Regression in Seafile Pro 11 SSO

After upgrading to Seafile Pro 11, the SSO via OAuth with an internal SSO no longer works. I get a red error message asking to contact the administrator. I followed the recommendations for the small modification of the OAUTH_ATTRIBUTE_MAP but I encounter an error:

June 25 01:04:37 seafile.xxx.xx python3[1794236]: 2024-06-25 01:04:37,557 [ERROR] seahub.oauth.views:166 oauth_callback {'name': 'xxx', 'preferred_username': 'xxxx', 'family_name': 'xxx', 'sub': 'email@xxx.xx>
June 25 01:04:37 seafile.xxx.xx python3[1794236]: 2024-06-25 01:04:37,557 [ERROR] seahub.oauth.views:165 oauth_callback Required user attr not found.
June 25 01:04:37 seafile.xxx.xx python3[1794236]: 2024-06-25 01:04:37,557 [DEBUG] urllib3.connectionpool:549 _make_request https://auth.xxx.xx:443 "GET /

I have done several tests with the OAUTH_ATTRIBUTE_MAP, the latest being:

OAUTH_ATTRIBUTE_MAP = {
    "sub": (True, "email"),
    "uid": (True, "uid"),
    "email": (True, "contact_email"),
    "preferred_username": (False, "name"),
}

I do not understand what no longer works compared to version 10.

Best regards

Hi, in Seafile 11.0 we have added the uid as the external unique identifier of the user.
According to the JSON in the error info from the SSO, the keys are “name”, “preferred_username”, “family_name”, “sub”, and the required attributes in OAUTH_ATTRIBUTE_MAP are “sub”, “uid”, “email”.
The “uid” and “email” are not in the keys returned from the SSO. You should add an external uid attribute in the SSO (must be required). On the other hand, you can either add the “email” attribute in the SSO or set it as not required (…"email": (False, "contact_email")…) in OAUTH_ATTRIBUTE_MAP.
For more details please refer to:
https://manual.seafile.com/deploy/oauth
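
The comparison described in the reply above, as an added example that is not part of the thread and not Seafile's own code: it checks a userinfo payload against an OAUTH_ATTRIBUTE_MAP and lists the required claims the IdP did not return. The function name, the sample values and the rule that an empty claim counts as missing are assumptions made for illustration.

```python
"""Diagnostic sketch: compare an IdP userinfo response with OAUTH_ATTRIBUTE_MAP."""

# Map from the question: {claim name: (required, Seafile attribute)}.
MAP_FROM_QUESTION = {
    "sub": (True, "email"),
    "uid": (True, "uid"),
    "email": (True, "contact_email"),
    "preferred_username": (False, "name"),
}

# Variant suggested in the reply: "email" is no longer required.
MAP_EMAIL_OPTIONAL = dict(MAP_FROM_QUESTION, email=(False, "contact_email"))

# Constructed userinfo payloads. The keys of the first follow the logged
# error; every value is a placeholder.
USERINFO_BEFORE = {
    "name": "Example User",
    "preferred_username": "example",
    "family_name": "User",
    "sub": "user@example.invalid",
}
# Same payload once the IdP also releases a "uid" claim.
USERINFO_AFTER = dict(USERINFO_BEFORE, uid="example-uid-0001")


def check_userinfo(attribute_map, userinfo):
    """Return (mapped, missing_required, missing_optional).

    Assumption: a claim that is absent or empty counts as missing.
    """
    mapped, missing_required, missing_optional = {}, [], []
    for claim, (required, seafile_attr) in attribute_map.items():
        value = userinfo.get(claim)
        if value not in (None, ""):
            mapped[seafile_attr] = value
        elif required:
            missing_required.append(claim)
        else:
            missing_optional.append(claim)
    return mapped, missing_required, missing_optional


if __name__ == "__main__":
    for label, amap, info in [
        ("question map, original userinfo", MAP_FROM_QUESTION, USERINFO_BEFORE),
        ("email optional, uid released", MAP_EMAIL_OPTIONAL, USERINFO_AFTER),
    ]:
        _, required, optional = check_userinfo(amap, info)
        status = "FAIL" if required else "OK"
        print(f"{label}: {status} required={required} optional={optional}")
```

Feeding it the JSON your IdP actually returns from its userinfo endpoint shows before a login attempt which required claims are not being released.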

Hi,
Thank you for your advice.
Indeed, the “UID” was not correctly configured on my SSO. It was included in the claims but not defined in the scope, so the configuration couldn’t work.

Thanks again.