Sitecore Identity - Sticky Virtual User Properties Issue

-

 I recently came across an issue with our CMS users getting elevated access permissions even after they were moved to a lower-level role. We use OKTA as our identity provider and use federated authentication to integrate Sitecore with OKTA for staff login. The OKTA group memberships are mapped to Sitecore roles using claims mapping to manage user roles in Sitecore. This was working fine for a long time until recently when we started noticing changing user roles in OKTA have no impact on the user permissions in Sitecore.

I started troubleshooting by monitoring the network traffic during the login redirect, capturing the JWT token to inspect the claims we are receiving from OKTA. Once the user's group membership in OKTA has changed, I can see the new groups values in the claims. So, the issue has to be on the Sitecore end with claims to roles mapping. After further investigating into the code which hasn't changed in months, I looked into what else has changed. We did upgrade our Sitecore version (and Identity server) a couple of times since the federated authentication was implemented. I looked into the release notes for any changes related to this functionality but that was a dead end.

In the meantime, we had to do a deployment and noticed that the new roles and permissions started reflecting post deployment. After being able to reproduce the same behaviour in my local dev environment I was able to conclude there is some kind of user profile caching going on at Sitecore end for the virtual users that's causing this and the only solution at the moment is to do an application restart which confirms why a deployment fixed the issue.

I logged a support ticket with Sitecore to investigate this. Sitecore suggested to try setting the Caching.DefaultClientDataCacheSize value to 0 to see if that resolves the issue. Changing the setting value to 0 did work. The new user roles and permissions started reflecting as soon as the user logged out of their current session and log back into a new session (should be a new browser session). Sitecore introduced UserRuntimeSettingsCache  in 10.2.1 prerelease. The UserRuntimeSettingsCache  is initialised as a service in the “Sitecore.DependencyInjection.DefaultSitecoreServicesConfigurator” class which makes it impossible to override using a config setting.

Sitecore confirmed this is a bug and working on a hotfix. If you are on Sitecore 10.2 or above and facing similar issues (you may want to check as this is not obvious to notice) contact Sitecore support and quote the bug reference number 594651 to request a hotfix for your Sitecore version.

For more information about public reference numbers can be found here: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0853187


Update: Sitecore has provided a fix for this issue through a platform pre-release which can be found here: Sitecore 10.2.2 rev. 009719 PRE. Do note that this only applues to Sitecore 10.2 version and you need to upgrade to 10.2.1 version first before you can apply this pre-release.

Comments

Post a Comment

Popular posts from this blog

SXA Scriban extension to get link field target URL

-
Scriban is the new templating language which was introduced in Sitecore 9.3, it replaces the obsolete NVelocity templates in the earlier versions. If you are upgrading from earlier versions of Sitecore and used a lot of NVelocity templates, you need to convert all your NVelocity templates to Scriban as NVelocity is no longer supported in Sitecore 9.3. Scriban is a powerful language with support to import your own .Net functions. Sitecore provides a rich set of Scriban extensions to use which meets most of the common requirements. You can find more about the out of the box Sitecore Scriban extensions here . While using Scriban to create custom markup which can't be achieved through other Rendering Variant fields I came across a requirement to wrap a section of HTML with an anchor tag targeting to an URL set in a link field in the template. In SXA we would set the link target field on the Rendering Variant and set the Is Link property value of the Rendering Variant field to W
Read more

How to ace your Sitecore .Net Developer 10 Certification Exam

-
Image
  I have been a Sitecore developer for five years and worked on various Sitecore projects, yet every time I take the certification exam it makes me nervous. From my conversations with the other Sitecore developers I worked with, even the most experienced Sitecore developers are nervous about failing the certification exam. They try to avoid taking the exam unless absolutely necessary. A few reasons for this could be, The exam is too expensive to fail. Most employers will only reimburse the fee for successful certification attempts. The score required to pass the exam is quite high (80%) compared to your academic exams.  The Sitecore training modules for exam competencies can be expensive. Not everyone gets a chance to work on the latest version of Sitecore. The exam competencies include areas of Sitecore you never had a chance to work on. In this blog post I will share my most recent experience of preparing and successfully completing the Sitecore .NET 10 Developer certification exam.
Read more

View and download Sitecore log files using Log Viewer

-
Image
As a Sitecore developer you would want to regularly monitor the log files for recurring errors and warnings and keep them clean. I am quite used to downloading my log files and running the tools like Sitecore Log Analyzer to filter and group errors and warnings.  As we started to productionise our website and apply the security hardening best practices, I ended up losing access to the logs folder and admin pages. To complicate the things further we started using containers to host our Sitecore instance with zero access to file system for developers, even when it is needed for troubleshooting issues.  The only way I could access the logs was using AWS Log Insights which gives you a stream of events without any option to download the full log file. It is especially difficult to troubleshoot issues when you need to correlate events from multiple logs which means you need to look for events across multiple log streams and try to put together the jigsaw puzzle to see the full picture. This
Read more