Stream: troubleshooting

Topic: ✔ Error getting the user info record from OpenID.


view this post on Zulip Mohsen Jafari (Mar 14 2024 at 14:57):

My OIDC profile endpoint returns this:

{"id":"b94e083c-8ee8-4177-af13-cf87ceab00d2","username":"john","email":"john@gmail.com"}

But dataverse says this error:

edu.harvard.iq.dataverse.authorization.providers.oauth2.OAuth2Exception: Error getting the user info record from OpenID.
at edu.harvard.iq.dataverse.authorization.providers.oauth2.oidc.OIDCAuthProvider.getUserInfo(OIDCAuthProvider.java:316)
at edu.harvard.iq.dataverse.authorization.providers.oauth2.oidc.OIDCAuthProvider.getUserRecord(OIDCAuthProvider.java:227)
at edu.harvard.iq.dataverse.authorization.providers.oauth2.OAuth2LoginBackingBean.exchangeCodeForToken(OAuth2LoginBackingBean.java:103)
at edu.harvard.iq.dataverse.authorization.providers.oauth2.OAuth2LoginBackingBean$Proxy$_$$_WeldSubclass.exchangeCodeForToken(Unknown Source)

view this post on Zulip Mohsen Jafari (Mar 14 2024 at 16:14):

Maybe I should explain more. I have already created the user 'john' in my OIDC. I press 'Login by OpenID' in dataverse and it redirects me to my OIDC properly. I log in there and it redirects me to dataverse. By looking at the logs, I noticed that dataverse can exchange the auth code with OIDC and gets the access token; then, it tries to call the profile endpoint to get the user profile. At this point, I get the above error message in dataverse.

view this post on Zulip Philip Durbin 🚀 (Mar 14 2024 at 16:16):

Can you find the line number on GitHub?

view this post on Zulip Mohsen Jafari (Mar 14 2024 at 16:17):

I think the following method is throwing the exception, but I am not sure.

Optional<UserInfo> getUserInfo(BearerAccessToken accessToken) throws IOException, OAuth2Exception {
    // Retrieve data
    HTTPResponse response = new UserInfoRequest(this.idpMetadata.getUserInfoEndpointURI(), accessToken)
            .toHTTPRequest()
            .send();

    // Parse/Extract
    try {
        UserInfoResponse infoResponse = UserInfoResponse.parse(response);

        // If error --> oauth2 ex
        if (! infoResponse.indicatesSuccess() ) {
            ErrorObject error = infoResponse.toErrorResponse().getErrorObject();
            throw new OAuth2Exception(error.getHTTPStatusCode(),
                                      error.getDescription(),
                                      BundleUtil.getStringFromBundle("auth.providers.exception.userinfo", Arrays.asList(this.getTitle())));
        }

        // Success --> return info
        return Optional.of(infoResponse.toSuccessResponse().getUserInfo());

    } catch (ParseException ex) {
        throw new OAuth2Exception(-1, ex.getMessage(), BundleUtil.getStringFromBundle("auth.providers.exception.userinfo", Arrays.asList(this.getTitle())));
    }
}

view this post on Zulip Mohsen Jafari (Mar 14 2024 at 16:18):

dataverse/src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/oidc/OIDCAuthProvider.java

view this post on Zulip Philip Durbin 🚀 (Mar 14 2024 at 16:41):

Yeah, auth.providers.exception.userinfo=Error getting the user info record from {0}.

view this post on Zulip Philip Durbin 🚀 (Mar 14 2024 at 16:41):

From Bundle.properties

view this post on Zulip Philip Durbin 🚀 (Mar 14 2024 at 16:42):

Are you comfortable recompiling and adding some debugging lines?

view this post on Zulip Mohsen Jafari (Mar 15 2024 at 08:38):

Unfortunately, I am not a Java developer.

view this post on Zulip Mohsen Jafari (Mar 15 2024 at 09:37):

I found the root of the issue. My profile endpoint was returning a different structure than what was expected by dataverse (when calling profile endpoint).

view this post on Zulip Notification Bot (Mar 15 2024 at 09:37):

Mohsen Jafari has marked this topic as resolved.

view this post on Zulip Philip Durbin 🚀 (Mar 15 2024 at 12:11):

Interesting. So you changed the structure of what your profile endpoint was emitting? Should we add some more documentation to the Dataverse guides?

view this post on Zulip Mohsen Jafari (Mar 15 2024 at 12:31):

You know, I have experienced the following stuff when integrating my OIDC with dataverse:

  1. It seems to me that dataverse/payara caches the discovery document for some time (.well-known/openid-configuration), as when I restarted Payara it started to use my new discovery document. I didn't know this and found it just by trial and error.
  2. I was not sure what data structure dataverse expected from my profile endpoint. So, I looked at the source code and provided the minimum data. If I had known what data should be returned by the profile endpoint, it would have saved me a lot of time :)
  3. Another very helpful thing that I thought about was that, if I could set a flag for debugging (e.g., using environment variables or something else) and more logs appeared in the console, then troubleshooting would have been much easier, but I am not sure if this is the correct approach or not.
  4. I was not sure at all where I would see the Login by OpenID button (after setting the related JVM options). It would be much better to have some information in the dataverse documentation that says exactly that.

PS: I have used the Standard installation approach.

view this post on Zulip Philip Durbin 🚀 (Mar 15 2024 at 12:45):

Sounds like we should document all of this. Are you interested in creating an issue? :grinning:

view this post on Zulip Mohsen Jafari (Mar 18 2024 at 08:25):

Yes. Where should I create the issue?

view this post on Zulip Philip Durbin 🚀 (Mar 19 2024 at 11:25):

@Mohsen Jafari https://github.com/IQSS/dataverse/issues please

view this post on Zulip Philip Durbin 🚀 (Mar 20 2024 at 12:06):

I see you opened this, thanks: Add more information about the OpenID button #10392

view this post on Zulip Philip Durbin 🚀 (Mar 20 2024 at 12:07):

And OIDC profile endpoint #10393

view this post on Zulip Mohsen Jafari (Mar 20 2024 at 12:08):

sure

view this post on Zulip Philip Durbin 🚀 (Mar 20 2024 at 12:08):

And

view this post on Zulip Philip Durbin 🚀 (Mar 20 2024 at 12:09):

for debug flag, you mean just OIDC, right?

view this post on Zulip Mohsen Jafari (Mar 20 2024 at 12:14):

Philip Durbin said:

for debug flag, you mean just OIDC, right?

I think, in general, having a boolean flag in order to have more/verbose information about what has happened (logs) would be really helpful, either regarding OIDC or anything else. For example, if verbose_flag = true, then we see more detailed information about what has happened. As an example, there were some situations where I really needed more information in the dataverse logs to fix the issue, but without such a flag I had to pull the codebase, put in some logs, recompile, and so on...
However, I think such a decision may really depend on your development/security strategies. I just shared my basic-level idea :)

view this post on Zulip Philip Durbin 🚀 (Mar 20 2024 at 12:55):

Makes sense. Sometimes we'll suggest increasing the logging level here or there: https://guides.dataverse.org/en/6.1/admin/troubleshooting.html#increasing-payara-logging

view this post on Zulip Philip Durbin 🚀 (Mar 20 2024 at 12:55):

Are you interested in creating a pull request for any of these issues?

view this post on Zulip Mohsen Jafari (Mar 25 2024 at 08:49):

Sorry, but not at the moment.

view this post on Zulip Philip Durbin 🚀 (Mar 25 2024 at 18:22):

No worries!


Last updated: Oct 30 2025 at 06:21 UTC