Project Quay / PROJQUAY-8593

Quay creates a duplicate user when logging in via CLI with OIDC authentication (RHBK), resulting in an "Email has already been used" error.

Type: Bug
Priority: Undefined
Resolution: Unresolved
Labels: -area/oauth

1. Set up Quay with OIDC Authentication (Keycloak)

   Quay is configured with Keycloak using the following config.yaml:

   AUTHENTICATION_TYPE: OIDC
   KEYCLOAK_LOGIN_CONFIG:
     OIDC_SERVER: https://keycloak-keycloak.apps.cwl-site3.npss.bos2.lab/realms/quayrealm/
     CLIENT_ID: cwl-site3-quay
     CLIENT_SECRET: NgGJ1vKKY8P3wRPojFxgCWRdw6eBLxZ1
     SERVICE_NAME: keycloak
     VERIFIED_EMAIL_CLAIM_NAME: email
     PREFERRED_USERNAME_CLAIM_NAME: preferred_username
     LOGIN_SCOPES: ['openid']

2. Login via Quay UI (Success)

   • Navigate to https://quay.apps.cwl-site3.npss.bos2.lab
   • Click Login with Keycloak
   • Successfully authenticated as user4
   • Database validation:

     SELECT * FROM federatedlogin

      id | user_id | service_id |            service_ident             |         metadata_json
     ----+---------+------------+--------------------------------------+-------------------------------
       1 |       1 |          9 | 7f2bab63-7a1f-4f7a-b32e-0914f34d4053 | {"service_username": "user4"}

3. Login via Podman CLI (Fails)

   podman login quay.apps.cwl-site3.npss.bos2.lab -u user4 -p mypassword

   • Error message:

     Failed to validate credentials for user user4: Email has already been used: user45@dummy.com

   • Database query shows existing user:

     SELECT * FROM "user";

      id |                 uuid                 | username |      email
     ----+--------------------------------------+----------+------------------
       1 | a5dcb582-9907-4fdc-876b-3702b6948a56 | user4    | user45@dummy.com

4. Set OIDC_DISABLE_USER_ENDPOINT: true and Retry (Still Fails)

   • After adding OIDC_DISABLE_USER_ENDPOINT: true to config.yaml, the error message changes to:

     unable to retrieve auth token: invalid username/password: unauthorized: 'NoneType' object has no attribute 'to_url'
         

      When integrating Quay with Keycloak for authentication via OIDC, logging in via the UI works as expected, and the user is properly mapped in the federatedlogin table. However, when the same user logs in via Podman CLI, Quay attempts to create a new user instead of mapping to the existing one.

      This results in an error message:

      Email has already been used: user45@dummy.com

      Additionally, after setting OIDC_DISABLE_USER_ENDPOINT: true in the Quay configuration, the error changes to:

      unable to retrieve auth token: invalid username/password: unauthorized: 'NoneType' object has no attribute 'to_url'

      It appears that Quay is handling authentication inconsistently between UI and CLI logins, possibly due to differences in how it retrieves user information from Keycloak.

In the logs, Quay tries to query a user40, which doesn't exist on Keycloak or anywhere else:

      gunicorn-registry stdout | 2025-02-18 21:50:42,722 [301] [DEBUG] [peewee] ('SELECT "t1"."id", "t1"."uuid", "t1"."username", "t1"."password_hash", "t1"."email", "t1"."verified", "t1"."stripe_id", "t1"."organization", "t1"."robot", "t1"."invoice_email", "t1"."invalid_login_attempts", "t1"."last_invalid_login", "t1"."removed_tag_expiration_s", "t1"."enabled", "t1"."invoice_email_address", "t1"."given_name", "t1"."family_name", "t1"."company", "t1"."location", "t1"."maximum_queued_builds_count", "t1"."creation_date", "t1"."last_accessed" FROM "user" AS "t1" WHERE ("t1"."username" = %s) LIMIT %s OFFSET %s', ['user40', 1, 0])
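The description above distinguishes three outcomes for an incoming OIDC identity: it resolves to an existing federatedlogin row (the UI login), it collides with an existing user row by email (the CLI failure), or no account exists yet. The script below is an added example, not Quay's code: it loads the two rows shown in this report into an in-memory SQLite database with a minimal stand-in for the user and federatedlogin tables, resolves an identity in link-then-create order, and extracts the username Quay looked up from a peewee DEBUG line like the one above (shortened here and labelled as constructed). The service_id 9, the row values and the sample subjects are taken from the report or constructed; the resolution order is an illustration of the behaviour an operator would expect, not a statement of how Quay implements it.

```python
import ast
import re
import sqlite3

# Rows copied from the bug report (service_id 9 is the keycloak login service there).
KEYCLOAK_SERVICE_ID = 9
USER_ROWS = [
    (1, "a5dcb582-9907-4fdc-876b-3702b6948a56", "user4", "user45@dummy.com"),
]
FEDERATED_ROWS = [
    (1, 1, KEYCLOAK_SERVICE_ID, "7f2bab63-7a1f-4f7a-b32e-0914f34d4053",
     '{"service_username": "user4"}'),
]

# Constructed log line, shortened from the peewee DEBUG line in the report.
SAMPLE_LOG_LINE = (
    "gunicorn-registry stdout | 2025-02-18 21:50:42,722 [301] [DEBUG] [peewee] "
    "('SELECT \"t1\".\"id\", \"t1\".\"username\", \"t1\".\"email\" FROM \"user\" AS \"t1\" "
    "WHERE (\"t1\".\"username\" = %s) LIMIT %s OFFSET %s', ['user40', 1, 0])"
)


def build_db():
    """In-memory stand-in for the two tables, with the uniqueness rules that
    make a second insert of the same email fail (minimal schema, not Quay's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        'CREATE TABLE "user" ('
        "  id INTEGER PRIMARY KEY, uuid TEXT, username TEXT UNIQUE, email TEXT UNIQUE);"
        "CREATE TABLE federatedlogin ("
        '  id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES "user"(id),'
        "  service_id INTEGER, service_ident TEXT, metadata_json TEXT,"
        "  UNIQUE (service_id, service_ident));"
    )
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?, ?)', USER_ROWS)
    conn.executemany("INSERT INTO federatedlogin VALUES (?, ?, ?, ?, ?)", FEDERATED_ROWS)
    return conn


def resolve_identity(conn, service_id, subject, username, email):
    """Decide what a login flow should do with an OIDC identity.

    Order: (1) an existing federatedlogin row for this subject wins;
    (2) a user row with the same verified email should be linked, never
    re-created (inserting here is what yields "Email has already been used");
    (3) a username clash is reported; (4) otherwise a new user is created.
    """
    row = conn.execute(
        "SELECT user_id FROM federatedlogin WHERE service_id = ? AND service_ident = ?",
        (service_id, subject),
    ).fetchone()
    if row:
        return ("linked", row[0])
    row = conn.execute('SELECT id FROM "user" WHERE email = ?', (email,)).fetchone()
    if row:
        return ("link-existing-by-email", row[0])
    row = conn.execute('SELECT id FROM "user" WHERE username = ?', (username,)).fetchone()
    if row:
        return ("username-taken", row[0])
    return ("create", None)


def username_known(conn, username):
    """True if the user table has an account with this username."""
    return conn.execute('SELECT 1 FROM "user" WHERE username = ?', (username,)).fetchone() is not None


PEEWEE_RE = re.compile(r"\[peewee\] \('(?P<sql>.*?)', (?P<params>\[[^\]]*\])\)\s*$")


def looked_up_username(log_line):
    """Return the value bound to "username" = %s in a peewee DEBUG log line, or
    None if the line is not such a lookup. Placeholders that appear before the
    username comparison are counted so the right parameter is picked."""
    m = PEEWEE_RE.search(log_line)
    if not m:
        return None
    sql = m.group("sql")
    pos = sql.find('"username" = %s')
    if pos < 0:
        return None
    params = ast.literal_eval(m.group("params"))
    return params[sql[:pos].count("%s")]


if __name__ == "__main__":
    db = build_db()
    # The UI case: the Keycloak subject already has a federatedlogin row.
    print(resolve_identity(db, KEYCLOAK_SERVICE_ID,
                           "7f2bab63-7a1f-4f7a-b32e-0914f34d4053", "user4", "user45@dummy.com"))
    # The CLI failure shape: same email, no federatedlogin row for the subject seen.
    print(resolve_identity(db, KEYCLOAK_SERVICE_ID,
                           "constructed-other-subject", "user4", "user45@dummy.com"))
    name = looked_up_username(SAMPLE_LOG_LINE)
    print(name, "known" if username_known(db, name) else "unknown")
```

Run against the report's rows, the first call returns ("linked", 1), the second ("link-existing-by-email", 1), and the log helper reports that user40 is unknown to the user table, which is the mismatch the reporter points at. The middle outcome is the one to watch for when triaging: an account with that email exists, so the correct action is to add a federatedlogin row for the new subject, and any code path that inserts a fresh user instead will trip the email uniqueness rule.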

Assignee: Unassigned
Reporter: rh-ee-sdennis Sollinsnaya Sanchez Patino