      request #44855 OIDC connection failed because of too long username
    Infos
    #44855
    Aurélien Tisné (atisne)
    2026-02-06 14:11
    2025-09-19 19:23
    46591
    Details
    OIDC connection failed because of too long username

    When connecting using OpenIDConnect, we can receive long user names from the remote user repository. For instance, some organizations used to prefix subcontractors' names with the name of their companies.

    So, the name may exceed the unix max limitation of 30 characters.

    We propose that the class UserNameNormalizer ensures that the name doesn't exceed this limit to avoid a connection failure.

    Authentication & LDAP
    16.11
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2026-02-06
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2026-02-04 09:09

    I confirm, it is still half-fixed/half-broken.


    • Category changed from OAuth2 / OpenID Connect server to Authentication & LDAP
    • Status changed from Closed to Reopen
    • Assigned to changed from None to Thomas Gerbet (tgerbet)
    • Close date cleared

    Another remark. I understand that the goal of the last loop is to build a unique username within the size limit of USERNAME_MAX_LENGTH. But the suffix increment disappeared. So, I think the generated username is always the same. I think we should keep the suffix increment.


    @tgerbet I would like to reopen this ticket. The issue is still there.

    The idea is to not reject usernames (obtained from the OIDC module) that exceed the USERNAME_MAX_LENGTH. If we don't truncate it before the isUnixValid check, we can't authenticate.


    I'm not sure the proposed fix is done at the right place. In this location, we should think that the fix is partial. It fixes the use case of this ticket but not all the cases. Maybe, it should rather be done in the openidconnectclient plugin (plugins/openidconnectclient/include/OpenIDConnectClient/Login/Registration/UsernameGenerator.php).

    What's your opinion?
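
The truncation and suffix increment discussed in the comments above, as an added PHP example that is not Tuleap's code: the name is cut to USERNAME_MAX_LENGTH before any validity check, and the base is shortened to make room for the counter so the counter keeps incrementing. The function names, the allowed-character rule and the sample data are assumptions; only the 30-character limit and the USERNAME_MAX_LENGTH name come from the ticket.

```php
<?php
declare(strict_types=1);

// Added example, not Tuleap code. The limit of 30 comes from the ticket;
// the character rules and the function names below are assumptions.
const USERNAME_MAX_LENGTH = 30;

/** Reduce a name received from the identity provider to [a-z0-9_.-] and cap its length. */
function normalizeUsername(string $raw): string
{
    $name = strtolower(trim($raw));
    $name = preg_replace('/[^a-z0-9_.-]+/', '_', $name) ?? '';
    $name = ltrim($name, '_.-');   // assumed rule: no leading punctuation
    if ($name === '') {
        $name = 'user';            // constructed fallback for names with no usable characters
    }
    // Truncate here, before any Unix validity check sees the name.
    return substr($name, 0, USERNAME_MAX_LENGTH);
}

/**
 * Return a free username that never exceeds USERNAME_MAX_LENGTH.
 * The base is shortened by the length of the counter, so the counter is
 * never cut off and each attempt produces a different candidate.
 */
function generateUniqueUsername(string $raw, callable $isTaken, int $maxAttempts = 1000): string
{
    $base = normalizeUsername($raw);
    if (! $isTaken($base)) {
        return $base;
    }
    for ($i = 1; $i <= $maxAttempts; $i++) {
        $suffix    = (string) $i;
        $candidate = substr($base, 0, USERNAME_MAX_LENGTH - strlen($suffix)) . $suffix;
        if (! $isTaken($candidate)) {
            return $candidate;
        }
    }
    throw new RuntimeException('No free username found within the attempt limit');
}

// Constructed sample data: a subcontractor name prefixed with a company name,
// and two existing accounts that already occupy the first candidates.
$existing = ['acme_consulting_services_jean-' => true, 'acme_consulting_services_jean1' => true];
$isTaken  = static fn (string $name): bool => isset($existing[$name]);

echo generateUniqueUsername('ACME Consulting Services Jean-Baptiste Dupont', $isTaken), PHP_EOL;
```

Because two different remote names can share the same first 30 characters, the uniqueness lookup is what keeps them from resolving to the same local username.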