At my org we're going through a re-brand, and as part of this we're changing our primary domain. We use Outline with Google SSO and so we switched it for testing, but since the switch any logins fail with an authentication-required notice.
To Reproduce
Set up an Outline instance using Google Workspace SSO (with two domains configured in Google)
Sign in at least once
Change the primary domain on the Workspace user
Sign out and sign in again
Expected behavior
The user can sign in with the same account
Actual behaviour
The user gets a blank error page with ?notice=authentication-required in the URL. In the logs there is this error:
{
"error": "User authentication 112884385789198496882 already exists for 6c1888fc-9666-4f34-a384-2e3326838823, tried to assign to 615e85f2-8099-4cb9-8e44-a73dd2fa51db",
"level": "error",
"message": "Error during authentication",
"stack": "UnauthorizedError: User authentication 112884385789198496882 already exists for 6c1888fc-9666-4f34-a384-2e3326838823, tried to assign to 615e85f2-8099-4cb9-8e44-a73dd2fa51db\n at AuthenticationError (/opt/outline/build/server/errors.js:41:34)\n at accountProvisioner (/opt/outline/build/server/commands/accountProvisioner.js:121:43)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
}
Unfortunately this is due to the fact that Google uses the domain name as the primary ID. An awful decision that continues to bite everyone that uses it as an auth provider forever.
If you want to easily fix your setup without code changes the easiest thing to do is to find the authentication_provider record in the db and change the providerId to your new domain name.
In a self-hosted environment if the domain matches one in allowed domains we could probably continue to allow sign-in by switching the user authentication to the other provider automatically (the "auto-migrate" mentioned in the comment above)
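As an added illustration (not Outline's code, and not written by anyone in this thread), here is a small TypeScript model of the provisioning logic behind the error above: the workspace's authentication provider row is keyed on the domain claim the identity provider returns (Google's hosted-domain), while the user's credential row is keyed on the stable subject (`sub`). It reproduces the "already exists ... tried to assign to" collision once the Workspace primary domain changes, then applies the manual fix suggested above by rewriting the provider record's providerId to the new domain. The `Store` class, all ids and emails, and the hosted-style rule that an unknown domain creates a new workspace are assumptions of the model, not Outline's actual implementation.

```typescript
// Added example, not Outline's own code: an in-memory model of an SSO account
// provisioner. The provider row is keyed on the IdP's domain claim, the user's
// credential on the stable `sub`. All names, ids and values are constructed.

interface Team { id: string; name: string }
interface AuthenticationProvider { id: string; name: string; providerId: string; teamId: string }
interface User { id: string; teamId: string; email: string }
interface UserAuthentication { id: string; userId: string; providerName: string; providerId: string }

// What the identity provider hands back after a successful login (assumed shape).
interface Profile { providerName: string; domain: string; sub: string; email: string }

class AuthenticationError extends Error {}

class Store {
  teams: Team[] = [];
  providers: AuthenticationProvider[] = [];
  users: User[] = [];
  auths: UserAuthentication[] = [];
  private seq = 0;
  nextId(prefix: string): string { return `${prefix}-${++this.seq}`; }
  // Row counts before a login attempt, so a failed attempt can be rolled back
  // the way a database transaction would be.
  snapshot(): number[] { return [this.teams.length, this.providers.length, this.users.length, this.auths.length]; }
  rollback(mark: number[]): void {
    [this.teams.length, this.providers.length, this.users.length, this.auths.length] = mark;
  }
}

// Resolve (or create) the workspace for a login. As in a hosted multi-tenant
// setup, a domain claim nobody has seen before becomes a brand-new workspace.
function resolveProvider(store: Store, profile: Profile): AuthenticationProvider {
  const existing = store.providers.find((p) => p.name === profile.providerName && p.providerId === profile.domain);
  if (existing) return existing;
  const team: Team = { id: store.nextId("team"), name: profile.domain };
  const provider: AuthenticationProvider = {
    id: store.nextId("provider"), name: profile.providerName, providerId: profile.domain, teamId: team.id,
  };
  store.teams.push(team);
  store.providers.push(provider);
  return provider;
}

function provision(store: Store, profile: Profile): User {
  const provider = resolveProvider(store, profile);
  const auth = store.auths.find((a) => a.providerName === profile.providerName && a.providerId === profile.sub);
  if (auth) {
    const owner = store.users.find((u) => u.id === auth.userId)!;
    if (owner.teamId === provider.teamId) {
      owner.email = profile.email; // same workspace: refresh the mutable email, keep the account
      return owner;
    }
    // Same subject, different workspace: the collision reported in the issue.
    const wouldBe = store.nextId("user"); // id the new user record would have received
    throw new AuthenticationError(
      `User authentication ${profile.sub} already exists for ${owner.id}, tried to assign to ${wouldBe}`,
    );
  }
  const user: User = { id: store.nextId("user"), teamId: provider.teamId, email: profile.email };
  store.users.push(user);
  store.auths.push({ id: store.nextId("auth"), userId: user.id, providerName: profile.providerName, providerId: profile.sub });
  return user;
}

// Login entry point: a failed attempt leaves no half-created rows behind.
function signIn(store: Store, profile: Profile): User {
  const mark = store.snapshot();
  try {
    return provision(store, profile);
  } catch (e) {
    store.rollback(mark);
    throw e;
  }
}

// The manual fix from the thread: repoint the workspace's provider record at
// the new domain so logins carrying the new domain claim resolve to the
// existing workspace and reuse the existing `sub` binding.
function migrateProviderDomain(store: Store, providerName: string, oldDomain: string, newDomain: string): boolean {
  const provider = store.providers.find((p) => p.name === providerName && p.providerId === oldDomain);
  if (!provider) return false;
  provider.providerId = newDomain;
  return true;
}

// The rebrand scenario from the report, with constructed values.
function rebrandScenario(): { beforeFix: string; afterFix: string } {
  const store = new Store();
  const sub = "100000000000000000001"; // constructed Google subject, stable across the rebrand
  const first = signIn(store, { providerName: "google", domain: "old.example", sub, email: "alice@old.example" });
  let beforeFix = "signed in";
  try {
    signIn(store, { providerName: "google", domain: "new.example", sub, email: "alice@new.example" });
  } catch (e) {
    beforeFix = e instanceof AuthenticationError ? e.message : "unexpected error";
  }
  migrateProviderDomain(store, "google", "old.example", "new.example");
  const again = signIn(store, { providerName: "google", domain: "new.example", sub, email: "alice@new.example" });
  const afterFix = again.id === first.id ? `same user ${again.id} now ${again.email}` : "different user";
  return { beforeFix, afterFix };
}
```

Running `rebrandScenario()` shows the first post-rebrand login failing with the same message shape as the log above and, after the provider row is repointed, the same user record signing in with the new email. The rollback in `signIn` is what keeps the retry clean; without it the failed attempt would leave an orphan workspace and provider row for the new domain.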
It also breaks on self-hosted setups where emails provided by the OIDC endpoint were never intended to be on the same domain. Users' sub field from OIDC never changes, but after a user changes their own email on the identity provider side, they can't log in to Outline anymore.
I'm not sure why the domain from the OIDC email field is used as the auth provider ID in Outline in the first place; shouldn't there be only one per actual IdP? (one for Google, one for custom/self-hosted, etc.)
Outline: docker.getoutline.com/outlinewiki/outline:0.74.0
It looks like the error comes from outline/server/commands/userProvisioner.ts, lines 85 to 93 in f7ea19c.
I'd be happy to send a PR to fix this, given some guidance on the best way of fixing it.