
Cannot delete OpenID Connect users

Open DrakezulsMinimalism opened this issue 1 year ago • 1 comments

Current Behavior

  1. When browsing "OpenID Connect Users" in the admin interface, deleting a user is not possible, as a 500 status code is returned.
  2. Backend logs report a NPE:

java.lang.NullPointerException: Cannot invoke "alpine.model.OidcUser.getUsername()" because "jsonUser" is null at org.dependencytrack.resources.v1.UserResource.deleteOidcUser(UserResource.java:580)

Steps to Reproduce

  1. Deployment via docker with
    • OpenIDC Teams Claim = groups, OIDC User Provisioning = true and OIDC Team Synchronization = true
    • Azure Tenant
  2. See current behavior for steps until error is encountered.

Tested with 4.9.1 and 4.10.1. Also, while upgrading from an older version to a new one (not sure if it was 4.9.x -> 4.10.1 or 4.8.x -> 4.9.x), a non-admin SQL account was used without the ability to manipulate the database schema; therefore the deployment had to be temporarily restarted with an admin account.

Expected Behavior

Deleting and removing any user, permission or team without issues.

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Container Image

Database Server

Microsoft SQL Server

Database Server Version

12.0

Browser

Microsoft Edge


DrakezulsMinimalism avatar May 03 '24 12:05 DrakezulsMinimalism

I believe it's closely related, so I'm not opening multiple issues: I also cannot remove permissions (see screenshot above) of OpenIDC users, AND I cannot delete (normal/Dependency-Track) teams.

DrakezulsMinimalism avatar May 03 '24 12:05 DrakezulsMinimalism

Dear future readers, after replaying the SQL upgrade logic WITHOUT solving it, I ended up looking at the APIs some more and found that the "DELETE" requests I've triggered are using HTTP bodies. This reminded me that I had a similar problem with a completely different application in the past, related to a Web Application Firewall (WAF) deployed in front of the service. It's silently dropping the body and thus, requests arriving at the backend are missing the UUID or username used by the API for DELETE processing.

DrakezulsMinimalism avatar May 10 '24 12:05 DrakezulsMinimalism
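A small stand-alone check, added here and not part of Dependency-Track or this thread, that reproduces the failure mode described above locally: a stub DELETE endpoint expecting a JSON user object is hit once with its body and once without (the body-less call simulates what the backend receives when a WAF drops the body), and the stub answers with an explicit 400 naming the missing field instead of dereferencing a missing object and surfacing a 500. The endpoint path and the sample username are assumptions, not values from the project.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

class DeleteUserHandler(BaseHTTPRequestHandler):
    """Stand-in for a DELETE endpoint that expects a JSON user object in the body."""
    def do_DELETE(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length) if length else b""
        try:
            user = json.loads(raw) if raw else None
        except json.JSONDecodeError:
            user = None
        if not isinstance(user, dict) or not user.get("username"):
            # Reject explicitly instead of dereferencing a missing object (the NPE/500 path).
            self._reply(400, {"error": "DELETE body missing or has no 'username'; a proxy/WAF in front may be stripping request bodies"})
            return
        self._reply(204, None)

    def _reply(self, status, payload):
        body = json.dumps(payload).encode() if payload is not None else b""
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def send_delete(url, body):
    # Sends DELETE with an optional JSON body; returns (status code, response text).
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method="DELETE")
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def run_check():
    # Starts the stub on a random local port, sends the DELETE with and without its body
    # (the second call imitates a WAF that dropped the body) and returns both outcomes.
    server = HTTPServer(("127.0.0.1", 0), DeleteUserHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/v1/user/oidc"  # assumed path
    with_body = send_delete(url, {"username": "alice@example.com"})  # constructed sample
    stripped = send_delete(url, None)
    server.shutdown()
    return with_body[0], stripped[0], stripped[1]

if __name__ == "__main__":
    print(run_check())  # (204, 400, '{"error": "DELETE body missing or has no \'username\'; ..."}')
```

Against a real deployment, the same comparison (DELETE with body sent directly to the backend versus through the WAF) tells you whether the intermediary is the one discarding the body.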

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Jun 15 '24 10:06 github-actions[bot]