jhipster / generator-jhipster-micronaut

Micronaut blueprint for JHipster

Navigating to entities in production results in Access Denied page

mraible opened this issue · comments

Overview of the issue

When an app is deployed to production on Heroku, you're unable to navigate to entity screens.

Reproduce the error

Create an app with entities, deploy it to Heroku, and try to navigate to the entity screens. You'll get an access denied error.

Can you reproduce it without Heroku, just running the normal prod profile?

I will have a look. Most likely tomorrow.

I looked at my Okta org and the “groups” claim appears to be correct. I think the problem is that the user is not in the ROLE_USER group. I think that’s necessary; they can’t just be in the ROLE_ADMIN group. I tried to confirm this, but when I try to log in to https://micronaut-space.herokuapp.com/, I get the following error:

{"message":"Internal Server Error: Unable to sync user with idp."}

The logs on Heroku have the following stack trace:


2020-08-09T18:00:53.240185+00:00 heroku[router]: at=info method=GET path="/oauth2/authorization/oidc" host=micronaut-space.herokuapp.com request_id=8b1fe2d2-bfdf-4b67-8175-dc89b93b938b fwd="174.29.199.28" dyno=web.1 connect=1ms service=8ms status=302 bytes=733 protocol=https
2020-08-09T18:00:54.386595+00:00 heroku[router]: at=info method=GET path="/oauth2/callback/oidc?code=R2FthVC6QrZbbgDiBarS&state=eyJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vbWljcm9uYXV0LXNwYWNlLmhlcm9rdWFwcC5jb20vb2F1dGgyL2NhbGxiYWNrL29pZGMiLCJub25jZSI6ImVkNjg2NmI0LWViZTctNDYyOC05NGRmLWUwMmVjMWEzZGIyZCJ9" host=micronaut-space.herokuapp.com request_id=a338c9b7-8789-4905-98c4-18485f681722 fwd="174.29.199.28" dyno=web.1 connect=0ms service=706ms status=500 bytes=175 protocol=https
2020-08-09T18:00:54.347400+00:00 app[web.1]: 18:00:54.347 [nioEventLoopGroup-1-14] ERROR o.j.s.s.JHipsterOpenIdUserDetailsMapper - JWT Parse exception processing access token: eyJraWQiOiJQaXo1TjBiQVVuYk9SbTZ0UTFTaGhZUldUT0JUNVRGWjRweGV5X3dxMkNRIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlI0anlVRlA3aFpJb1FrbWl2cXdFQWh0QnFZNXJSRGdjNjZnelRHQ2xKajAiLCJpc3MiOiJodHRwczovL2Rldi05MjQ1NjMub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTk2OTk2MDU0LCJleHAiOjE1OTY5OTk2NTQsImNpZCI6IjBvYXAyMmdyZlpPM1ZkOHY3NHg2IiwidWlkIjoiMDB1cDIwd3d2bUpIeVZnT2g0eDYiLCJzY3AiOlsib3BlbmlkIiwicHJvZmlsZSIsImVtYWlsIl0sInN1YiI6ImQxNzYyMWQ0LTMyODctNDhkMi04NjRhLTg3ZDdmZjYxM2ZiOUBoZXJva3Uub2t0YS5jb20ifQ.Zx97Sj0wJ9Nb1b_Cp2-ovYGptOA6sw4qPEYgbTh9WIGPPEZX4AuWESyzau2HCB0BNqVijz0Ym0U5HFH9L34fg1KJ3LWSQBsbar64OWKdkvAi9UwokShOfiINTUE6RrpO5Hn1sV7suA9g1kG61SkI9UEqYgmkNEx8T4qFrKoT0zuvaT2ytojxKSosenpXe-67pyg5YTLZgF03g1ebcR9RQXz3vIY1kvd16UyO_x1_BfI8OuINRp9xsa9rVHzYSoQl7SA7VDAb7JyQz2PDZy-EiJj7rPlPYqAgeN_MM0EL-W-sfayFsdFTcSMIIkPxt1ZaMmh57HdssISK5bsXlfQ8QQ
2020-08-09T18:00:54.362574+00:00 app[web.1]: 18:00:54.362 [nioEventLoopGroup-1-14] WARN  o.h.h.i.ast.QueryTranslatorImpl - HHH000104: firstResult/maxResults specified with collection fetch; applying in memory!
2020-08-09T18:00:54.377510+00:00 app[web.1]: 18:00:54.376 [nioEventLoopGroup-1-14] ERROR i.m.h.s.netty.RoutingInBoundHandler - Unexpected error occurred: Unable to sync user with idp.
2020-08-09T18:00:54.377512+00:00 app[web.1]: java.lang.RuntimeException: Unable to sync user with idp.
2020-08-09T18:00:54.377513+00:00 app[web.1]: 	at org.jhipster.space.security.JHipsterOpenIdUserDetailsMapper.syncWithIdp(JHipsterOpenIdUserDetailsMapper.java:71)
2020-08-09T18:00:54.377514+00:00 app[web.1]: 	at org.jhipster.space.security.JHipsterOpenIdUserDetailsMapper.getRoles(JHipsterOpenIdUserDetailsMapper.java:100)
2020-08-09T18:00:54.377515+00:00 app[web.1]: 	at io.micronaut.security.oauth2.endpoint.token.response.DefaultOpenIdUserDetailsMapper.createUserDetails(DefaultOpenIdUserDetailsMapper.java:80)
2020-08-09T18:00:54.377515+00:00 app[web.1]: 	at io.micronaut.security.oauth2.endpoint.token.response.DefaultOpenIdUserDetailsMapper.createAuthenticationResponse(DefaultOpenIdUserDetailsMapper.java:88)
2020-08-09T18:00:54.377516+00:00 app[web.1]: 	at io.micronaut.security.oauth2.endpoint.authorization.response.DefaultOpenIdAuthorizationResponseHandler.lambda$null$0(DefaultOpenIdAuthorizationResponseHandler.java:128)
2020-08-09T18:00:54.377517+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableCreate.subscribeActual(FlowableCreate.java:71)
2020-08-09T18:00:54.377518+00:00 app[web.1]: 	at io.reactivex.Flowable.subscribe(Flowable.java:14935)
2020-08-09T18:00:54.377518+00:00 app[web.1]: 	at io.reactivex.Flowable.subscribe(Flowable.java:14882)
2020-08-09T18:00:54.377518+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedFlowable.subscribeActual(RxInstrumentedFlowable.java:57)
2020-08-09T18:00:54.377519+00:00 app[web.1]: 	at io.reactivex.Flowable.subscribe(Flowable.java:14935)
2020-08-09T18:00:54.377519+00:00 app[web.1]: 	at io.reactivex.Flowable.subscribe(Flowable.java:14882)
2020-08-09T18:00:54.377520+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableSwitchMap$SwitchMapSubscriber.onNext(FlowableSwitchMap.java:129)
2020-08-09T18:00:54.377520+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedSubscriber.onNext(RxInstrumentedSubscriber.java:59)
2020-08-09T18:00:54.377521+00:00 app[web.1]: 	at io.micronaut.core.async.publisher.Publishers$1.doOnNext(Publishers.java:207)
2020-08-09T18:00:54.377521+00:00 app[web.1]: 	at io.micronaut.core.async.subscriber.CompletionAwareSubscriber.onNext(CompletionAwareSubscriber.java:52)
2020-08-09T18:00:54.377522+00:00 app[web.1]: 	at io.reactivex.internal.util.HalfSerializer.onNext(HalfSerializer.java:45)
2020-08-09T18:00:54.377523+00:00 app[web.1]: 	at io.reactivex.internal.subscribers.StrictSubscriber.onNext(StrictSubscriber.java:97)
2020-08-09T18:00:54.377523+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedSubscriber.onNext(RxInstrumentedSubscriber.java:59)
2020-08-09T18:00:54.377523+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableSwitchMap$SwitchMapSubscriber.drain(FlowableSwitchMap.java:306)
2020-08-09T18:00:54.377524+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableSwitchMap$SwitchMapInnerSubscriber.onNext(FlowableSwitchMap.java:390)
2020-08-09T18:00:54.377524+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedSubscriber.onNext(RxInstrumentedSubscriber.java:59)
2020-08-09T18:00:54.377525+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableOnErrorNext$OnErrorNextSubscriber.onNext(FlowableOnErrorNext.java:80)
2020-08-09T18:00:54.377525+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedSubscriber.onNext(RxInstrumentedSubscriber.java:59)
2020-08-09T18:00:54.377526+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableTimeoutTimed$TimeoutSubscriber.onNext(FlowableTimeoutTimed.java:101)
2020-08-09T18:00:54.377526+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedSubscriber.onNext(RxInstrumentedSubscriber.java:59)
2020-08-09T18:00:54.377526+00:00 app[web.1]: 	at io.micronaut.configuration.metrics.binder.web.WebMetricsPublisher$1.onNext(WebMetricsPublisher.java:170)
2020-08-09T18:00:54.377527+00:00 app[web.1]: 	at io.micronaut.configuration.metrics.binder.web.WebMetricsPublisher$1.onNext(WebMetricsPublisher.java:153)
2020-08-09T18:00:54.377527+00:00 app[web.1]: 	at io.micronaut.http.client.filters.ClientServerRequestTracingPublisher$1.lambda$onNext$1(ClientServerRequestTracingPublisher.java:59)
2020-08-09T18:00:54.377527+00:00 app[web.1]: 	at io.micronaut.http.context.ServerRequestContext.with(ServerRequestContext.java:68)
2020-08-09T18:00:54.377528+00:00 app[web.1]: 	at io.micronaut.http.client.filters.ClientServerRequestTracingPublisher$1.onNext(ClientServerRequestTracingPublisher.java:59)
2020-08-09T18:00:54.377528+00:00 app[web.1]: 	at io.micronaut.http.client.filters.ClientServerRequestTracingPublisher$1.onNext(ClientServerRequestTracingPublisher.java:51)
2020-08-09T18:00:54.377529+00:00 app[web.1]: 	at io.reactivex.internal.util.HalfSerializer.onNext(HalfSerializer.java:45)
2020-08-09T18:00:54.377529+00:00 app[web.1]: 	at io.reactivex.internal.subscribers.StrictSubscriber.onNext(StrictSubscriber.java:97)
2020-08-09T18:00:54.377529+00:00 app[web.1]: 	at io.micronaut.reactive.rxjava2.RxInstrumentedSubscriber.onNext(RxInstrumentedSubscriber.java:59)
2020-08-09T18:00:54.377530+00:00 app[web.1]: 	at io.reactivex.internal.operators.flowable.FlowableCreate$NoOverflowBaseAsyncEmitter.onNext(FlowableCreate.java:403)
2020-08-09T18:00:54.377530+00:00 app[web.1]: 	at io.micronaut.http.client.netty.DefaultHttpClient$11.channelRead0(DefaultHttpClient.java:2022)
2020-08-09T18:00:54.377531+00:00 app[web.1]: 	at io.micronaut.http.client.netty.DefaultHttpClient$11.channelRead0(DefaultHttpClient.java:1960)
2020-08-09T18:00:54.377537+00:00 app[web.1]: 	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
2020-08-09T18:00:54.377538+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377538+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377538+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377539+00:00 app[web.1]: 	at io.micronaut.http.netty.stream.HttpStreamsHandler.channelRead(HttpStreamsHandler.java:191)
2020-08-09T18:00:54.377539+00:00 app[web.1]: 	at io.micronaut.http.netty.stream.HttpStreamsClientHandler.channelRead(HttpStreamsClientHandler.java:189)
2020-08-09T18:00:54.377540+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377540+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377540+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377541+00:00 app[web.1]: 	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
2020-08-09T18:00:54.377541+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377542+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377542+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377542+00:00 app[web.1]: 	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
2020-08-09T18:00:54.377543+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377543+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377543+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377544+00:00 app[web.1]: 	at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
2020-08-09T18:00:54.377544+00:00 app[web.1]: 	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324)
2020-08-09T18:00:54.377545+00:00 app[web.1]: 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
2020-08-09T18:00:54.377545+00:00 app[web.1]: 	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
2020-08-09T18:00:54.377545+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377546+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377546+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377547+00:00 app[web.1]: 	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
2020-08-09T18:00:54.377547+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377548+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377548+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377549+00:00 app[web.1]: 	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1518)
2020-08-09T18:00:54.377549+00:00 app[web.1]: 	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
2020-08-09T18:00:54.377550+00:00 app[web.1]: 	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
2020-08-09T18:00:54.377550+00:00 app[web.1]: 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
2020-08-09T18:00:54.377550+00:00 app[web.1]: 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
2020-08-09T18:00:54.377551+00:00 app[web.1]: 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
2020-08-09T18:00:54.377551+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377552+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377552+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
2020-08-09T18:00:54.377552+00:00 app[web.1]: 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
2020-08-09T18:00:54.377553+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
2020-08-09T18:00:54.377558+00:00 app[web.1]: 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
2020-08-09T18:00:54.377559+00:00 app[web.1]: 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
2020-08-09T18:00:54.377559+00:00 app[web.1]: 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
2020-08-09T18:00:54.377560+00:00 app[web.1]: 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
2020-08-09T18:00:54.377560+00:00 app[web.1]: 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
2020-08-09T18:00:54.377560+00:00 app[web.1]: 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
2020-08-09T18:00:54.377561+00:00 app[web.1]: 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
2020-08-09T18:00:54.377561+00:00 app[web.1]: 	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
2020-08-09T18:00:54.377562+00:00 app[web.1]: 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
2020-08-09T18:00:54.377562+00:00 app[web.1]: 	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
2020-08-09T18:00:54.377563+00:00 app[web.1]: 	at java.base/java.lang.Thread.run(Thread.java:834)
2020-08-09T18:00:54.377563+00:00 app[web.1]: Caused by: javax.validation.ConstraintViolationException: save.entity.login: size must be between 1 and 50
2020-08-09T18:00:54.377564+00:00 app[web.1]: 	at io.micronaut.validation.ValidatingInterceptor.intercept(ValidatingInterceptor.java:126)
2020-08-09T18:00:54.377564+00:00 app[web.1]: 	at io.micronaut.aop.chain.MethodInterceptorChain.proceed(MethodInterceptorChain.java:69)
2020-08-09T18:00:54.377565+00:00 app[web.1]: 	at org.jhipster.space.repository.UserRepository$Intercepted.save(Unknown Source)
2020-08-09T18:00:54.377565+00:00 app[web.1]: 	at org.jhipster.space.service.UserService.syncUserWithIdP(UserService.java:72)
2020-08-09T18:00:54.377565+00:00 app[web.1]: 	at org.jhipster.space.service.$UserServiceDefinition$Intercepted.$$access0(Unknown Source)
2020-08-09T18:00:54.377566+00:00 app[web.1]: 	at org.jhipster.space.service.$UserServiceDefinition$Intercepted$$proxy0.invokeInternal(Unknown Source)
2020-08-09T18:00:54.377566+00:00 app[web.1]: 	at io.micronaut.context.AbstractExecutableMethod.invoke(AbstractExecutableMethod.java:146)
2020-08-09T18:00:54.377567+00:00 app[web.1]: 	at io.micronaut.aop.chain.MethodInterceptorChain.proceed(MethodInterceptorChain.java:60)
2020-08-09T18:00:54.377567+00:00 app[web.1]: 	at io.micronaut.transaction.interceptor.TransactionalInterceptor.intercept(TransactionalInterceptor.java:108)
2020-08-09T18:00:54.377567+00:00 app[web.1]: 	at io.micronaut.aop.chain.MethodInterceptorChain.proceed(MethodInterceptorChain.java:69)
2020-08-09T18:00:54.377568+00:00 app[web.1]: 	at org.jhipster.space.service.$UserServiceDefinition$Intercepted.syncUserWithIdP(Unknown Source)
2020-08-09T18:00:54.377568+00:00 app[web.1]: 	at org.jhipster.space.security.JHipsterOpenIdUserDetailsMapper.syncWithIdp(JHipsterOpenIdUserDetailsMapper.java:69)
2020-08-09T18:00:54.377569+00:00 app[web.1]: 	... 86 common frames omitted

@mraible Thanks for the hint. Adding the user to both ROLE_ADMIN and ROLE_USER did the trick.
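
A triage sketch for the two failure modes seen in this thread (a `groups` claim without ROLE_USER, and a login outside the 1 to 50 character limit named in the stack trace), added here as an example and not code from the project or the commenters. The sample tokens are constructed, and taking the login from `preferred_username` and then `sub` is an assumption about the mapping.

```python
import base64
import json

LOGIN_MIN, LOGIN_MAX = 1, 50   # from the ConstraintViolationException in the log
REQUIRED_ROLE = "ROLE_USER"    # role the thread found necessary for entity screens


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Triage only: never make an authorization decision from this output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def triage(claims: dict, login_claims=("preferred_username", "sub")) -> list:
    """List the reasons this token would fail user sync or role mapping."""
    findings = []
    groups = claims.get("groups")
    if groups is None:
        findings.append("no 'groups' claim in this token")
    elif REQUIRED_ROLE not in groups:
        findings.append(f"'groups' lacks {REQUIRED_ROLE}: {sorted(groups)}")
    # Assumption: the login is taken from the first of these claims present.
    login = next((claims[c] for c in login_claims if claims.get(c)), "")
    if not LOGIN_MIN <= len(login) <= LOGIN_MAX:
        findings.append(f"login length {len(login)} outside {LOGIN_MIN}..{LOGIN_MAX}")
    return findings


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Constructed samples, not taken from the thread.
ADMIN_ONLY = make_token({"sub": "admin@example.com", "groups": ["ROLE_ADMIN"]})
LONG_SUB = make_token({"sub": "x" * 36 + "@tenant.example.com",
                       "groups": ["ROLE_ADMIN", "ROLE_USER"]})
BOTH_ROLES = make_token({"sub": "admin@example.com", "groups": ["ROLE_ADMIN", "ROLE_USER"]})

if __name__ == "__main__":
    for name, tok in [("admin-only", ADMIN_ONLY), ("long-sub", LONG_SUB), ("both", BOTH_ROLES)]:
        print(name, triage(jwt_claims(tok)) or "ok")
```

Run it against both the ID token and the access token from a failing login, since the two can carry different claims.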