Microsoft Azure AD as OIDC provider yields 422 error upon login
Summary
When configuring Microsoft Azure for OIDC, our documentation recommends preferred_username as the uid_field.
When the preferred_username is an email address, GitLab attempts to create a temporary username from it, which causes the sign-in to fail with an error (see logs below).
Relevant ticket information:
- US Federal ticket (Internal access to verified US Citizens only)
- SFDC (internal)
Steps to reproduce
- Configure Microsoft Azure for OIDC
- Attempt to use an existing user from Azure AD
- Attempt to log in and observe a 422 status code
Example Project
What is the current bug behavior?
GitLab generates a temporary username based on the following: auth/o_auth/auth_hash.rb#L96-119
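The log line in this report shows the shape of the problem: the temporary address is built by pasting the uid into a fixed template, so a uid that is itself an email address yields a string with two "@" characters, which then fails email validation. The following Ruby snippet is an added illustration of that failure mode and of one way to derive a valid placeholder; it is not GitLab's own code from auth_hash.rb, and HOSTNAME, valid_email?, naive_temp_email, safe_temp_email and provision are names chosen here for the example.

```ruby
# Added illustration (not GitLab's code): how a placeholder email built from an
# OIDC uid breaks when the uid is an email address, and a safer derivation.

HOSTNAME = "gitlab.localhost" # placeholder host, as in the reported log line

# Loose syntactic check: exactly one '@', non-empty local part, dotted domain.
def valid_email?(addr)
  addr.count("@") == 1 && addr.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
end

# Naive placeholder in the shape seen in the log: the uid is pasted in verbatim,
# so "some.user@demo.onmicrosoft.us" produces an address with two '@'.
def naive_temp_email(uid)
  "temp-email-for-oauth-#{uid}@#{HOSTNAME}"
end

# Hardened placeholder: normalise the uid into a valid local part first.
# '@' is spelled out as '-at-' so two uids with the same local part but
# different domains still map to different placeholders; any other character
# not allowed in a local part is replaced with '-'.
def safe_temp_email(uid)
  local = uid.to_s.gsub("@", "-at-").gsub(/[^a-zA-Z0-9._-]/, "-")
  local = local.gsub(/-+/, "-").sub(/\A-/, "").sub(/-\z/, "")
  local = "user" if local.empty?
  "temp-email-for-oauth-#{local}@#{HOSTNAME}"
end

# Simulate the account-creation decision for a given preferred_username:
# a syntactically invalid placeholder is what surfaces as the 422 response.
def provision(uid, builder)
  email = send(builder, uid)
  if valid_email?(email)
    { status: 200, email: email }
  else
    { status: 422, email: email, error: "Email is invalid" }
  end
end

if __FILE__ == $PROGRAM_NAME
  uid = "some.user@demo.onmicrosoft.us" # constructed sample matching the log
  p provision(uid, :naive_temp_email) # 422, two '@' in the address
  p provision(uid, :safe_temp_email)  # 200, single '@'
end
```

Running the script with a plain username (for example "jdoe") succeeds with either builder; only an email-shaped uid trips the naive path, which is why the bug surfaces specifically when preferred_username carries the user's email.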
What is the expected correct behavior?
GitLab will register the Azure AD user with the expected values from Azure AD.
Relevant logs and/or screenshots
```
==> /var/log/gitlab/application_json.log <==
{"severity":"INFO","time":"2022-10-27T17:43:58.294Z","correlation_id":"01GGD8P95A5V0WZP87M726KX2A","message":"(OAuth) Error saving user some.user@demo.onmicrosoft.us (temp-email-for-oauth-some.user@demo.onmicrosoft.us@gitlab.localhost): [\"Email is invalid\"]"}
```
Output of checks
Results of GitLab environment info
GitLab v15.4.1
Helm deployment
Possible fixes
No fix identified yet; however, the customer described the following workaround:
If I create a user manually, and associate it with the OIDC provider using the UPN, the connection is fine. If, however, I have a new user that tries to login, they get a 422 error window about the email being invalid.