Serious problems with open id connect authentication

[vazovn]

Describe the bug
After the upgrade from 23.1 to 23.2 the authentication by open idc is not possible.

Galaxy Version and/or server at which you observed the bug
Galaxy Version: 23.2
Commit: 9c593cd

To Reproduce
The entire class PSAAssociation(Base, AssociationMixin, RepresentById): in ../lib/galaxy/model/__init__.py seems to be failing. I have encountered the following generic issue :

23.1 makes use of indexes when interacting with the database (table psa_association). These are compatible with the parent classes in ../venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py which also use indexes to handle subscriptable results.

For example:

    @classmethod
    def store(cls, server_url, association):
        try:
            assoc = cls.sa_session.query(cls).filter_by(server_url=server_url, handle=association.handle)[0]
        except IndexError:
            assoc = cls(server_url=server_url, handle=association.handle)

is OK and the IndexError captures the errors correctly

23.2 in turn has been modified to use scalars and the calls to the parent class fail

    @classmethod
    def store(cls, server_url, association):
        try:
            stmt = select(PSAAssociation).filter_by(server_url=server_url, handle=association.handle).limit(1)
            assoc = cls.sa_session.scalars(stmt).first()
        except IndexError:
            assoc = cls(server_url=server_url, handle=association.handle)
       assoc.secret = base64.encodebytes(association.secret).decode()

fails, because the method first() returns None and not False and the error is never captured as IndexError.

Feb 20 16:49:54 galaxy01.educloud.no galaxyctl[2091415]:   File "/cluster/galaxy/srv/galaxy/server/lib/galaxy/model/__init__.py", line 9513, in store
Feb 20 16:49:54 galaxy01.educloud.no galaxyctl[2091415]:     assoc.secret = base64.encodebytes(association.secret).decode()
Feb 20 16:49:54 galaxy01.educloud.no galaxyctl[2091415]:     ^^^^^^^^^^^^
Feb 20 16:49:54 galaxy01.educloud.no galaxyctl[2091415]: AttributeError: 'NoneType' object has no attribute 'secret'

If changed to

        #try:
        stmt = select(PSAAssociation).filter_by(server_url=server_url, handle=association.handle).limit(1)
        assoc = cls.sa_session.scalars(stmt).first()
        #except:
        if assoc is not None:
            pass
        else:
            assoc = cls(server_url=server_url, handle=association.handle)

it seems to be working.

Without the change above the assoc object is simply not created!

However, the problems continue after this fix:

The flow continues in ../lib/galaxy/model/__init__.py and gets to

    @classmethod
    def get(cls, *args, **kwargs):
        stmt = select(PSAAssociation).filter_by(*args, **kwargs)
        return cls.sa_session.scalars(stmt)

and throws another error again in the parent class OpenIdConnectAuth(BaseOAuth2) in ../venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py

at return self.strategy..

   def get_nonce(self, nonce):
        try:
            return self.strategy.storage.association.get(
                server_url=self.authorization_url(),
                handle=nonce
            ) [0]
        except IndexError:
            pass

again with an error due to scalar VS subscriptable incompatibility.

Feb 20 16:58:36 galaxy01.educloud.no galaxyctl[2092171]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 129, in get_nonce
Feb 20 16:58:36 galaxy01.educloud.no galaxyctl[2092171]:     return self.strategy.storage.association.get(
Feb 20 16:58:36 galaxy01.educloud.no galaxyctl[2092171]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 20 16:58:36 galaxy01.educloud.no galaxyctl[2092171]: TypeError: 'ScalarResult' object is not subscriptable

Converting to list sort of solves the error but later fails again with similar issues.

Expected behavior

These errors actually disable completely our galaxy instance which blocks the possibility for the users to log in. It is actually very unfortunate.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[mvdbeek]

@jdavcs can you take a look at this ?

[jdavcs]

@vazovn Thank you for the very detailed report - this was very helpful! Definitely a bug - sorry about that!

Could you please try the solution in #17516? I know you've mentioned that a similar error happens on the call to get, but the implementation of that method should produce the same results: a list of PSAAssoc objects. session.query is a legacy construct we need to replace with SQLAlchemy Core's select: session.execute(statement) where statement could be select(whatever). However, this would return a list of tuples of objects, which is not the same as the list of objects returned by session.query. The scalars method simply selects the first item in each tuple, which produces the same result as session.query. If, however, you still get that error, I'll look again.

[mvdbeek]

Any chance you could provide the complete traceback @vazovn ?

[vazovn]

I will do this in 10 mins. I had other issues this morning.

[vazovn]

Hi, again,

John's fix corrected the try - except block bug. Now the assoc object does get generated. However, the second error which I mentioned above - in the get method ../model/__init__.py is still there.

This method is called by venv/lib/python3.11/site-packages/social_core/backends/open_id_connect at

def get_nonce(self, nonce):
        try:
            return self.strategy.storage.association.get(
                server_url=self.authorization_url(),
                handle=nonce
            ) [0]
        except IndexError:
            pass

where return.self.strategy.storage.association.get ... method is the one from class PSAAssociation(Base, AssociationMixin, RepresentById): in ../model/__init__.py.

The "init.py's" get method returns scalared stmt:

   @classmethod
    def get(cls, *args, **kwargs):
        stmt = select(PSAAssociation).filter_by(*args, **kwargs)
        return cls.sa_session.scalars(stmt)

which fails in the method get_nonce in venv/lib/python3.11/site-packages/social_core/backends/open_id_connect which requests the value with index [0].

return self.strategy.storage.association.get(
                server_url=self.authorization_url(),
                handle=nonce
            ) [0]

The entire debug log is here:

Feb 21 13:58:32 galaxy01.educloud.no galaxyctl[2188119]: uvicorn.access INFO 2024-02-21 13:58:32,993 [pN:main.2,p:2188119,tN:MainThread] 2001:700:5804:100::8:0 - "HEAD /root/login HTTP/1.0" 302
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,603 [pN:main.2,p:2188123,tN:WSGI_0]  ============  lifeportal auth complete =================
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,603 [pN:main.2,p:2188123,tN:WSGI_0]  ============  lifeportal  request =================
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: /cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'oidc.fp.educloud.no'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   warnings.warn(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE NONCE ========  5sbILnwiCHKt0CtnOp8hZ0ccgstKXhhii96T3Q239HmFpDxVwx2hudwXAKerxJCU
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE STATE ========  7l7qyYx6RvCPSSfx8gyv5dav26dDhbTN
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE URL ========  https://oidc.fp.educloud.no/ec-oidc-provider/authorize
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE NONCE  ASSOCIATION ======== <social_core.backends.open_id_connect.OpenIdConnectAssociation object at 0x7f5634a78610>
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE NONCE  ASSOCIATION HANDLE ======== 5sbILnwiCHKt0CtnOp8hZ0ccgstKXhhii96T3Q239HmFpDxVwx2hudwXAKerxJCU
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE NONCE  ASSOCIATION ASSOC TYPE ======== 7l7qyYx6RvCPSSfx8gyv5dav26dDhbTN
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.open_id_connect DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= GET AND STORE NONCE  WHICH OBJECT ???  ======== <class 'galaxy.model.PSAAssociation'>
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: galaxy.model DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= MODEL INIT server URL ========  https://oidc.fp.educloud.no/ec-oidc-provider/authorize
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: galaxy.model DEBUG 2024-02-21 13:58:36,644 [pN:main.2,p:2188123,tN:WSGI_0]  ============= MODEL INIT handle ========  5sbILnwiCHKt0CtnOp8hZ0ccgstKXhhii96T3Q239HmFpDxVwx2hudwXAKerxJCU
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,650 [pN:main.2,p:2188123,tN:WSGI_0]  ============  lifeportal auth header  ==========
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,650 [pN:main.2,p:2188123,tN:WSGI_0]  ============  lifeportal  request =================
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,650 [pN:main.2,p:2188123,tN:WSGI_0]  ============  METHOD  ================= POST
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: /cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'oidc.fp.educloud.no'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   warnings.warn(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,852 [pN:main.2,p:2188123,tN:WSGI_0]  ============  lifeportal find valid key ==============
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: social_core.backends.lifeportal_fox DEBUG 2024-02-21 13:58:36,853 [pN:main.2,p:2188123,tN:WSGI_0]  ============  lifeportal  request =================
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: /cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'oidc.fp.educloud.no'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   warnings.warn(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: galaxy.model DEBUG 2024-02-21 13:58:36,892 [pN:main.2,p:2188123,tN:WSGI_0]  ============= MODEL INIT get method  stmt ========  SELECT psa_association.id, psa_association.server_url, psa_association.handle, psa_association.secret, psa_association.issued, psa_association.lifetime, psa_association.assoc_type
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: FROM psa_association
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: WHERE psa_association.server_url = :server_url_1 AND psa_association.handle = :handle_1
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: galaxy.model DEBUG 2024-02-21 13:58:36,894 [pN:main.2,p:2188123,tN:WSGI_0]  ============= MODEL INIT output_cls_sa_session_scalars ========  <sqlalchemy.engine.result.ScalarResult object at 0x7f5629646150>
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: galaxy.authnz.managers ERROR 2024-02-21 13:58:36,894 [pN:main.2,p:2188123,tN:WSGI_0] An error occurred when handling callback from `lifeportalfox` identity provider.  Please contact an administrator for assistance.
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: Traceback (most recent call last):
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/server/lib/galaxy/authnz/managers.py", line 392, in callback
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     return success, message, backend.callback(state_token, authz_code, trans, login_redirect_url)
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/server/lib/galaxy/authnz/psa_authnz.py", line 218, in callback
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     redirect_url = do_complete(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:                    ^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/actions.py", line 45, in do_complete
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     user = backend.complete(user=user, *args, **kwargs)
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/base.py", line 40, in complete
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     return self.auth_complete(*args, **kwargs)
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/utils.py", line 248, in wrapper
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     return func(*args, **kwargs)
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:            ^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/lifeportal_fox.py", line 111, in auth_complete
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     response = self.request_access_token(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 210, in request_access_token
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     self.id_token = self.validate_and_return_id_token(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 200, in validate_and_return_id_token
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     self.validate_claims(claims)
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 155, in validate_claims
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     nonce_obj = self.get_nonce(nonce)
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:                 ^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/backends/open_id_connect.py", line 129, in get_nonce
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:     return self.strategy.storage.association.get(
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: TypeError: 'ScalarResult' object is not subscriptable
Feb 21 13:58:36 galaxy01.educloud.no galaxyctl[2188123]: uvicorn.access INFO 2024-02-21 13:58:36,921 [pN:main.2,p:2188123,tN:MainThread] 46.212.191.161:0 - "GET /authnz/lifeportalfox/callback?state=7l7qyYx6RvCPSSfx8gyv5dav26dDhbTN&code=ITCNQpa5slE3Aop23Scm9rg0EdSsstY3FfMvSPG2ynY.5u8pqM0fmyfdxdv9fmw00pqPiB0uDnAM2m1P5h3LvVgyWi9Zx63dBtpK0S57zqIi.ZdXzfA.oI7Y5PUU2-coQPATr-Fz0EzmrPc HTTP/1.0" 200

I am afraid that this issue might affect other methods which communicate with the database via galaxy + third party modules like in our case __init__.py AND open_id_connect.py.

[jdavcs]

@vazovn it should be fixed in #17516.

This one was a curious gotcha. The code session.execute(statement) ("scalars" is just a shortcut) contacts the database and produces a Result object that can be iterated, fetched in chunks, etc.; but it is not subscriptable because it does not actually store the retrieved items. Calling all() on the Result retrieves all the items into a sequence that is subscriptable (which is the solution to this problem). The old version used a Query object (returned from session.query()). A Query object also does not contain any items initially, and issues a statement to the database only after being evaluated. However, evaluation can be triggered in many ways, and accessing items by index is one of them - which is why session.query(foo)[0] produces the first item of whatever foo is! SQLAlchemy 2.0 has gotten rid of a lot of patterns supporting implicit database access like this one (although the Query is kept as a legacy API), which is why we are replacing such code with explicit calls to session.execute and such.

Thanks again for the detailed report!

[vazovn]

Hi, unfortunately the issue is far from being solved ... The second fix (#17516 - adding .all() to the line) moves the flow forward but at the next step I get this :

Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]: social_core.storage DEBUG 2024-02-22 16:32:06,179 [pN:main.1,p:2317715,tN:WSGI_0]  ============= storage.py  ======== <class 'galaxy.model.UserAuthnzToken'>
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]: galaxy.authnz.managers ERROR 2024-02-22 16:32:06,179 [pN:main.1,p:2317715,tN:WSGI_0] An error occurred when handling callback from `lifeportalfox` identity provider.  Please contact an administrator for assistance.
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]: Traceback (most recent call last):
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:   File "/cluster/galaxy/srv/galaxy/server/lib/galaxy/authnz/managers.py", line 392, in callback
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:     return success, message, backend.callback(state_token, authz_code, trans, login_redirect_url)
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:   File "/cluster/galaxy/srv/galaxy/server/lib/galaxy/authnz/psa_authnz.py", line 218, in callback
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:     redirect_url = do_complete(
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:                    ^^^^^^^^^^^^
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/actions.py", line 58, in do_complete
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:     user_model = backend.strategy.storage.user.user_model()
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:   File "/cluster/galaxy/srv/galaxy/venv/lib/python3.11/site-packages/social_core/storage.py", line 146, in user_model
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]:     raise NotImplementedError('Implement in subclass')
Feb 22 16:32:06 galaxy01.educloud.no galaxyctl[2317715]: NotImplementedError: Implement in subclass

I found out that the method user_modelwas actually missing in ../galaxy/model/__init__.py in the class UserAuthnzToken where it is actually called from venv/lib/python3.11/site-packages/social_core/storage.py .

It is only found in venv/lib/python3.11/site-packages/social_core/storage.py and throws NotImplementedError .

I tried to play with it today, by implementing it in ../model/__init__.pyin the UserAuthnzToken class, passing cls to it as an argument, yet no success - the system throws no more errors but is now complaining about missing kwargs in a light blue band in the Galaxy GUI. I guess, the cls is not what it expects.

Can you have a look at the error log I sent here above? I guess that user_model method has to be properly implemented in the UserAuthnzToken class.

[jdavcs]

Yep, that's refactoring went bad. Fixing now.

[vazovn]

Thank you! I appreciate your quick reaction. We have some users who are pushing us in turn :-)

[jdavcs]

@vazovn can you, please, try the fix in #17530?

[vazovn]

Hi, John,

The last bix fix did the job. I can now log in.

We are using ansible to deploy with galaxy_commit_id: v23.2

How shall I get hold of the fix then?

Thank you very much.

Actually there seem to be other issues which fail, but they are not related to openidc. I will start a new issue for them.

Best regards

Nikolay

[jdavcs]

Nikolay - Can you point it to the latest version of the release_23.2 branch? It's been merged and the latest commit is this one: 51ee56e

[vazovn]

Great, so instead of

9c593cd

I shall put

51ee56e

right?

The version stays the same.

[vazovn]

Thank you, will try tomorrow! Getting a but late here. Thank you very much, John.

[jdavcs]

I think so, yes. Ping me if it doesn't work, or if all breaks again :-)
Glad we sorted out at least part of it! Cheers!

[mvdbeek]

We are using ansible to deploy with galaxy_commit_id: v23.2

That tag corresponds to the the very first commit after making the release and means you're always on the commit of the branch that received the least bugfixes. You're best off simply setting galaxy_commit_id: release_23.2, which pulls the tip of the release_23.2 branch. To update to the tip of the branch simply run the playbook again.

[jdavcs]

Closing this as completed (#17530). Please feel free to reopen if needed.