403 Forbidden after successful Azure AD

[2silver]

Dependency-Track Version: v4.11.0
Distribution: Docker (+Traefik)
Database Server: PostgreSQL

We are attempting to connect the platform with Azure OAuth. Generally, it works - the user is successfully listed in "dependencytrack" under "OpenID Connect-User" - however, the user cannot log in.

Returning to the platform, we encounter the following messages and a lot "Forbidden (403)" Messages:

RangeError: Maximum call stack size exceeded

Uncaught (in promise) Error: Redirected when going from "/login?redirect=%2Fdashboard" to "/dashboard" via a navigation guard.

Following is the docker-compose.yml configuration:

version: "3"

services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    container_name: dtrack-apiserver
    environment:
      - "ALPINE_DATABASE_MODE=external"
      - "ALPINE_DATABASE_DRIVER=org.postgresql.Driver"
      - "ALPINE_DATABASE_URL=jdbc:postgresql://1.1.1.1:3333/deptrack"
      - "ALPINE_DATABASE_USERNAME=user_deptrack"
      - "ALPINE_DATABASE_PASSWORD=mysecrethiddenpwd"
      - "ALPINE_DATABASE_POOL_ENABLED=true"
      - "ALPINE_DATABASE_POOL_MAX_SIZE=20"
      - "ALPINE_DATABASE_POOL_MIN_IDLE=10"
      - "ALPINE_DATABASE_POOL_IDLE_TIMEOUT=300000"
      - "ALPINE_DATABASE_POOL_MAX_LIFETIME=600000"
      - "ALPINE_OIDC_ENABLED=true"
      - "ALPINE_OIDC_TEAMS_CLAIM=groups"
      - "ALPINE_OIDC_USER_PROVISIONING=true"
      - "ALPINE_OIDC_TEAM_SYNCHRONIZATION=true"
      - "ALPINE_OIDC_ISSUER=https://login.microsoftonline.com/secrettenantid/v2.0"
      - "ALPINE_OIDC_CLIENT_ID=666-veryhighlysecret-666"
      - "LOGGING_LEVEL=TRACE"
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
      restart_policy:
        condition: on-failure
    networks:
      - deptrack
      - frontend
    volumes:
      - "dependency-track:/data"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.deptrackapi.entrypoints=https"
      - "traefik.http.routers.deptrackapi.rule=Host(`deptrack.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.deptrackapi.middlewares=securityHeaders@file,compressContent@file"
      - "traefik.http.services.deptrackapi.loadbalancer.server.port=8080"

  dtrack-frontend:
    image: dependencytrack/frontend
    container_name: dtrack-frontend
    depends_on:
      - dtrack-apiserver
    environment:
      - "API_BASE_URL=https://deptrack.example.com"
      - "OIDC_ISSUER=https://login.microsoftonline.com/secrettenantid/v2.0"
      - "OIDC_CLIENT_ID=666-veryhighlysecret-666"
      - "OIDC_SCOPE=openid email"
      - "OIDC_FLOW=implicit"
      - "OIDC_LOGIN_BUTTON_TEXT=Azure SSO"
      - "LOGGING_LEVEL=DEBUG"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.deptrack.rule=Host(`deptrack.example.com`)"
      - "traefik.http.routers.deptrack.entrypoints=https"
      - "traefik.http.routers.deptrack.tls=true"
      - "traefik.http.middlewares.deptrack-stripprefix.stripprefix.prefixes=/"
      - "traefik.http.routers.deptrack.middlewares=deptrack-stripprefix,securityHeaders@file,compressContent@file"
    networks:
      - deptrack
      - frontend
    restart: unless-stopped

networks:
  deptrack:
  frontend:
    external: true

volumes:
  dependency-track:

We have also tested several different configurations - unfortunately, the result was always the same.

Does anyone have an idea what mistake/setting we might have overlooked?

[freeman888]

So does this solved?

[freeman888]

Ive met the same problem

[Cogitri]

FWIW, we had the same problem, one has to create an OpenID Connect Group and map that to a Team that has permission to actually view the dashboard of Dependency-Track.