# gooddata-cloud
s
Hello All, Did something change with GoodData's authentication protocols?
We have not changed our authentication provider, but are now getting a new scope issue/error with our instance and it's impacting all of our domains (we have 4).
i
Hi Steve, Sorry to hear about your troubles, but I am not aware of such a change on our end. Could you be so kind and share some error or traceId with me, please? (Feel free to use a DM, if it works better for you).
b
Hi Steve, I am investigating, just a question in the meantime, which OIDC IdP are you using?
s
IdentityServer4
b
Steve, the situation is as follows - we indeed made some small changes today to our OIDC implementation as part of preparation for JIT provisioning. We tested it against the standard OIDC IdPs and implementations, but it seems to have broken something in yours related to scopes. Which is strange, because any changes needed to be explicitly enabled in the organization config. GoodData operates with the following scopes:
openid, profile, email, offline_access
As per your OIDC config file <issuer_url>/.well-known/openid-configuration your IdP supports all of these. But it's possible that the email scope was added with this change. It could mean that it's not included in the client you use for gooddata and the solution could be as simple as adding it. Also, you might be able to find more in your OIDC logs with request id 400182f8-0000-d300-b63f-84710c7967bb. We are still looking into it, but if this cannot be resolved soon, we will consider reverting the changes.
s
"AllowedScopes": [ "openid", "profile", "name", "offline_access" ],
b
yes, so it seems that it's indeed missing email.
are you able to just simply add it?
s
I can try, though I cannot guarantee its being passed
b
sure, I guess we'll find out right away ....
s
looks like that might be the issue
b
I can see that your DEV environment now redirects correctly, so I guess it works
s
yeah, guess I'm glad that's the fix
b
Really sorry for the caused inconvenience Steve
s
just makes me real nervous as this is not the first time something like this has caused us issues
also that wasn't included as a release, correct?
or was this part of last week's gooddata cloud release
b
it wasn't, it was just a partial change of the bigger implementation,
however the deployed code had a small bug.... it passed all the tests as the major IdPs didn't have any issue with it.... But your concerns are very valid and I will open an internal discussion about improving the process
s
Luckily we're doing a release tonight where we can address this, but 100% not a great experience.
i
We are really sorry for your troubles here and we will try our best to avoid similar situations in future.
s
I mean I understand and am glad it was easy to fix and not a customer impact.
A release is a release though, so would hope that even the smallest impact would send notifications of updates