Problems with Login over EntraID regarding rights

Specify version: 7.9.6.2

Some further updates on this:

  1. The error is propagating. Currently, I cannot determine a pattern of what is causing certain users to experience the collectionid 4 error while others do not, but we are up to 7.

I mention the below because the affected user was one of those 7; however, at this time it is uncertain if they are connected. There may be three factors in play (all linked by some common cause?): issue #5323, issue #5326, and the new information below, not yet a GitHub issue.

  1. For the first time today, a user experienced an unlinking of their specifyuser_id from the spuserexternalid. On the login screen, they received the unknownOicUser message. Their name and details from the {providerName:string} were loaded correctly. The time since they last logged in was one week. This timing could be important because the remedial actions taken for "SSO Authentication Issue with Duplicate User Entries in spuserexternalid Table - #3 by markp" were performed 7 days ago, but on a different user, so cause and effect there is murky. As other users are able to sign in, it seems unlikely that that is the cause at this time.

To complete a login, the user needed to use local authentication (user/pass), which is a problem, because after transitioning to SSO (in our case, but probably in the case of others) the users will no longer know their passwords; they will have been set to some strong random value. This means that any further users who experience this won't be able to log in until I can reset their password for them.

My first step was to look in the database to see if there were any issues with the specifyuser_id field in the spuserexternalid table. There is a record for this user like any other, and it points to the correct specifyuser_id. However, after today there are now two records for this user in the spuserexternalid table, which will presumably trigger #5362 on their next login.

I have set up a development environment for Specify with a freshly created dummy database, built from the source code (currently using the 7.9.6.2 tag). I am going to see if I can replicate any of this in a consistent way through a test Keycloak instance. I believe that the only file that needs to be looked at is specify7/specifyweb/accounts/views.py at production · specify/specify7 · GitHub, and I will start there.
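The database check described in the post above, written out as a set of read-only diagnostic queries. This is an added example and is not part of the original post or of the Specify project's own tooling. It assumes the Django-generated foreign key column `specifyuser_id` on `spuserexternalid` (the name the post itself uses), that the external identity is stored in columns named `provider` and `providerid` (assumed names; confirm them with `DESCRIBE spuserexternalid;` before running), and that `specifyuser.SpecifyUserID` and `specifyuser.Name` are the user table's primary key and login name. The login name in the last query is a placeholder.

```sql
-- Read-only diagnostics for the spuserexternalid <-> specifyuser link.
-- Assumed column names: provider, providerid. Verify first with:
--   DESCRIBE spuserexternalid;

-- 1. One external identity (provider + providerid) mapped more than once.
--    This is the duplicate-row condition the post expects to hit on the
--    user's next login; the GROUP_CONCAT shows whether the copies point
--    at the same Specify user or at different ones.
SELECT provider,
       providerid,
       COUNT(*)                     AS rows_for_identity,
       GROUP_CONCAT(specifyuser_id) AS specifyuser_ids
FROM spuserexternalid
GROUP BY provider, providerid
HAVING COUNT(*) > 1;

-- 2. One Specify user holding several rows for the same provider
--    (the "two records for this user" case). If the providerid values
--    differ, the identity provider presented a different identifier than
--    the one already stored; if they are identical, the login simply
--    inserted a duplicate row.
SELECT e.specifyuser_id,
       u.Name,
       e.provider,
       COUNT(*)                  AS rows_for_user,
       GROUP_CONCAT(e.providerid) AS providerids
FROM spuserexternalid e
JOIN specifyuser u ON u.SpecifyUserID = e.specifyuser_id
GROUP BY e.specifyuser_id, u.Name, e.provider
HAVING COUNT(*) > 1;

-- 3. Rows whose specifyuser_id no longer resolves to a user: a genuine
--    unlink at the database level, as opposed to a lookup failure in code.
SELECT e.*
FROM spuserexternalid e
LEFT JOIN specifyuser u ON u.SpecifyUserID = e.specifyuser_id
WHERE u.SpecifyUserID IS NULL;

-- 4. Everything currently mapped to one account, to record before and
--    after the affected user attempts an SSO login.
SELECT u.SpecifyUserID, u.Name, e.*
FROM specifyuser u
LEFT JOIN spuserexternalid e ON e.specifyuser_id = u.SpecifyUserID
WHERE u.Name = 'affected.user';   -- placeholder login name
```

Run query 4 for the affected account immediately before and after the next SSO attempt and keep both result sets; the difference between them is what a reproduction against a test Keycloak instance needs to match. Queries 1 to 3 are cheap enough to run against the whole table after each new report, which turns "we are up to 7" into a concrete list of which accounts are in which state.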