From: Krzysztof B. <kb...@un...> - 2022-10-17 09:16:34
On 17.10.2022 at 07:57, Sander Apweiler wrote:
> Exporting it to the config file would not work in our setup, due to the
> usage of config management software. But maybe it would work to just
> enter the path to the schema JSON files, like it is implemented for the
> translation profiles:
>
> unityServer.core.translationProfiles.input_edugain=${CONF}/modules/saml/tr-input-eduGAIN.json

Sounds good, will be added in one of subsequent patch releases of 3.11

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-10-17 09:15:29
On 17.10.2022 at 10:28, Sander Apweiler wrote:
> Hi Krzysztof,
> going on with our tests, we have a problem with our OIDC service. May
> the token parsing problem also cause this error:
>
> 2022-10-17T08:24:06,004 [qtp35962870-8752] DEBUG
> unity.server.oauth.BaseOAuthResource: Retuning OAuth error response:
> invalid_request: Invalid request; wrong refresh token

It seems very likely - but to confirm, is there any stack trace in logs near this log entry?

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-17 08:28:18
Hi Krzysztof,
going on with our tests, we have a problem with our OIDC service. May the token parsing problem also cause this error:

2022-10-17T08:24:06,004 [qtp35962870-8752] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_request: Invalid request; wrong refresh token

Best regards,
Sander

On Fri, 2022-10-14 at 12:05 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 14.10.2022 at 10:38, Sander Apweiler wrote:
> > Hi Krzysztof,
> > we already started right now to test unity 3.11 but failed directly at
> > the first user login. I got an error message about serious problems,
> > see screenshot. In the log I saw that unity has some problems with
> > parsing tokens in the UI. I wanted to delete them via console endpoint
> > but there I got the error "Can not parse token's JSON". See second
> > screenshot. Did I miss some migration steps?
>
> Unfortunately we missed, and not in 3.11 but in 3.10.
>
> 3.11.1 will be released shortly, we are working on a fix.
>
> Sorry for the problem,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the District Court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Vice-Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior

From: Sander A. <sa....@fz...> - 2022-10-17 05:57:47
Hi Krzysztof,

On Fri, 2022-10-14 at 12:28 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 14.10.2022 at 09:47, Sander Apweiler wrote:
> > Hi Krzysztof,
> > by setting up the scim api in unity 3.9.0 I found a problem. Our
> > configuration is normally loaded from config files. I know this is not
> > possible for the scim schema so I set up it in the console endpoint.
> > For some reason one attribute was not released and I increased the log.
> > Due to the bug where unity stopped logging after changing the loglevel I
> > restarted unity. But sadly all configured schema are gone. Is this
> > intended? If not, may this happen on latest version as well? We are
> > going to start our tests on 3.11 next week.
>
> The situation is slightly different. If you have enabled endpoints
> reloading from config files, then all your reconfigurations of endpoints
> done at runtime in console (so in IdPs and Services) will be lost after
> restart. You need to put all your configuration in files.

OK.

> In case of SCIM schema it holds as well. The only problem here is that
> JSON configuration of schema mappings is very complex. Instead of
> documenting it we provided an option to export it from the console
> (upload button next to each schema). So you can edit it in console,
> save, and then export to a file (JSON). Contents of this file can be
> pasted to configuration of endpoint.

OK. Yeah I know schemas could be exported but this was implemented in the 3.9.1 release to which we did not update yet.

> We should improve this workflow, however were waiting for your feedback.
> The easiest thing for us would be to allow for reading the JSON from
> file set in endpoint configuration. Then the workflow would be the same
> as today, but instead of pasting JSON to your endpoint config file
> (needs escaping, hard), it would sit on a disk. We can also consider
> direct export to the configured file, if schema was originally loaded
> from a config file. WDYT?

We are testing the 3.11(.1) release and after exporting the schema JSON we are going to test the upload via config file. Exporting it to the config file would not work in our setup, due to the usage of config management software. But maybe it would work to just enter the path to the schema JSON files, like it is implemented for the translation profiles:

unityServer.core.translationProfiles.input_edugain=${CONF}/modules/saml/tr-input-eduGAIN.json

Best regards,
Sander

> Best,
> Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-14 10:41:01
Hi Krzysztof,
yes when we are finished with testings and updated the instances, we keep an eye on this and see if it appears again.

Best regards,
Sander

On Fri, 2022-10-14 at 12:33 +0200, Krzysztof Benedyczak wrote:
> Returning to this one:
>
> On 30.08.2022 at 10:06, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > we tried with different configuration, but for some reason the metadata
> > file is not updated. Even with the default update configuration it is
> > not updated. It might be a bug within the refreshing part. During the
> > update to unity 3.9, the configuration did not change.
>
> We have run a ton of tests in this area when working on features related
> to 3.11.0 SAML enhancements. Some smaller bugs were found and fixed,
> however the situation you have described never happened in number of
> different configurations.
>
> There were also improvements in this process implemented in 3.9.1. Could
> you re-verify if this problem appears also on 3.11? I have high hopes
> that this issue is gone.
>
> Best,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-10-14 10:40:04
On 14.10.2022 at 12:36, Sander Apweiler wrote:
> Hi Krzysztof,
>
> On Fri, 2022-10-14 at 12:29 +0200, Krzysztof Benedyczak wrote:
>> On 14.10.2022 at 12:23, Sander Apweiler wrote:
>>> Hi Krzysztof,
>>>
>>> thanks for the swift reply. Just another question to the 3.11 release.
>>> Is there a (sub) logger which I can set to INFO level about the IdP
>>> image download? EduGAIN contains a lot of image URLs which are not
>>> existing anymore.
>> Do you want to disable info about image download, filter it or
>> otherwise: enable?
> In general the info would not bother, but the long stack traces if the
> image can not be loaded let the log increase heavily. If it is the
> easiest to suppress the whole log about image load, I'm fine, too.

then set unity.server.saml.AsyncExternalLogoFileDownloader to INFO, should help

From: Sander A. <sa....@fz...> - 2022-10-14 10:36:27
Hi Krzysztof,

On Fri, 2022-10-14 at 12:29 +0200, Krzysztof Benedyczak wrote:
> On 14.10.2022 at 12:23, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > thanks for the swift reply. Just another question to the 3.11 release.
> > Is there a (sub) logger which I can set to INFO level about the IdP
> > image download? EduGAIN contains a lot of image URLs which are not
> > existing anymore.
>
> Do you want to disable info about image download, filter it or
> otherwise: enable?

In general the info would not bother, but the long stack traces if the image can not be loaded let the log increase heavily. If it is the easiest to suppress the whole log about image load, I'm fine, too.

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2022-10-14 10:33:35
Returning to this one:

On 30.08.2022 at 10:06, Sander Apweiler wrote:
> Good morning Krzysztof,
> we tried with different configuration, but for some reason the metadata
> file is not updated. Even with the default update configuration it is
> not updated. It might be a bug within the refreshing part. During the
> update to unity 3.9, the configuration did not change.

We have run a ton of tests in this area when working on features related to 3.11.0 SAML enhancements. Some smaller bugs were found and fixed, however the situation you have described never happened in number of different configurations.

There were also improvements in this process implemented in 3.9.1. Could you re-verify if this problem appears also on 3.11? I have high hopes that this issue is gone.

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-10-14 10:29:26
On 14.10.2022 at 12:23, Sander Apweiler wrote:
> Hi Krzysztof,
>
> thanks for the swift reply. Just another question to the 3.11 release.
> Is there a (sub) logger which I can set to INFO level about the IdP
> image download? EduGAIN contains a lot of image URLs which are not
> existing anymore.

Do you want to disable info about image download, filter it or otherwise: enable?

From: Krzysztof B. <kb...@un...> - 2022-10-14 10:28:25
Hi Sander,

On 14.10.2022 at 09:47, Sander Apweiler wrote:
> Hi Krzysztof,
> by setting up the scim api in unity 3.9.0 I found a problem. Our
> configuration is normally loaded from config files. I know this is not
> possible for the scim schema so I set up it in the console endpoint.
> For some reason one attribute was not released and I increased the log.
> Due to the bug where unity stopped logging after changing the loglevel I
> restarted unity. But sadly all configured schema are gone. Is this
> intended? If not, may this happen on latest version as well? We are
> going to start our tests on 3.11 next week.

The situation is slightly different. If you have enabled endpoints reloading from config files, then all your reconfigurations of endpoints done at runtime in console (so in IdPs and Services) will be lost after restart. You need to put all your configuration in files.

In case of SCIM schema it holds as well. The only problem here is that JSON configuration of schema mappings is very complex. Instead of documenting it we provided an option to export it from the console (upload button next to each schema). So you can edit it in console, save, and then export to a file (JSON). Contents of this file can be pasted to configuration of endpoint.

We should improve this workflow, however were waiting for your feedback. The easiest thing for us would be to allow for reading the JSON from file set in endpoint configuration. Then the workflow would be the same as today, but instead of pasting JSON to your endpoint config file (needs escaping, hard), it would sit on a disk. We can also consider direct export to the configured file, if schema was originally loaded from a config file. WDYT?

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-14 10:23:46
Hi Krzysztof,

thanks for the swift reply. Just another question to the 3.11 release. Is there a (sub) logger which I can set to INFO level about the IdP image download? EduGAIN contains a lot of image URLs which are not existing anymore.

Best regards,
Sander

On Fri, 2022-10-14 at 12:05 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 14.10.2022 at 10:38, Sander Apweiler wrote:
> > Hi Krzysztof,
> > we already started right now to test unity 3.11 but failed directly at
> > the first user login. I got an error message about serious problems,
> > see screenshot. In the log I saw that unity has some problems with
> > parsing tokens in the UI. I wanted to delete them via console endpoint
> > but there I got the error "Can not parse token's JSON". See second
> > screenshot. Did I miss some migration steps?
>
> Unfortunately we missed, and not in 3.11 but in 3.10.
>
> 3.11.1 will be released shortly, we are working on a fix.
>
> Sorry for the problem,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-10-14 10:05:29
Hi Sander,

On 14.10.2022 at 10:38, Sander Apweiler wrote:
> Hi Krzysztof,
> we already started right now to test unity 3.11 but failed directly at
> the first user login. I got an error message about serious problems,
> see screenshot. In the log I saw that unity has some problems with
> parsing tokens in the UI. I wanted to delete them via console endpoint
> but there I got the error "Can not parse token's JSON". See second
> screenshot. Did I miss some migration steps?

Unfortunately we missed, and not in 3.11 but in 3.10.

3.11.1 will be released shortly, we are working on a fix.

Sorry for the problem,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-14 08:38:39
Hi Krzysztof,
we already started right now to test unity 3.11 but failed directly at the first user login. I got an error message about serious problems, see screenshot. In the log I saw that unity has some problems with parsing tokens in the UI. I wanted to delete them via console endpoint but there I got the error "Can not parse token's JSON". See second screenshot. Did I miss some migration steps?

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2022-10-14 07:47:44
Hi Krzysztof,
by setting up the scim api in unity 3.9.0 I found a problem. Our configuration is normally loaded from config files. I know this is not possible for the scim schema so I set up it in the console endpoint. For some reason one attribute was not released and I increased the log. Due to the bug where unity stopped logging after changing the loglevel I restarted unity. But sadly all configured schema are gone. Is this intended? If not, may this happen on latest version as well? We are going to start our tests on 3.11 next week.

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2022-10-13 11:51:21
Dear Subscribers,

I'm happy to announce availability of a new Unity release. As always all relevant links are available at https://unity-idm.eu/releases/release-3-11-0/

The 3.11.0 release is a major step towards Unity 4: big changes ahead. All upgrades should be carefully pre-tested, after review of Unity 3.11.0 update instruction, available in Unity manual.

Java 17 supported & groovy update

Java 17 is officially supported runtime since this release. It will become mandatory when Unity turns 4. To make it happen we had to upgrade Groovy to version 3.0.12. This means that Groovy 3 features can be used in Unity extension scripts. Please note that Groovy 3 introduces also couple of breaking changes over previously used Groovy 2.

SAML related enhancements

The biggest change in SAML area is pre-fetching of federation logo images by Unity, and serving them from the local HTTP server, on sign-in pages. This change resolves many problems related to the previous approach where a person entering Unity sign-in page could get requests (and get cookies) from a number of federation IdPs. Also certificate and TLS related misconfigurations of IdP servers could interfere with Unity page loading, what won't happen any more.

Besides of this change we have applied several smaller improvements to SAML federations handling:

* Performance of the first loading of trusted SAML entities was significantly improved.
* The first metadata refresh was always postponed for the metadata refresh interval which was effective at server start. So a decrease of the interval soon after server start could be made effective after prolonged amount of time. This problem was resolved.
* A spurious metadata refresh that could randomly happen was eliminated. This situation was possible at server startup and after reconfiguration.

OAuth: refresh tokens for public clients

Unity OAuth Authorization server can now issue refresh tokens for public clients. This feature must be enabled, and also turns on extra security measure: tokens rotation. In this scenario, each refresh token can be used only once, and each refresh is returning a new access token and a new refresh token.

Upman on the latest web technology stack

This is by far the biggest change in this release, although touching the rarely used UpMan service. Web technology stack used by UpMan was upgraded from Vaadin 8 to Vaadin 23 and now is based on cutting edge web technologies, including web components. The default UI look and feel was refreshed, as the underlying theme was changed as well. Also all UI customizations need to be prepared in a different, significantly simpler, form.

This change is the first step towards upgrading of all Unity web UIs, which will be rebased to the same technology as UpMan is using since this release. This bigger work will be available in the version 4 of Unity.

Jetty 9 → 10

Jetty, our embedded HTTP server, was upgraded to the version 10. This change should not affect production setups, but allows us to expose new features in future like SNI.

Miscellaneous improvements

* "GN" is supported in X.500 identity as an alias to GIVENNAME.
* Some parts of SCIM endpoint configuration can be controlled with its dedicated admin REST API.
* Resending of invitations (especially expired ones) from UpMan was fixed and resets validity time.
* Possible crashing of trusted applications tab loading in Home UI was fixed.

Best regards,
Krzysztof

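Added example, not part of the announcement and not Unity's code: an in-memory model of the refresh token rotation described above for public clients, where each refresh token is accepted once and every refresh returns a new access token and a new refresh token. The class and function names, the `invalid_grant` error code (taken from RFC 6749) and the revocation of the whole token family when a used token is replayed are assumptions of this example; the replay handling goes beyond what the announcement states.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


class TokenError(Exception):
    """Token endpoint error; `code` follows RFC 6749 section 5.2."""

    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code = code


@dataclass
class RefreshRecord:
    client_id: str
    subject: str
    family: str        # every token descended from one authorization grant
    expires_at: float
    used: bool = False


class RotatingTokenStore:
    """Hypothetical model of refresh token rotation for a public client."""

    def __init__(self, refresh_ttl=3600, clock=time.time):
        self._records = {}              # sha256(refresh token) -> RefreshRecord
        self._revoked_families = set()
        self._ttl = refresh_ttl
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Keep only a digest, so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _mint(self, client_id, subject, family):
        refresh = secrets.token_urlsafe(32)
        self._records[self._digest(refresh)] = RefreshRecord(
            client_id, subject, family, self._clock() + self._ttl)
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer",
                "refresh_token": refresh}

    def issue_initial(self, client_id, subject):
        """First token pair, issued after the authorization grant."""
        return self._mint(client_id, subject, family=secrets.token_hex(8))

    def refresh(self, client_id, presented):
        rec = self._records.get(self._digest(presented))
        # A public client has no secret: the token is bound to client_id only.
        if rec is None or rec.client_id != client_id:
            raise TokenError("invalid_grant", "unknown refresh token")
        if rec.family in self._revoked_families:
            raise TokenError("invalid_grant", "token family revoked")
        if rec.used:
            # A one-time token seen twice means two parties hold it.
            # Assumption of this example: revoke all of its descendants.
            self._revoked_families.add(rec.family)
            raise TokenError("invalid_grant", "refresh token already used")
        if self._clock() >= rec.expires_at:
            raise TokenError("invalid_grant", "refresh token expired")
        rec.used = True
        return self._mint(rec.client_id, rec.subject, rec.family)


def outcome(store, client_id, token):
    """Return 'ok' or the error string for one refresh attempt."""
    try:
        store.refresh(client_id, token)
        return "ok"
    except TokenError as err:
        return str(err)


def demo():
    # Constructed client and user names, for illustration only.
    store = RotatingTokenStore()
    first = store.issue_initial("spa-client", "alice")
    second = store.refresh("spa-client", first["refresh_token"])
    return [
        second["refresh_token"] != first["refresh_token"],      # rotated
        outcome(store, "spa-client", first["refresh_token"]),   # replay
        outcome(store, "spa-client", second["refresh_token"]),  # family gone
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A client that loses the response to a refresh request is left holding an already used token, so rotation requires the client to store the new refresh token before discarding the old one.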
From: Sander A. <sa....@fz...> - 2022-10-13 09:55:26
Hi Krzysztof,
sorry for the delay. The project allows and uses sub-projects. There are only registration forms and sign-up enquiries configured. Both are available by invitation only. We do not have membership update enquiries configured. Do you need the full forms?

Best regards,
Sander

On Thu, 2022-09-29 at 18:01 +0200, Krzysztof Benedyczak wrote:
> Sander,
>
> A correction :-)
>
> On 29.09.2022 at 17:18, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > Coming back to those issues
> >
> > On 8.09.2022 at 13:04, Sander Apweiler wrote:
> > > If a user sends an invitation into a subgroup of a project to a
> > > collaborator who is already member of another subgroup of this project
> > > and the collaborator accepts the invitation, the collaborator is
> > > removed from the previous subgroup. I don't know if this is intended by
> > > you, but I assume most users won't expect this behaviour. Especially in
> > > large projects with many users and subgroups it might be difficult to
> > > check if the invited person is already member of another subgroup.
> >
> > Yes, we can confirm that.
> >
> > 1. Why this happens? The enquiry form which is used to invite an
> > existing Unity user to a new project/group is set to be sticky. Sticky
> > forms need to be actively launched, are never shown automatically by
> > Unity. Sticky forms also allow for modifying existing state of user's
> > account, this is in fact "edit yourself" form. Non-sticky forms are
> > collecting data which should be added to existing account.
> >
> > Now the form called by default <SomeProject>JoinEnquiry is set to be
> > sticky as it can be enabled in HomeUI, so that users can apply for
> > membership on their own (i.e. w/o invitation). Non sticky form would
> > appear for each user entering any Unity endpoint. And as you noticed
> > this is causing edit of the account, and overwriting user's groups
> > when used in the by invitation flow.
> >
> > 2. Workaround. *If you don't use the feature to allow users to request
> > project membership from HomeUI*, it should be possible to quickly fix
> > the problem. Just in the ...JoinEnquiry form change two settings:
> >
> > i.e. make it non sticky and by invitation only. This will allow to
> > invite users but the groups overwriting will disappear.
> >
> > 3. We are thinking about a proper solution, working also in the case
> > when self-requested membership is enabled. Will keep you informed.
> > Most likely this won't make it into the next release though.
>
> I was just made aware by my colleague that what is above is only
> partially correct. Or better said it is correct, but after some (IMHO
> unlikely) reconfiguration of the default enquiry forms. Sorry for the
> noise!
>
> After joint session with my colleague, it seems that we have troubles
> reproducing this issue. Can you please describe the scenario more
> closely? What is the setup of projects and (if used) sub projects?
> What ways to invite are used? We have run bunch of tests here and all
> were working fine. The only reproduction which we were able to have
> was in so unlikely situation that I even won't waste your time
> describing it...
>
> Thank you,
> Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-11 06:40:19
Hi Krzysztof,

last week we had a meeting with service providers and the developers of their service about the token exchange mechanism in unity. We had the problem that the service did not work with unity anymore after a service update. The software is CERN's FTS3 (file transfer service).

We also found the problem: Using the token exchange mechanism unity requires the audience claim, which is clearly written in the manual. But in RFC 8693 (OAuth 2.0 Token Exchange), the audience is defined as optional. Other IdM solutions like EGI-CheckIn and Indigo IAM (used by WLCG) do not require the audience claim for token exchange and CERN FTS does also not send this.

What is the reason for unity to make it mandatory and do you see any possibilities to change this to optional? Is it possible to use multiple audiences in the claim if unity requires the requesting client_id to be in there? FTS needs to alter the audience for delegation on behalf of a user.

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2022-09-29 16:01:29
Sander,

A correction :-)

On 29.09.2022 at 17:18, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> Coming back to those issues
>
> On 8.09.2022 at 13:04, Sander Apweiler wrote:
>> If a user sends an invitation into a subgroup of a project to a
>> collaborator who is already member of another subgroup of this project
>> and the collaborator accepts the invitation, the collaborator is
>> removed from the previous subgroup. I don't know if this is intended by
>> you, but I assume most users won't expect this behaviour. Especially in
>> large projects with many users and subgroups it might be difficult to
>> check if the invited person is already member of another subgroup.
>
> Yes, we can confirm that.
>
> 1. Why this happens? The enquiry form which is used to invite an
> existing Unity user to a new project/group is set to be sticky. Sticky
> forms need to be actively launched, are never shown automatically by
> Unity. Sticky forms also allow for modifying existing state of user's
> account, this is in fact "edit yourself" form. Non-sticky forms are
> collecting data which should be added to existing account.
>
> Now the form called by default <SomeProject>JoinEnquiry is set to be
> sticky as it can be enabled in HomeUI, so that users can apply for
> membership on their own (i.e. w/o invitation). Non sticky form would
> appear for each user entering any Unity endpoint. And as you noticed
> this is causing edit of the account, and overwriting user's groups
> when used in the by invitation flow.
>
> 2. Workaround. *If you don't use the feature to allow users to request
> project membership from HomeUI*, it should be possible to quickly fix
> the problem. Just in the ...JoinEnquiry form change two settings:
>
> i.e. make it non sticky and by invitation only. This will allow to
> invite users but the groups overwriting will disappear.
>
> 3. We are thinking about a proper solution, working also in the case
> when self-requested membership is enabled. Will keep you informed.
> Most likely this won't make it into the next release though.

I was just made aware by my colleague that what is above is only partially correct. Or better said it is correct, but after some (IMHO unlikely) reconfiguration of the default enquiry forms. Sorry for the noise!

After joint session with my colleague, it seems that we have troubles reproducing this issue. Can you please describe the scenario more closely? What is the setup of projects and (if used) sub projects? What ways to invite are used? We have run bunch of tests here and all were working fine. The only reproduction which we were able to have was in so unlikely situation that I even won't waste your time describing it...

Thank you,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-09-29 15:18:30
|
Hi Sander,

Coming back to those issues

On 8.09.2022 at 13:04, Sander Apweiler wrote:
> If a user sends an invitation into a subgroup of a project to a
> collaborator who is already a member of another subgroup of this project
> and the collaborator accepts the invitation, the collaborator is
> removed from the previous subgroup. I don't know if this is intended by
> you, but I assume most users won't expect this behaviour. Especially in
> large projects with many users and subgroups it might be difficult to
> check if the invited person is already a member of another subgroup.

Yes, we can confirm that.

1. Why does this happen? The enquiry form which is used to invite an existing Unity user to a new project/group is set to be sticky. Sticky forms need to be actively launched and are never shown automatically by Unity. Sticky forms also allow for modifying the existing state of a user's account; this is in fact an "edit yourself" form. Non-sticky forms collect data which should be added to an existing account.

Now the form called by default <SomeProject>JoinEnquiry is set to be sticky as it can be enabled in HomeUI, so that users can apply for membership on their own (i.e. w/o invitation). A non-sticky form would appear for each user entering any Unity endpoint. And as you noticed this is causing an edit of the account, and overwriting the user's groups when used in the by-invitation flow.

2. Workaround. *If you don't use the feature to allow users to request project membership from HomeUI*, it should be possible to quickly fix the problem. Just in the ...JoinEnquiry form change two settings:

i.e. make it non-sticky and by invitation only. This will allow you to invite users but the groups overwriting will disappear.

3. We are thinking about a proper solution, working also in the case when self-requested membership is enabled. Will keep you informed. Most likely this won't make it into the next release though.

> The usability enhancement is about resending invitations. Resending is
> only possible if the invitation is still valid. The user asked if it
> wouldn't be possible to resend them even if they are invalid and set a
> new expiration date
>

That was fixed, will be released in 3.11, coming out soon.

Best,
Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2022-09-16 07:29:50
|
Hi Hubert,

On 14.09.2022 at 14:16, Hubert Siejkowski wrote:
> Hi,
>
> we have recently upgraded to version 3.10.0 (from 3.8.2) and the
> upgrade went smoothly except for the HomeUI endpoints. If the
> trustedApplications are enabled in the HomeUI configuration, and after
> the user logs in the following error occurs:

After looking into it, this seems to be a gap in handling of legacy (i.e. slightly incomplete) data. We will fix that in the next release.

Thx for the detailed report,
Krzysztof
|
From: Hubert S. <h.s...@cy...> - 2022-09-14 12:33:48
|
Hi,

we have recently upgraded to version 3.10.0 (from 3.8.2) and the upgrade went smoothly except for the HomeUI endpoints. If the trustedApplications are enabled in the HomeUI configuration, and after the user logs in the following error occurs:

An application error occurred when invoking the last operation. This means that either there is a mistake in the application code or a serious hardware problem on the service side. The error was reported to the staff and will be addressed as soon as possible.

and in the log file we got a message:

[UNITY user's account] [] ERROR unity.server.web.UnityUIBase: UI code got an unchecked and not handled properly exception: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'trustedApplicationTab' defined in URL [jar:file:/opt/unity-idm/unity-server-distribution-3.10.0/lib/unity-server-user-home-3.10.0.jar!/io/imunity/home/externalApplication/TrustedApplicationTab.class]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.imunity.home.externalApplication.TrustedApplicationTab]: Constructor threw exception; nested exception is java.lang.NullPointerException

Full stack trace of the error is attached to this message.

For now we disabled the trustedApplications section in the HomeUI configuration and the endpoint works well. Is this something wrongly configured in our instance?

Cheers,
Hubert
|
From: Krzysztof B. <kb...@un...> - 2022-09-09 08:55:30
|
Hi Sander,

On 8.09.2022 at 13:04, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> We got one "bug report" and one usability enhancement from users which
> I want to share with you.
>
> If a user sends an invitation into a subgroup of a project to a
> collaborator who is already a member of another subgroup of this project
> and the collaborator accepts the invitation, the collaborator is
> removed from the previous subgroup. I don't know if this is intended by
> you, but I assume most users won't expect this behaviour. Especially in
> large projects with many users and subgroups it might be difficult to
> check if the invited person is already a member of another subgroup.

We are currently testing a bigger upman refresh, will check that issue as well.

> The usability enhancement is about resending invitations. Resending is
> only possible if the invitation is still valid. The user asked if it
> wouldn't be possible to resend them even if they are invalid and set a
> new expiration date
>

Should be doable, will open a ticket on that.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2022-09-08 11:04:53
|
Hi Krzysztof,
hi Roman,

We got one "bug report" and one usability enhancement from users which I want to share with you.

If a user sends an invitation into a subgroup of a project to a collaborator who is already a member of another subgroup of this project and the collaborator accepts the invitation, the collaborator is removed from the previous subgroup. I don't know if this is intended by you, but I assume most users won't expect this behaviour. Especially in large projects with many users and subgroups it might be difficult to check if the invited person is already a member of another subgroup.

The usability enhancement is about resending invitations. Resending is only possible if the invitation is still valid. The user asked if it wouldn't be possible to resend them even if they are invalid and set a new expiration date

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
|
From: Krzysztof B. <kb...@un...> - 2022-09-02 10:35:27
|
On 30.08.2022 at 10:06, Sander Apweiler wrote:
> Good morning Krzysztof,
> we tried with different configuration, but for some reason the metadata
> file is not updated. Even with the default update configuration it is
> not updated. It might be a bug within the refreshing part. During the
> update to unity 3.9, the configuration did not change.

Thanks, we will investigate then.

Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2022-09-02 09:25:13
|
Hi Sander,

On 30.08.2022 at 09:12, Sander Apweiler wrote:
> Good morning Krzysztof,
> maybe you do not need a url attribute type. But parsing the input by
> the java trim function removes all whitespace in the beginning and at
> the end. This should also remove linebreak characters. This might be
> useful for all attributes. What do you think?

I'm afraid not. First of all, the range of use cases of string attributes is wide. We cannot just start trimming all whitespace, even leading or trailing; that may break many setups. A feature to trim whitespace from strings (as an optional setting in the attribute type definition) can be considered.

Anyway, proper support for URLs is still needed. Whitespace is one edge case, what about other mistakes in syntax? So I'm afraid we do need the extra type anyway.

Best,
Krzysztof

> Best regards,
> Sander
>
> On Mon, 2022-08-29 at 13:15 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 25.08.2022 at 15:13, Sander Apweiler wrote:
>>> Hi Krzysztof,
>>> after I had a longer debug session with an administrator of a service
>>> who said there was a problem in unity, I was able to show him that
>>> he created a wrong config. He entered a linebreak in the OAuth
>>> return URL.
>>>
>>> To avoid such problems, would it make sense to prohibit whitespace
>>> characters in some attributes like return URL or email addresses? A
>>> valid value never contains a whitespace character.
>> Yes, this situation unfortunately can happen. It is because we don't
>> have a dedicated attribute value type for URLs (or URIs). And so the
>> OAuth client's return URL is stored in a plain string attribute.
>>
>> We were talking about that a few times, but never approached that as we
>> are a bit afraid of the migration: it may happen that current values are
>> not parsable as URL -> what then? Anyway, as this was raised also on the
>> community side, not only randomly internally, I'm opening a ticket to
>> cover that: introduce a URL attribute value type, with proper validation,
>> and migrate all system attributes to that type. Migration details TBD.
>>
>>
>> In the case of emails this problem should not exist: we have a dedicated
>> type for that, so as long as the verifiableEmail type is used in an
>> attribute intended to store email, any invalid string should not be allowed.
>>
>> Best,
>> Krzysztof
>>
|
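The point discussed in this exchange, that trimming covers only one way a return URL can be mis-entered, shown as an added example that is not part of the thread and is not Unity code. The class ReturnUrlCheck, the method reject and the sample values are hypothetical; the absolute-URI and no-fragment rules are the OAuth 2.0 redirect URI requirements from RFC 6749.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ReturnUrlCheck {
    // Returns null if the value is acceptable, otherwise the reason for rejecting it.
    static String reject(String value) {
        // Reject rather than trim: whitespace or control characters anywhere,
        // including the middle of the value, point to a copy/paste mistake.
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (Character.isWhitespace(c) || Character.isSpaceChar(c) || Character.isISOControl(c)) {
                return String.format("whitespace/control character U+%04X at index %d", (int) c, i);
            }
        }
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return "not a valid URI: " + e.getReason();
        }
        if (!uri.isAbsolute()) return "no scheme, so not an absolute URI";
        if (uri.getRawFragment() != null) return "fragment not allowed in a redirect URI";
        boolean web = "https".equalsIgnoreCase(uri.getScheme()) || "http".equalsIgnoreCase(uri.getScheme());
        if (web && uri.getHost() == null) return "http(s) URL without a parseable host";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values (assumed for illustration).
        String[] samples = {
            "https://service.example.org/oauth/callback",
            "https://service.example.org/oauth/callback\n",     // trailing line break
            "https://service.example.org/oauth/\ncallback",     // line break inside the value
            "\u00A0https://service.example.org/oauth/callback", // leading no-break space
            "https//service.example.org/oauth/callback",        // missing ':' after the scheme
            "https://service.example.org/oauth/callback#done"   // fragment
        };
        for (String s : samples) {
            String strict = reject(s);
            String trimmed = reject(s.trim());
            System.out.printf("%-56s strict: %-52s after trim(): %s%n",
                    s.replace("\n", "\\n").replace("\u00A0", "\\u00A0"),
                    strict == null ? "accepted" : strict,
                    trimmed == null ? "accepted" : trimmed);
        }
    }
}
```

Only the trailing line break becomes acceptable after trim(); the embedded line break, the no-break space (above U+0020, so trim() leaves it) and the syntax mistakes are still rejected, which is the case for validating at input time.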