 4 just not for the given user :slight_smile:

Thank you for this, this provides evidence that it is not related to Cannot set batch of agents for collection access · Issue #2405 · specify/specify7 · GitHub. Based on the only agents we had encountered the error with being in the one isolated division, I thought this was related, but it appears not to be.

I guess this brings about two questions:

  1. What is it about the users that it is occurring with that are different than others? We have had other users that only have access to one collection be able to login through SSO just fine, so I don’t think it is the indexing ([0]) or the condition being the issue then.
  2. I’ll have to ask our two users who have experienced the error, but presumably if I were to revoke their read-only access to collectionid 4, they would be able to login? Maybe I’ll work with them today to see about that

I would also ask: Why its working the first time sending an invititation link perfectly but not a second time when user does actually a login with sso. And why it is working perfectly when same userrecord is logged in with a local password. Specify has all needed information but it looks like in “SSO Login” case is not “initialised” right.

Maybe some parameter missing in callbackurl or something? Just a idea.

Another idea: When i log in “localy”, there is a screen where i need to select the collection. This specific screen is not showing up when i do SSO login. On this screen i need to select my collection “accounts/choose_collection/?next=”

This is the notable difference in the 2 ways of login.

So I worked with one of the two users this morning, once given, the read-only access to collectionid 4 can then be revoked, and they are able to login fine through SSO. So as a workaround if this user really needed to get setup, and if its possible in the constraints of your access model, the read-only access could be given and then immediately revoked as soon as they switch back to their normal collection via the collection picking in the nav. They just need to be able to complete that route once. As I just did it this morning, time will tell if any session or cookie expiring messes things up, but I think it should be fine for them from here on out.

Your idea about the parameter seems plausible, I’ll look at the code some more today and see if I can spot anything. After working with the user above, it further supports that this bug will only present itself the second time a user logs in (with the first being the login immediately after setup). After the second time, they will end up going to the one collection they have access to just fine, which is what enables the permission to collectionid 4 to be revoked.