airavata-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marcus Christie (Jira)" <>
Subject [jira] [Commented] (AIRAVATA-3319) Handle missing name and email attributes from CILogon
Date Mon, 31 Aug 2020 21:19:00 GMT


Marcus Christie commented on AIRAVATA-3319:

I asked the CILogon team about the eduPersonPrincipleName (ePPN) attribute. Short answer one
of ePPN or ePTID are required but really the "sub" field should be used as the identifying

Hi Marcus,

After the April 2020 update, an IdP needs to minimally assert a user identifier for the user.
This identifier can be ePPN, ePTID (eduPersonTargetedID), or both. So it's not sufficient
to rely on email, ePPN, or ePTID to identify the user since any of them could be missing.

Instead, your integration should use the CILogon User Identifier to identify the user internally.
For OIDC transactions, this user id is typically asserted as the "sub" claim and is of the
format "". (The CILogon User Identifier is now shown
in the "User Attributes" block after you log on to .) You can use
to see the claims asserted by an IdP. Your app could optionally have logic to display the
user's name/email (if available) if you don't want to show the user id in the UI.


On 2020-08-28 9:28 AM, Christie, Marcus Aaron wrote:

Hi CILogon Team,

The Airavata integration with CILogon assumes that we'll get an email and first name and last
name attributes, and I'm working on updating the logic to handle the relaxed requirements
announced in April (!topic/outages/kksaYVrW1Io).
We currently map "email" to the user's username. I was told that using ePPN attribute would
be better to use for the username, but I have a question: if the email attribute isn't released
by the IdP, what is the resulting ePPN? Will there always be an ePPN?




> Handle missing name and email attributes from CILogon
> -----------------------------------------------------
>                 Key: AIRAVATA-3319
>                 URL:
>             Project: Airavata
>          Issue Type: New Feature
>          Components: Django Portal
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
> {quote}
> tl;dr: CILogon will no longer require Identity Providers (IdPs) to assert email addresses
and names for new users of OAuth2/OIDC (OpenID Connect) clients.
> {quote}
> [!topic/outages/kksaYVrW1Io]
>  This issue to design a user authentication flow that handles missing attributes and
prompts the user to supply them as necessary.
> h2. Questions
> - [ ] Will we always get a {{preferred_username}} attribute? Question for CILogon team
> - [ ] what will Keycloak do if any of these attributes are missing?
> - [ ] can we setup a test setup where CILogon doesn't return email/firstName/lastName?
> h2. TODO
> - [ ] proxy Django User model and store the Keycloak/CILogon 'sub' attribute as the primary
identifier for users
> h2. Design
> h3. User doesn't have first name and/or last name attributes
> - callback handles user authentication
> - fetch userinfo and check for missing attributes
> - note that first and/or last name are missing
> - disable user in Keycloak
> - (?) Question: log the user in with a flag that profile is not complete? Or don't log
the user in and put the user information somewhere in the session?
> -- I think, log the user in but set a session flag that the profile is not complete.
in workspace/ and in the UI use this to prevent API calls and to prevent the user
from seeing UIs that they can't yet interact with.
> - redirect user to web form with profile information filled in
> -- email
> -- email again
> -- first name (if available)
> -- last name (if available)
> - user submits form
> - validate form
> - if form is valid and all required information is supplied, then ...
> -- update the user record in Keycloak
> -- enable the user
> h3. User doesn't have email attribute
> Similar flow to above except
> - send the user an email verification link if the profile is complete and the email address
has been supplied
> -- more generally, if the user updates their profile information and the email changes,
need to re-verify the email address
> - when the email verification link is clicked, re-check the the profile is complete
> - if profile is complete, update the user record and enable the user
> - otherwise kick the user to the profile form and require the missing profile attributes

This message was sent by Atlassian Jira

View raw message