OpenID Connect (OIDC) SSO fails with "Error when fetching data from userinfo endpoint"
Platform notice: Data Center only - This article applies only to Atlassian products on the Data Center platform.
This KB was created for the Data Center version of the product. Data Center KBs for features that are not Data Center-specific may also work on Server versions of the product, but they have not been tested. Support for Server* products ended on February 15, 2024. If you are running a Server product, see Atlassian's Server end-of-support announcement page to review your migration options.
*Except Fisheye and Crucible
Summary
When logging in to the application, an error like the one below appears after the redirect back from the identity provider. It is shown to the user and written to the logs.
2021-11-19 15:56:34,780 http-nio-8080-exec-1 ERROR acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] Error when fetching data from userinfo endpoint. Error: {}
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Error when fetching data from userinfo endpoint. Error: {}
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.toException(OidcConsumerServlet.java:270)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUserInfoResponse(OidcConsumerServlet.java:261)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromUserInfoEndpoint(OidcConsumerServlet.java:237)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromCustomClaim(OidcConsumerServlet.java:226
Diagnosis
To troubleshoot this:
- Enable DEBUG logging for the package com.atlassian.plugins.authentication
- Reproduce the problem.
The logs should now contain additional messages:
2021-11-19 15:56:34,740 http-nio-8080-exec-1 DEBUG acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.oidc.OidcConsumerServlet] Looking for a username in ID token by checking custom claim [myclaim]
2021-11-19 15:56:34,740 http-nio-8080-exec-1 DEBUG acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.oidc.OidcConsumerServlet] Custom claim with a username in ID token not found. Request to the userinfo endpoint will be sent.
2021-11-19 15:56:34,780 http-nio-8080-exec-1 ERROR acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] Error when fetching data from userinfo endpoint. Error: {}
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Error when fetching data from userinfo endpoint. Error: {}
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.toException(OidcConsumerServlet.java:270)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUserInfoResponse(OidcConsumerServlet.java:261)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromUserInfoEndpoint(OidcConsumerServlet.java:237)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromCustomClaim(OidcConsumerServlet.java:226
Cause
The messages show that Jira is looking for a claim named myclaim (in this example) but couldn't find a user with the data from that claim. A claim is basically a field in the authentication response.
Solution
Configure the username mapping field in the SSO configuration to use the claim that matches the username in Jira. If in doubt, engage the identity provider team.
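To see which claims are available for the username mapping, the following added example (not Atlassian code) extracts the claim name from the DEBUG message above and checks whether an ID token contains it. It assumes you have an ID token issued for a test user; the log line and token below are constructed samples, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json
import re

# Matches the DEBUG message shown above; the claim name is inside [...]
CLAIM_RE = re.compile(r"checking custom claim \[([^\]]+)\]")

def claim_from_log(log_text):
    """Return the custom claim name the plugin looked for, or None."""
    m = CLAIM_RE.search(log_text)
    return m.group(1) if m else None

def decode_id_token_payload(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claim(log_text, id_token):
    """Report whether the claim named in the log exists in the ID token."""
    claim = claim_from_log(log_text)
    claims = decode_id_token_payload(id_token)
    return {
        "configured_claim": claim,
        "present": claim in claims,
        "value": claims.get(claim),
        "available_claims": sorted(claims),
    }

def _b64url(obj):
    """Helper used only to build the constructed sample token below."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data: a debug line in the format above and a dummy token.
SAMPLE_LOG = ("... [c.a.p.a.i.web.oidc.OidcConsumerServlet] Looking for a username "
              "in ID token by checking custom claim [myclaim]")
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "248289761001", "preferred_username": "jdoe", "email": "jdoe@example.com"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(json.dumps(check_claim(SAMPLE_LOG, SAMPLE_TOKEN), indent=2))
```

ID tokens contain personal data and remain usable until they expire, so run this only on an admin workstation and do not paste real tokens into online decoders.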