Email Notification for OIDC Groups is not working #2647

Closed
2 tasks done
sahil3112 opened this issue Apr 7, 2023 · 12 comments
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk

@sahil3112

Current Behavior

I receive the mail notification when the team mapped to an alert contains local users, but I didn't get the mail notification when the team is mapped to an OIDC Group.

Steps to Reproduce

  1. Set up an OIDC Group in the OIDC Tool
  2. Add a user to that OIDC Group
  3. Create an OIDC Group in Dependency-Track
  4. Create a Team in Dependency-Track and map that OIDC Group to the Team that we created in Dependency-Track
  5. Set up Mail Configuration
  6. Go to the alert, select Email as the Publisher, and then select as the recipient the same Team to which we mapped the OIDC Group

After doing all the steps, I didn't get a mail notification, but I get the mail notification if I create a local user.

Expected Behavior

Mail notification is sent to the users under the OIDC Group.

Dependency-Track Version

4.7.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

@sahil3112 sahil3112 added defect Something isn't working in triage labels Apr 7, 2023
@valentijnscholten
Contributor

Just to be sure, did you log in at least once to make sure the OIDC user gets created and actually mapped into the Team in DT?

@sahil3112
Author

sahil3112 commented Apr 8, 2023

Hi @valentijnscholten, I have made sure that the user is mapped to the OIDC Group and that the OIDC Group is mapped to the local team.

@valentijnscholten
Contributor

According to the code and test case, OIDC users should also get the email notification. Can you confirm my question above? You need to log in at least once with the user to have the user created inside DT. Otherwise DT is not aware of the existence of the user. Also, the email address field needs to be populated.

```java
static String[] parseDestination(final JsonObject config, final List<Team> teams) {
    String[] destination = teams.stream().flatMap(
            team -> Stream.of(
                    Arrays.stream(config.getString("destination").split(",")).filter(Predicate.not(String::isEmpty)),
                    Optional.ofNullable(team.getManagedUsers()).orElseGet(Collections::emptyList).stream().map(ManagedUser::getEmail).filter(Objects::nonNull),
                    Optional.ofNullable(team.getLdapUsers()).orElseGet(Collections::emptyList).stream().map(LdapUser::getEmail).filter(Objects::nonNull),
                    Optional.ofNullable(team.getOidcUsers()).orElseGet(Collections::emptyList).stream().map(OidcUser::getEmail).filter(Objects::nonNull)
            )
            .reduce(Stream::concat)
            .orElseGet(Stream::empty)
    )
    .distinct()
    .toArray(String[]::new);
    return destination.length == 0 ? null : destination;
}
```

@sahil3112
Author

Hi @valentijnscholten,

Thanks for the info.

I have checked that the OIDC user in DT is mapped to the team for which I have set up the alert.
But in the configuration test, mail is sent by DT, and if the user is mapped locally then I also get the mail with the same setup,
and I also didn't get any error logs in DT.

Is there anything I am missing in the "OIDC_SCOPE=openid email profile groups"?

Not sure. In the local user I get the mail, but in the OIDC user I didn't get the mail notification.

@sahil3112
Author

When I use the below API call

GET /api/v1/user/oidc

then I only get the username and subjectIdentifier; I didn't get the email of the users in the user list.

```json
{
  "username": "USERNAME",
  "subjectIdentifier": "IDENTIFIER",
  "teams": [
    {
      "uuid": "ID",
      "name": "Team Name"
    }
  ]
}
```

@rkg-mm
Contributor

rkg-mm commented Apr 10, 2023

There was a bug in the current version affecting LDAP users in the underlying Alpine framework.
We fixed that for LDAP in the upcoming DTrack 4.8 version.

Could it be that the same happens for OIDC?
See #2320

@syalioune
Contributor

It's simpler than the problem with LDAP.

The email field of OIDCUSER is not persistent, so emails from synced users are never stored, hence why `Optional.ofNullable(team.getOidcUsers()).orElseGet(Collections::emptyList).stream().map(OidcUser::getEmail).filter(Objects::nonNull)` always returns an empty array.
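A check for the condition described in this comment and visible in the API output quoted earlier, as an added example that is not part of the original thread or of Dependency-Track: it groups OIDC users by team and lists the teams whose OIDC members have no stored email, which are the teams an email alert would skip. The sample data is constructed, and treating the response as a JSON array of entries with an optional `email` key is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the GET /api/v1/user/oidc entry quoted in the
# thread. Assumption: the response is a JSON array and "email" may be absent.
SAMPLE_RESPONSE = """
[
  {"username": "alice", "subjectIdentifier": "sub-1",
   "teams": [{"uuid": "t-1", "name": "AppSec"}]},
  {"username": "bob", "subjectIdentifier": "sub-2", "email": "",
   "teams": [{"uuid": "t-1", "name": "AppSec"},
             {"uuid": "t-2", "name": "Platform"}]},
  {"username": "carol", "subjectIdentifier": "sub-3",
   "email": "carol@example.test",
   "teams": [{"uuid": "t-2", "name": "Platform"}]}
]
"""


def audit_oidc_recipients(users):
    """Group OIDC users by team, split by whether an email is stored."""
    report = defaultdict(
        lambda: {"name": None, "with_email": [], "without_email": []})
    for user in users:
        # Absent, null and blank values are all treated as "no address".
        email = (user.get("email") or "").strip()
        for team in user.get("teams") or []:
            entry = report[team["uuid"]]
            entry["name"] = team.get("name")
            key = "with_email" if email else "without_email"
            entry[key].append(user["username"])
    return dict(report)


def teams_without_oidc_recipients(report):
    """Teams whose OIDC members contribute no address to an email alert."""
    return sorted(
        uuid for uuid, entry in report.items()
        if entry["without_email"] and not entry["with_email"]
    )


if __name__ == "__main__":
    report = audit_oidc_recipients(json.loads(SAMPLE_RESPONSE))
    for uuid in teams_without_oidc_recipients(report):
        print(f"team {report[uuid]['name']} ({uuid}): no OIDC member has an email")
```

A team flagged here can still receive mail through local or LDAP members or a configured destination address, so the result covers only the OIDC part of the recipient list.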

@sahil3112
Author

Hi @syalioune,

Thanks for the information.

Can you please recommend a possible solution? Is there anything we have to do in IAM services?

@syalioune
Contributor

> Can you please recommend a possible solution? Is there anything we have to do in IAM services?

No, nothing. A fix/feature should be implemented in DT (Alpine framework) to handle this use case.

@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk and removed in triage labels Apr 11, 2023
@nscuro
Member

nscuro commented Apr 11, 2023

Thanks all, I raised a PR for Alpine to fix this: stevespringett/Alpine#484

As it is a low-risk change, hopefully we can include it in the upcoming 4.8 release.

@nscuro nscuro added this to the 4.8 milestone Apr 12, 2023
@nscuro
Member

nscuro commented Apr 12, 2023

Fixed in stevespringett/Alpine#484.

@nscuro nscuro closed this as completed Apr 12, 2023
@nscuro nscuro changed the title Email Notification for OICD Groups is not working Email Notification for OIDC Groups is not working Apr 12, 2023
@github-actions
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 13, 2023