ARTIFACTORY: Error: "Internal error while processing create or refresh token org.jfrog.access.token.exception.TokenScopeException: scope is malformed" When SAML users try to login with Artifactory

Author: Janardhana JL
Article number: 000005921
Source: Salesforce
First published: 2023-12-14T20:51:33Z
Last modified: 2023-11-29
Version: 1

Error: "Internal error while processing create or refresh token org.jfrog.access.token.exception.TokenScopeException: scope is malformed" When SAML users try to login with Artifactory.

When a SAML user tries to log in to Artifactory, the login fails at the UI level with a 502 Bad Gateway, and the logs show the token verification failures reproduced below.

Artifactory-service.log:
2023-06-19T08:18:24.973Z [jfrt ] [DEBUG] [055e229b7618d977] [o.a.a.s.s.SamlHandlerImpl:187 ] [tp-nio-8081-exec-844] - resolved SAML user: test1

2023-06-19T08:18:24.973Z [jfrt ] [WARN ] [055e229b7618d977] [.o.SingleSignOnServiceImpl:118] [tp-nio-8081-exec-844] - Couldn't verify token. Reason parse

Access-service.log:
2023-06-19T08:18:24.973Z [jfac ] [ERROR] [055e229b7618d977] [.j.a.s.r.s.RpcTokenResource:70] [c-default-executor-4] - Internal error while processing create or refresh token
org.jfrog.access.token.exception.TokenScopeException: scope is malformed: applied-permissions/user applied-permissions/groups:readers,test-e³,test-e³-group
    at org.jfrog.access.util.TokenScopeUtils.scopeToList(TokenScopeUtils.java:39)
    at org.jfrog.access.server.service.token.TokenRequestEntityModel.toTokenSpec(TokenRequestEntityModel.java:176)
    at org.jfrog.access.server.service.token.TokenServiceImpl.createOrRefreshToken(TokenServiceImpl.java:214)
    at org.jfrog.access.server.service.token.TokenServiceImpl$$FastClassBySpringCGLIB$$325f62b5.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
    at org.springframework.aop.framework.CglibAopProxy.invokeMethod(CglibAopProxy.java:386)
    at org.springframework.aop.framework.CglibAopProxy.access$000(CglibAopProxy.java:85)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:704)

Frontend-service.log:
[055e229b7618d977] [frontend-service.log] [main] - Error: error creating UI session token for user - test1
    at Function.createUISessionToken

[055e229b7618d977] [frontend-service.log] [main ] - Error: GRPC error - INTERNAL scope is malformed: applied-permissions/user applied-permissions/groups:test-e³,test-e³-group

[frontend-service.log] [main] - error onAfterSuccessful login||  uncaughtException detected

[frontend-service.log] [main ] - AuthErrorAuthenticateRequest: error onAfterSuccessful login

This issue is observed when the SAML user belongs to groups whose names contain special characters, which causes the token scope to be rejected and authentication to fail. It has also been seen when a group name contains letters specific to a keyboard layout, such as German umlauts (ä, ö, ü, ß, etc.); groups created with such letters trigger the same behavior.

Hence, avoid creating groups whose names contain such special characters or letters. If such groups already exist, remove the user from the group with the special character and create a new group/permission target with an equivalent permission level and a name that contains no special characters, which resolves the issue.
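As an added example (not part of the original article and not JFrog code), the following Python script parses the `applied-permissions/groups:` token out of a scope string such as the one in the Access log above and reports which group names contain characters outside a conservative ASCII allowlist. The allowlist (`A-Z`, `a-z`, digits, `-`, `_`, `.`) is an assumption for this check; the exact scope grammar that Access enforces is not documented on this page. The `SAMPLE_GROUP_NAMES` list is constructed to also show the umlaut case the article mentions.

```python
import re
import unicodedata

# Scope string copied from the Access-service log line quoted in this article.
SAMPLE_SCOPE = (
    "applied-permissions/user "
    "applied-permissions/groups:readers,test-e³,test-e³-group"
)

# Constructed sample of group names, e.g. as exported from the Artifactory group list.
SAMPLE_GROUP_NAMES = ["readers", "developers", "admin-grüppe", "test-e³"]

# ASSUMPTION: a conservative allowlist; the real grammar Access applies to scope
# tokens is not stated on this page. Anything outside this set is flagged.
SAFE_GROUP_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def groups_from_scope(scope: str) -> list[str]:
    """Extract the comma-separated group names from the
    'applied-permissions/groups:' token of a space-separated scope string."""
    groups: list[str] = []
    for token in scope.split():
        if token.startswith("applied-permissions/groups:"):
            _, _, names = token.partition(":")
            groups.extend(name for name in names.split(",") if name)
    return groups


def suspicious_chars(name: str) -> list[tuple[str, str]]:
    """Return (character, Unicode name) for every character in `name`
    that is outside the allowlist, so the offending letter is identifiable
    even when it looks similar to an ASCII one."""
    return [
        (ch, unicodedata.name(ch, "UNKNOWN"))
        for ch in name
        if not SAFE_GROUP_NAME.match(ch)
    ]


def flag_groups(names: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each group name that fails the allowlist to its offending characters.
    Names that pass are omitted."""
    return {name: suspicious_chars(name) for name in names if not SAFE_GROUP_NAME.match(name)}


if __name__ == "__main__":
    print("Groups found in scope:", groups_from_scope(SAMPLE_SCOPE))
    for source, names in (("scope", groups_from_scope(SAMPLE_SCOPE)),
                          ("group list", SAMPLE_GROUP_NAMES)):
        for name, chars in flag_groups(names).items():
            detail = ", ".join(f"{c!r} ({u})" for c, u in chars)
            print(f"[{source}] {name!r}: {detail}")
```

Running the script against the scope from the log reports `test-e³` and `test-e³-group` with `'³' (SUPERSCRIPT THREE)`, and the constructed list additionally reports `admin-grüppe` with `'ü' (LATIN SMALL LETTER U WITH DIAERESIS)`; any group so reported is a candidate for the rename/recreate step described above.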