#9421 ipa idp-add --provider silently ignores options like --scope
Closed: fixed a year ago by frenaud. Opened a year ago by cheimes.

Issue

When a provider is passed to ipa idp-add, the command silently ignores several parameters like --scope and --idp-user-id.

Steps to Reproduce

ipa idp-add example --provider=keycloak --base-url=https://idp.test --organization=org --scope=customscope --idp-user-id=customid --client-id=clientid

Actual behavior

----------------------------------------
Added Identity Provider server "example"
----------------------------------------
  Identity Provider server name: example
  Authorization URI: https://idp.test/realms/org/protocol/openid-connect/auth
  Device authorization URI: https://idp.test/realms/org/protocol/openid-connect/auth/device
  Token URI: https://idp.test/realms/org/protocol/openid-connect/token
  User info URI: https://idp.test/realms/org/protocol/openid-connect/userinfo
  Client identifier: clientid
  Scope: openid email
  External IdP user identifier attribute: email

Expected behavior

The command should either fail or (preferable) use the options for scope and external id.

  Scope: customscope
  External IdP user identifier attribute: customid

Version/Release/Distribution

ipa-server-4.10.1-8.el9_2.x86_64


A possible solution is to go over individual options after self._convert_provider_to_endpoints() and override in attrs_list both ipaidpscope and ipaidpsub if they present in the options.

Does entry attrs implement the full dict interface? If yes, then you could use setdefault(key, value) method. The method only adds new keys, never overrides existing keys.

It does but we don't want to have everything from options and we exactly want to override existing keys which were set by the self._convert_provider_to_endpoints().

The following worked for me:

$ git diff
diff --git a/ipaserver/plugins/idp.py b/ipaserver/plugins/idp.py
index 59d942de9..697eb46ca 100644
--- a/ipaserver/plugins/idp.py
+++ b/ipaserver/plugins/idp.py
@@ -350,6 +350,9 @@ class idp_add(LDAPCreate):
                                 name=self.options[s].cli_name,
                                 error=_('value is missing'))
                     points[k] = template_str(v, elements)
+                elif k in elements:
+                    points[k] = elements[k]
+
             entry_attrs.update(points)

     def get_options(self):

master:

  • 69e4397 idp: when adding an IdP allow to override IdP options

ipa-4-10:

  • 1ac3784 idp: when adding an IdP allow to override IdP options

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Log in to comment on this ticket.

Metadata