Error: "Internal error while processing create or refresh token org.jfrog.access.token.exception.TokenScopeException: scope is malformed" when SAML users try to log in to Artifactory.
When a SAML user tries to log in to Artifactory, the UI login fails with a 502 Bad Gateway, and the logs show "Couldn't verify token" / "scope is malformed" errors like the ones below.
Artifactory-service.log:
2023-06-19T08:18:24.973Z [jfrt ] [DEBUG] [055e229b7618d977] [o.a.a.s.s.SamlHandlerImpl:187 ] [tp-nio-8081-exec-844] - resolved SAML user: test1
2023-06-19T08:18:24.973Z [jfrt ] [WARN ] [055e229b7618d977] [.o.SingleSignOnServiceImpl:118] [tp-nio-8081-exec-844] - Couldn't verify token. Reason parse
Access-service.log:
2023-06-19T08:18:24.973Z [jfac ] [ERROR] [055e229b7618d977] [.j.a.s.r.s.RpcTokenResource:70] [c-default-executor-4] - Internal error while processing create or refresh token
org.jfrog.access.token.exception.TokenScopeException: scope is malformed: applied-permissions/user applied-permissions/groups:readers,test-e³,test-e³-group
    at org.jfrog.access.util.TokenScopeUtils.scopeToList(TokenScopeUtils.java:39)
    at org.jfrog.access.server.service.token.TokenRequestEntityModel.toTokenSpec(TokenRequestEntityModel.java:176)
    at org.jfrog.access.server.service.token.TokenServiceImpl.createOrRefreshToken(TokenServiceImpl.java:214)
    at org.jfrog.access.server.service.token.TokenServiceImpl$$FastClassBySpringCGLIB$$325f62b5.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
    at org.springframework.aop.framework.CglibAopProxy.invokeMethod(CglibAopProxy.java:386)
    at org.springframework.aop.framework.CglibAopProxy.access$000(CglibAopProxy.java:85)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:704)
Frontend-service.log:
[055e229b7618d977] [frontend-service.log] [main] - Error: error creating UI session token for user - test1 at Function.createUISessionToken
[055e229b7618d977] [frontend-service.log] [main ] - Error: GRPC error - INTERNAL scope is malformed: applied-permissions/user applied-permissions/groups:test-e³,test-e³-group
[frontend-service.log] [main] - error onAfterSuccessful login|| uncaughtException detected
[frontend-service.log] [main ] - AuthErrorAuthenticateRequest: error onAfterSuccessful login
This issue occurs when the SAML user belongs to groups whose names contain special characters: the group names are embedded in the token scope, the Access service rejects that scope as malformed, and authentication fails. The same behavior is seen when a group name contains letters typed from a non-English keyboard layout, such as German umlauts (ä, ö, ü, ß, etc.).
Avoid creating groups with such special characters or letters. If groups with such names already exist, remove the user from the affected group, then create a new group and permission target with an equivalent permission level and a name that contains no special characters.
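To find which groups are responsible before users hit the 502, an administrator can pull the group list out of the scope string quoted in the access-service.log and flag names that fall outside a plain ASCII allow-list. The script below is an added example, not JFrog's own code; the allow-list `[A-Za-z0-9._-]` is a conservative assumption for auditing, since the page only shows that a superscript digit and umlauts are rejected, and `Gruppe-ä` / `ci-readers` are constructed sample names.

```python
import re
import unicodedata

# Conservative allow-list for group names. This is an assumption for auditing
# purposes, not JFrog's documented scope grammar; the log on this page only
# shows that a superscript digit and umlauts are rejected as "scope is malformed".
SAFE_GROUP_NAME = re.compile(r"^[A-Za-z0-9._-]+$")
SAFE_CHAR = re.compile(r"[A-Za-z0-9._-]")

# Scope string copied from the access-service.log entry on this page.
LOG_SCOPE = "applied-permissions/user applied-permissions/groups:readers,test-e³,test-e³-group"


def groups_from_scope(scope):
    """Extract group names from an Access token scope string.

    The scope is a space-separated list of scope tokens; the groups token is
    'applied-permissions/groups:' followed by a comma-separated list of names.
    """
    groups = []
    for token in scope.split():
        if token.startswith("applied-permissions/groups:"):
            names = token.split(":", 1)[1].split(",")
            groups.extend(name for name in names if name)
    return groups


def flag_unsafe_groups(names):
    """Return [(name, [offending characters])] for names outside the allow-list."""
    flagged = []
    for name in names:
        if SAFE_GROUP_NAME.match(name):
            continue
        bad = sorted({c for c in name if not SAFE_CHAR.fullmatch(c)})
        flagged.append((name, bad))
    return flagged


def describe(char):
    """Human-readable description of a character, e.g. '³' -> 'U+00B3 SUPERSCRIPT THREE'."""
    return f"U+{ord(char):04X} {unicodedata.name(char, 'UNKNOWN')}"


if __name__ == "__main__":
    # Groups taken from the scope in the log on this page.
    for name, bad in flag_unsafe_groups(groups_from_scope(LOG_SCOPE)):
        print(f"group {name!r}: " + ", ".join(describe(c) for c in bad))
    # Constructed sample names showing the umlaut case described in the article.
    for name, bad in flag_unsafe_groups(["Gruppe-ä", "ci-readers"]):
        print(f"group {name!r}: " + ", ".join(describe(c) for c in bad))
```

Run against the scope from the log, the script reports `test-e³` and `test-e³-group`, each because of U+00B3 SUPERSCRIPT THREE, while `readers` passes; the same check can be run over the full group list exported from the Artifactory UI or REST API to spot candidates for renaming before any SAML user is mapped to them.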