Migrate local users to oauth/oidc

vqui · December 21, 2022, 12:35am

Hi,

I am trying to migrate users from local auth database to keycloak using oauth/oidc.

My config looks like this:

ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = True
OAUTH_PROVIDER_DOMAIN = 'seatable.example.com'
OAUTH_CLIENT_ID = "super-duper-not-secret"
OAUTH_CLIENT_SECRET = "super-duper-secret"
OAUTH_REDIRECT_URL = 'https://seatable.example.com/oauth/callback/'
OAUTH_AUTHORIZATION_URL = 'https://keycloak.example.com/realms/master/protocol/openid-connect/auth'
OAUTH_TOKEN_URL         = 'https://keycloak.example.com/realms/master/protocol/openid-connect/token'
OAUTH_USER_INFO_URL     = 'https://keycloak.example.com/realms/master/protocol/openid-connect/userinfo'
OAUTH_SCOPE = ["profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "preferred_username": "uid",
    "name": "name",
    "email": "contact_email",
}

There are two issues I am facing.

OAUTH_ENABLE_INSECURE_TRANSPORT has to be set to True. When using False I receive the following log message:

[ERROR] seahub.oauth.views:145 oauth_callback (insecure_transport) OAuth 2 MUST utilize https.

That doesn’t make any sense to me since everything is https and using valid certs.

I have to fill uid with something valid. If left out, I receive the following log message:

2022-12-20 23:57:40,645 [ERROR] django.request:230 log_response Internal Server Error: /oauth/callback/
Traceback (most recent call last):
  File "/opt/seatable/seatable-server-latest/dtable-web/thirdpart/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/opt/seatable/seatable-server-latest/dtable-web/thirdpart/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/seatable/seatable-server-latest/dtable-web/seahub/oauth/views.py", line 82, in _decorated
    return func(request)
  File "/opt/seatable/seatable-server-latest/dtable-web/seahub/oauth/views.py", line 158, in oauth_callback
    uid = oauth_user_info['uid']
KeyError: 'uid'

If I put something in it that might make sense like preferred_username I get the following error:

django.db.utils.IntegrityError: (1062, "Duplicate entry 'myemail@example.com' for key 'profile_profile_contact_email_0975e4bf_uniq'")

That make sense since the email is already taken.

Questions:
a: What can I map to uid to avoid creating a new user with a duplicate email address?
b: Can I create a new user and migrate (merge) the old one?

I am using the enterprise version 3.3.7.

vqui · December 22, 2022, 12:13pm

Fixed it myself.

To whom it may concern:

When looking through the database I noticed the table dtable_db.social_auth_usersocialauth with data from the oidc login.
I removed the duplicate user from the frontend and the data disappeared. I created it manually then with the actual data of my user. I can login using oidc SSO now. All I have to do is create a row for all my users.

insert into social_auth_usersocialauth (username, provider, uid, extra_data) VALUES ("uuid-from-user-in-seatable@auth.local", "domain-of-oidc-endpoint", "oidc-username", "");

Maybe you can still improve the mapping of the user for future user who don’t dare to access the db.

system · December 24, 2022, 12:14pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

cdb · April 29, 2023, 9:08am

Just for reference: there is a new section in the admin manual for “authentication in SeaTable”:
https://manual.seatable.io/authentication/auth_overview/