500 error when logging in via OpenIDConnect with Azure AD

When I logged in to our team’s GitLab with OpenIDConnect, I got a 500 error. The log said:

Mail::Field::IncompleteParseError (Mail::AddressList can not parse |temp-email-for-oauth-pppwaw@xxxxxxxxxx.net@gitlab.localhost|: Only able to parse up to "temp-email-for-oauth-pppwaw@xxxxxxxxxx.net@gitlab.localhost"):

app/models/concerns/restricted_signup.rb:79:in `new'
app/models/concerns/restricted_signup.rb:79:in `domain_matches?'
app/models/concerns/restricted_signup.rb:68:in `allowed_domain?'
app/models/concerns/restricted_signup.rb:8:in `validate_admin_signup_restrictions'
app/models/user.rb:2218:in `email_allowed_by_restrictions?'
lib/gitlab/database/load_balancing/connection_proxy.rb:119:in `block in write_using_load_balancer'
lib/gitlab/database/load_balancing/load_balancer.rb:112:in `block in read_write'
lib/gitlab/database/load_balancing/load_balancer.rb:172:in `retry_with_backoff'
lib/gitlab/database/load_balancing/load_balancer.rb:110:in `read_write'
lib/gitlab/database/load_balancing/connection_proxy.rb:118:in `write_using_load_balancer'
lib/gitlab/database/load_balancing/connection_proxy.rb:70:in `transaction'
app/services/users/update_service.rb:35:in `execute'
app/services/users/update_service.rb:44:in `execute!'
lib/gitlab/auth/o_auth/user.rb:55:in `save'
lib/gitlab/auth/o_auth/user.rb:86:in `find_and_update!'
app/controllers/omniauth_callbacks_controller.rb:162:in `sign_in_user_flow'
app/controllers/omniauth_callbacks_controller.rb:130:in `omniauth_flow'
app/controllers/omniauth_callbacks_controller.rb:17:in `handle_omniauth'
ee/lib/gitlab/ip_address_state.rb:10:in `with'
ee/app/controllers/ee/application_controller.rb:45:in `set_current_ip_address'
app/controllers/application_controller.rb:527:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:518:in `set_session_storage'
lib/gitlab/i18n.rb:105:in `with_locale'
lib/gitlab/i18n.rb:111:in `with_user_locale'
app/controllers/application_controller.rb:512:in `set_locale'
app/controllers/application_controller.rb:506:in `set_current_context'
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/web_transaction.rb:46:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:37:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

My config of OmniAuth:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
#gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
#gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_auto_link_user'] = ['saml']
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "SSO", # optional label for login button, defaults to "Openid Connect"
    args: {
      name: "openid_connect",
      scope: ["openid", "profile", "email"],
      response_type: "code",
      issuer:  "https://login.microsoftonline.com/xxxxxxxxxx2/v2.0",
      client_auth_method: "query",
      discovery: true,
      uid_field: "sub",
      client_options: {
        identifier: "xxxxxxxxxx",
        secret: "xxxxxxxxxx",
        redirect_uri: "https://xxxxxxxxxx/users/auth/openid_connect/callback"
      }
    }
  }
]

My GitLab version: 15.0.3-ee
Is there an error in my configuration? Does anyone have any suggestions?

Okay. After I set an email address for my account, I fixed this problem …

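The address in the log carries two `@` signs, which is what a placeholder built from a UPN-style username looks like when the ID token has no `email` claim. The following Ruby check is an added example, not part of the original posts and not GitLab's code: it inspects a token's claims and predicts whether the resulting address would parse. Assumptions: the placeholder format is copied from the log line above, the username is taken from `preferred_username`, the address check is a simplified stand-in for `Mail::AddressList`, and the sample token is constructed.

```ruby
require "base64"
require "json"

# Assumption: placeholder domain copied from the log line in the post.
PLACEHOLDER_DOMAIN = "gitlab.localhost"

# Decode a JWT payload for inspection only; the signature is NOT verified.
def id_token_claims(jwt)
  payload = jwt.split(".")[1] or raise ArgumentError, "not a JWT"
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# Simplified stand-in for the mail parser: exactly one "@",
# non-empty local part and domain, no whitespace.
def plausible_address?(addr)
  local, domain, extra = addr.to_s.split("@", -1)
  extra.nil? && !local.to_s.empty? && !domain.to_s.empty? && addr !~ /\s/
end

# Report the address sign-in would end up with for these claims.
def diagnose(claims)
  email = claims["email"].to_s
  return { status: :ok, email: email } if plausible_address?(email)

  # Assumption: the username comes from preferred_username (falling back to sub).
  username = (claims["preferred_username"] || claims["sub"]).to_s
  placeholder = "temp-email-for-oauth-#{username}@#{PLACEHOLDER_DOMAIN}"
  status = plausible_address?(placeholder) ? :placeholder_ok : :placeholder_unparseable
  { status: status, email: placeholder }
end

# Constructed sample token (unsigned, illustrative values only).
def sample_token(claims)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.({ "alg" => "none" }), enc.(claims), "sig"].join(".")
end

if __FILE__ == $PROGRAM_NAME
  no_email = sample_token("sub" => "abc123", "preferred_username" => "user@example.test")
  with_email = sample_token("sub" => "abc123", "email" => "user@example.test")
  [no_email, with_email].each { |t| p diagnose(id_token_claims(t)) }
end
```

A `:placeholder_unparseable` result corresponds to the situation in the log; once the account has an email address and the token carries an `email` claim, the result is `:ok`.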