-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[OIDC] Use username claimed from OIDC instead of "subiss" in the database #10797
Comments
Daniel, put this in your queue to take a look, thanks. |
@julienlefur I don't think it's a valid requirement, according to the openid spec, the sub is the unique identity of a user, if you update sub it's should be considered another user. For the same reason, once the OIDC provider's URL is changed it should also be considered another issuer, just like you cannot assume "jack smith" in google and "jack smith" in azure are the same user. If you want to them them as the same user, you must do some manual update in DB to make sure the sub and issuer map to your new OIDC provider |
@reasonerjt Thanks for your reply. Why not create an other table referencing the OIDC issuer with the URL and map the users to the issuer using an internal ID? This way, the URL (or whatever OIDC parameters) could be changed when needed. The URL is only a way to access the OIDC issuer and it can change. Concerning the "sub", I understand what you mean. However, the RFC 7519 spec says it must be unique but it can change while it remains unique. The RFC spec also says that the use of this claim is optional. In our organization, the username must be unique and this is what is identifying a user. |
I see your point, the root cause is not the I'd also like to point out the The username is even less reliable than |
@reasonerjt you're right about the RFC. My bad. But still, I'm not convinced that you need to store the We implemented the OIDC with many other tools like Kubernetes, ElasticSearch, Gitlab, Grafana and none of them stores the |
@reasonerjt No I think his sub is also changing, and issuer is changing, so both can change but he wants to discard sub from being used as part of this key to authenticate against. And using just sub wouldn't solve his problem. Is it required or recommended best practice to use this 'sub' for authentication purpose. He brings up a good point that you are essentially double checking. |
@reasonerjt Yes you can look at the kubernetes documentation concerning the OIDC configuration: https://kubernetes.io/docs/reference/access-authn-authz/authentication/ By default the JWT claim is |
I can double check k8s implementation to understand how it handles it. When Harbor get an id token in the callback it needs a way to determine if there is a user record in the DB mapping to the person associated with the id token or not. Currently it checks the Before moving away from that we need a reliable way to do the mapping I guess k8s has some way to map a claim in the token to a user. If k8s allows the claim to identify a user to change, all the relationship between a role and a user will be broken once the claim is updated, you may need to update all the rolebindings, essentially it's the same situation in Harbor, you update the DB to adjust the key to identify the users, so it maps again. @julienlefur using username maybe good for your scenario. |
The big difference is that kubernetes trusts the OIDC issuer completely. It does not store any ID or token in a database. The "User" is composed of:
If, as an administrator, I decide to set: The username for kubernetes will be: If I change the OIDC Issuer technology or URL, I can keep the same username and it will give the same role to that user because in my implementation it's the same user. This ability to customize the integration of the OIDC is very important for many companies in my opinion. This could offer to Harbor a better integration in these companies. In addition, you should always have only one oidc issuer at a time so that your issuer can ensure that the username is unique. |
I think for k8s, in your example if admin decides to update I get your point we should make the "Primary Key" of ID token configurable, but we need to be careful what will happen when this "Primary Key" changes. |
@reasonerjt In kubernetes, if the admin changes the claim he has to change all the rolebindings as well. But it's his choice and that is very important. Depending on the context, administrators can choose the way to customize the integration of Harbor: it increases the adaptivity of Harbor. |
@julienlefur were you able to get OIDC working between Gitlab and Harbor ? |
@Moulick We are not using Gitlab as OIDC Provider but Keycloak. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
bump |
Hi, I see very interesting conversation here and I would like to put my two cents. First of all, I think that using However, I do not understand the fact that If I migrate my users to a new IdP and change Harbor OIDC settings, I still would like these users to be able to onboard in Harbor. That would be great for those who leverage Harbor with OIDC groups - I hope, I am not too selfish now 👀 It would be great if Harbor provides some guideline about changing OIDC Provider and migrating Harbor users. |
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days. |
bump |
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days. |
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue. |
Is your feature request related to a problem? Please describe.
When login to Harbor using an OIDC Provider, the user existence is checked in the Harbor database by "subiss" which is a concatenation of the "sub" and "iss" field in the JWT token.
If the user is known, it is authenticated.
However, if the URL of the OIDC provider is modified or if the "sub" ID is renewed/changed, the user is not recognised and Harbor starts a new onboarding process for this user.
Describe the solution you'd like
The key used to retrieve the user from the database could be the username claimed from the OIDC provider. Looks like this is in progress in the PR #9311
Describe the main design/architecture of your solution
In the OIDC controller, in the callback method, instead of getting the user by "subiss", get the user by common.OIDCUserClaim so that any changes in the OIDC provider won't affect Harbor side.
harbor/src/core/controllers/oidc.go
Lines 113 to 116 in 0bc3241
In the OIDC controller, in the onboard method, instead of register the user with "subiss", register the user with his username claimed which must be unique:
harbor/src/core/controllers/oidc.go
Lines 194 to 210 in 0bc3241
The text was updated successfully, but these errors were encountered: