Red Hat SummitChapter 8. Troubleshoot authentication issues
Learn how to troubleshoot common authentication issues.
8.1. Reduce the size of issued tokens
If user identity tokens grow large and cause HTTP errors, you can use the omitIdentityTokenOwnershipClaim flag to remove the ent claim from the JWT payload and reduce token size.
Procedure
In the
app-config.yamlfile, setomitIdentityTokenOwnershipClaimtotrueas follows:auth: omitIdentityTokenOwnershipClaim: true
8.2. Troubleshoot unexpected session expiration
If sessions expire sooner than expected, check the following settings. The mechanism with the shortest timeout takes effect first.
Procedure
- Check the Identity Provider (IdP) session timeout: the IdP might have a shorter session lifetime than Developer Hub.
-
Check the
sessionDurationparameter for your authentication provider. -
Check the AutoLogout
idleTimeoutMinutessetting, if auto-logout is enabled.
8.3. Troubleshoot missing session expiration warning
If users receive no warning before their session expires, auto-logout might not be enabled. Without auto-logout, sessions expire silently based on sessionDuration or IdP settings.
Procedure
-
To enable pre-expiration warnings, configure the
auth.autologoutsettings in yourapp-config.yamlfile.
8.4. Troubleshoot missing login redirect after session expiration
If users are not redirected to the login page after their session expires, verify the following.
Procedure
- Verify that your Developer Hub version includes the upstream session expiration fix.
-
Verify that your authentication provider is correctly configured with valid
metadataUrl,clientId, andclientSecretsettings.
8.5. Troubleshoot login failed errors
When a user cannot sign in to Developer Hub, the sign-in page displays a "Login failed" error message. The following sections describe common login errors and their solutions.
8.5.1. Login failed: unable to resolve user identity
Login failed; caused by Error: Failed to sign-in, unable to resolve user identity. Please verify that your catalog contains the expected User entities that would match your configured sign-in resolver.This error indicates that the user signing in does not match a user entity in the Developer Hub software catalog.
To resolve this issue:
Check that the corresponding catalog provider plugin is set up correctly and is successfully syncing users and groups into the catalog.
In the backend logs, look for a successful synchronization message such as:
catalog info Read 114 GitHub users and 22 GitHub groups in 3.4 seconds. Committing... catalog info Committed 114 GitHub users and 22 GitHub groups in 0.0 seconds.- If users and groups have been ingested into the catalog, verify that the sign-in resolver used (default or configured) matches the correct user attributes.
- Optionally, use guest login to look into the user entity in the catalog and verify the attributes.
8.5.2. Login failed: provider not configured to support sign-in
Login failed; caused by Error: The <providerId> provider is not configured to support sign-in.
This error indicates that the authentication provider has disableIdentityResolution set to true, meaning it is configured as an auxiliary provider, not for primary sign-in.
To resolve this issue:
-
In your
app-config.yamlfile, ensure thatdisableIdentityResolutionis not set totruefor your primary sign-in authentication provider.
8.5.3. Login failed: user profile does not contain an email
Login failed, user profile does not contain an emailThis error indicates that the authentication client does not have permission to read the user’s email from the identity provider.
To resolve this issue:
- Grant the necessary email-reading permissions to the authentication client in the identity provider.
-
Or, use a sign-in resolver that does not rely on email, such as
preferredUsernameMatchingUserEntityNameinstead ofemailMatchingUserEntityProfileEmail.
8.6. Troubleshoot catalog provider errors
Catalog provider plugins can fail to ingest users and groups into the Developer Hub software catalog. The following sections describe common catalog provider errors visible in the backend logs and their solutions.
8.6.1. LDAP: Malformed entity envelope
LdapOrgEntityProvider:default refresh failed, TypeError: Malformed entity envelope, TypeError: /metadata/name must NOT have fewer than 1 characters - limit: 1
This error occurs when a user being ingested from LDAP has no value for the name field, which is mapped to the uid LDAP attribute by default.
To resolve this issue:
Add a filter to the LDAP users configuration to exclude users without a
uid:catalog: providers: ldapOrg: default: users: - dn: OU=Users,DC=example,DC=com options: filter: (uid=*)For more information about LDAP user filters, see Enable user provisioning with LDAP.
8.6.2. GitHub: API rate limit exceeded
GithubMultiOrgEntityProvider:default refresh failed, HttpError: API rate limit exceededThis error occurs when Developer Hub makes unauthenticated API calls to GitHub, which are limited to 60 requests per hour. Authenticated requests using a GitHub App get up to 5,000 requests per hour.
To resolve this issue:
-
Verify that the
integrations.githubsection is configured in yourapp-config.yamlfile with valid GitHub App credentials. For more information, see Import users and groups from GitHub.
8.6.3. GitLab: API rate limit exceeded
This error occurs when Developer Hub makes unauthenticated API calls to GitLab, which are subject to rate limits.
To resolve this issue:
-
Verify that the
integrations.gitlabsection is configured in yourapp-config.yamlfile with a valid GitLab personal access token. For more information, see Import users and groups from GitLab.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}