allow non-string values (and arrays) in claim_mappings #109

Open
jmls opened this issue Apr 22, 2020 · 3 comments

Comments

@jmls

jmls commented Apr 22, 2020

I was asked to raise an issue here following a conversation in google groups.

I'm using 1.4, and have Azure OIDC authentication working. However, I cannot have any claim that is a non-string

so, for example, part of the returned jwt from azure has this

    "iat": 1587560836,
    "nbf": 1587560836,
    "exp": 1587564736,
    "acct": 0,
    "auth_time": 1587541385,
    "email": "julian@nodeable.io",

and I wanted to store "exp" as part of the entity alias metadata. If I include {"exp":"exp"} as part of the claims_mapping, the authentication fails with

"error converting claim 'exp' to string"

IOW, any non-string claim can't be assigned in the claims_mapping option

The other problem as I mentioned was that I wanted to get the azure user groups of the user into the entity alias. Azure returns the groups as

groups: ["group1","group2"]

and again, if I try to put a {groups:groups} claim in the claims_mapping vault borks with a

"error converting claim 'groups' to string"

is there any template magic that can be applied to the claims_mapping or is it a limitation of vault?

@jmls
Author

jmls commented May 10, 2020

so, looking through the code - bearing in mind I haven't written a single line of go ... - I think that this function

func extractMetadata(logger log.Logger, allClaims map[string]interface{}, claimMappings map[string]string) (map[string]string, error) {
    metadata := make(map[string]string)
    for source, target := range claimMappings {
        if value := getClaim(logger, allClaims, source); value != nil {
            strValue, ok := value.(string)
            if !ok {
                return nil, fmt.Errorf("error converting claim '%s' to string", source)
            }

            metadata[target] = strValue
        }
    }
    return metadata, nil
}

is where the problem happens.

if we were to change

            strValue, ok := value.(string)
            if !ok {
                return nil, fmt.Errorf("error converting claim '%s' to string", source)
            }

to just

            strValue := fmt.Sprintf("%v", value) // Sprintf, not Sprint: only Sprintf interprets the "%v" format verb
would that solve the "problem"? Or make all claims a string - and let the end-user of the metadata be responsible for converting it as required. This would allow for all non-string claims to be mapped into the jwt
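
As an added example (not code from this issue or from the Vault JWT/OIDC auth plugin), the Go below puts the fmt-based conversion suggested above next to a type switch that keeps numbers in plain decimal form and JSON-encodes arrays such as groups. The names claimToString, naiveToString, extractMetadata and the sample payload are constructed for this example; lookups are top-level keys only, so the plugin's getClaim and its JSON-pointer handling are not reproduced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Constructed payload modelled on the Azure fragment in the issue (illustrative values).
const samplePayload = `{"exp":1587564736,"acct":0,"email":"user@example.com","groups":["group1","group2"]}`

func decodeClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	err := json.Unmarshal([]byte(payload), &claims)
	return claims, err
}

// naiveToString is the fmt-based fix; encoding/json decodes every JSON number as float64, so %v renders exp as "1.587564736e+09".
func naiveToString(v interface{}) string { return fmt.Sprintf("%v", v) }

// claimToString keeps scalars in natural text form and re-encodes arrays/objects as JSON so consumers can parse them back.
func claimToString(v interface{}) (string, error) {
	switch t := v.(type) {
	case string:
		return t, nil
	case float64:
		return strconv.FormatFloat(t, 'f', -1, 64), nil // "1587564736"
	case bool:
		return strconv.FormatBool(t), nil
	case []interface{}, map[string]interface{}:
		b, err := json.Marshal(t)
		return string(b), err
	}
	return "", fmt.Errorf("unsupported claim type %T", v)
}

// extractMetadata mirrors the loop quoted from the plugin with the type assertion replaced by claimToString (top-level keys only).
func extractMetadata(claims map[string]interface{}, mappings map[string]string) (map[string]string, error) {
	md := make(map[string]string)
	for source, target := range mappings {
		if v := claims[source]; v != nil { // absent claims are skipped, as in the original
			s, err := claimToString(v)
			if err != nil {
				return nil, fmt.Errorf("claim %q: %w", source, err)
			}
			md[target] = s
		}
	}
	return md, nil
}
```

Whatever the conversion, the metadata stays a flat map of strings, so a policy or template that consumes okt_groups-style values still has to parse the JSON array itself.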

@sshintaku

To cast an object to a string in Go I've always used string(value) and that works. So you could write that simply by writing var strValue = string(value) and that should work.

@stuartpurgavie

stuartpurgavie commented May 13, 2021

My workaround for this was to go way overboard with JSON pointers using a test role. I've pasted an example config JSON that I used to inspect what groups were actually in the groups claim from the Okta identity provider. It has a number of limitations and I wouldn't recommend implementing this pattern in production as it doesn't scale, but it might help someone doing some troubleshooting.

{
  "allowed_redirect_uris": [
    "https://example.com/ui/vault/auth/oidc_jwt_mount_path/oidc/callback",
    "http://localhost:8250/oidc/callback"
  ],
  "bound_audiences": [
    "audience_string_redacted"
  ],
  "bound_claims": null,
  "bound_claims_type": "string",
  "bound_subject": "",
  "claim_mappings": {
    "profile": "okt_profile",
    "email": "okt_email",
    "openid": "okt_openid",
    "/groups/0": "okt_groups_0",
    "/groups/1": "okt_groups_1",
    "/groups/2": "okt_groups_2",
    "/groups/3": "okt_groups_3",
    "/groups/4": "okt_groups_4",
    "/groups/5": "okt_groups_5",
    "/groups/6": "okt_groups_6",
    "/groups/7": "okt_groups_7",
    "/groups/8": "okt_groups_8",
    "/groups/9": "okt_groups_9",
    "/groups/10": "okt_groups_10",
    "/groups/11": "okt_groups_11",
    ...snip...
    "/groups/50": "okt_groups_50"
  },
  "clock_skew_leeway": 0,
  "expiration_leeway": 0,
  "groups_claim": "groups",
  "not_before_leeway": 0,
  "oidc_scopes": [
    "profile email openid groups"
  ],
  "policies": [
    "default"
  ],
  "role_type": "oidc",
  "token_bound_cidrs": [],
  "token_explicit_max_ttl": 0,
  "token_max_ttl": 0,
  "token_no_default_policy": false,
  "token_num_uses": 0,
  "token_period": 0,
  "token_policies": [
    "default"
  ],
  "token_ttl": 0,
  "token_type": "default",
  "user_claim": "sub",
  "verbose_oidc_logging": false
}
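
As an added example (not from the issue or the plugin), the Go below walks "/groups/N" JSON pointers like those in the role above over a constructed claims map. It assumes the plugin's "/"-prefixed mapping sources are resolved as RFC 6901 pointers (resolvePointer and mappedGroupSlots are names invented here) and shows why fixed slots past the end of the groups array simply receive no value, which is the scaling limit the comment mentions.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed claims (not a real Okta token) carrying three groups.
var sampleClaims = map[string]interface{}{
	"sub":    "user-id",
	"groups": []interface{}{"group1", "group2", "group3"},
}

// resolvePointer walks a JSON pointer such as "/groups/1" through decoded
// claims and returns nil (so the mapping is skipped) when a segment is
// missing or an array index is out of range. Modelled on, not copied from,
// the plugin's "/"-prefixed lookup.
func resolvePointer(claims map[string]interface{}, ptr string) interface{} {
	var cur interface{} = claims
	for _, seg := range strings.Split(strings.TrimPrefix(ptr, "/"), "/") {
		seg = strings.ReplaceAll(strings.ReplaceAll(seg, "~1", "/"), "~0", "~") // RFC 6901 unescaping
		switch node := cur.(type) {
		case map[string]interface{}:
			cur = node[seg]
		case []interface{}:
			i, err := strconv.Atoi(seg)
			if err != nil || i < 0 || i >= len(node) {
				return nil
			}
			cur = node[i]
		default:
			return nil
		}
	}
	return cur
}

// mappedGroupSlots reports how many of the "/groups/0".."/groups/N-1"
// mappings in a role like the one above would actually receive a value.
func mappedGroupSlots(claims map[string]interface{}, n int) int {
	filled := 0
	for i := 0; i < n; i++ {
		if resolvePointer(claims, "/groups/"+strconv.Itoa(i)) != nil {
			filled++
		}
	}
	return filled
}
```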

lucymhdavies added a commit to hashi-strawb/vault-okta-demo that referenced this issue May 19, 2023