You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
IntegrityError at /authcallback
duplicate key value violates unique constraint "token_service_user_user_name_key"
DETAIL: Key (user_name)=([email protected]) already exists.
This is due to get_user trying to match an accepted auth callback to a user using sub and provider, not finding one, and then trying to create a new user object for it. However if a user has authenticated the same account name with a different provider, this second attempt will fail.
Need time to explore whether there is any security vulnerability in expanding the User uniqueness tuple from (sub, provider) to (sub, provider, user_name) and removing the individual column uniqueness constraint on user_name.
The Auth0 broker passes through the same sub for a given user_name as is used in the IDP backend itself. Example scenario after expanding the uniqueness tuple to incorporate user_name, which is currently disallowed:
The other concern is how this would impact services relying on tokens, as the two users would technically have a different set of tokens attached to them. In addition, queries for token based on sub+provider need to be careful to disambiguate, and possibly require that the whole provider information (auth0|globus) is sent in the request, rather than just auth0. Or possibly facilitate this startswith matching behavior by allowing a "compound": true value set in config.json on that provider. If the provider is not compound, then the entire provider string must match on token requests.
The text was updated successfully, but these errors were encountered:
Example:
This is due to
get_usertrying to match an accepted auth callback to a user usingsubandprovider, not finding one, and then trying to create a new user object for it. However if a user has authenticated the same account name with a different provider, this second attempt will fail.Need time to explore whether there is any security vulnerability in expanding the User uniqueness tuple from
(sub, provider)to(sub, provider, user_name)and removing the individual column uniqueness constraint onuser_name.The Auth0 broker passes through the same
subfor a givenuser_nameas is used in the IDP backend itself. Example scenario after expanding the uniqueness tuple to incorporateuser_name, which is currently disallowed:The other concern is how this would impact services relying on tokens, as the two users would technically have a different set of tokens attached to them. In addition, queries for token based on
sub+providerneed to be careful to disambiguate, and possibly require that the whole provider information (auth0|globus) is sent in the request, rather than justauth0. Or possibly facilitate this startswith matching behavior by allowing a"compound": truevalue set in config.json on that provider. If the provider is not compound, then the entire provider string must match on token requests.The text was updated successfully, but these errors were encountered: