Ability to get groups claim using Okta Orgs authentication server #250
Comments
The Kubernetes API server does not support a userinfo endpoint to get extra claims, so it is not possible to use the groups claim on Kubernetes from there. Unfortunately a client tool cannot help with it. FYI, the Kubernetes API server does support distributed claims (OpenID Connect Core 1.0, section 5.6.2); see kubernetes/apiserver@fad0fde. Would you check if Okta supports it?

Hi, I asked Okta about distributed claims, and they do not support it. Thanks for your time.
You can aggregate claims of an ID token and UserInfo by using Dex OIDC connector.
It may be worth trying the federation of Dex and Okta.

@PrajIT3007 it is possible to expose the groups claim on the Okta side via https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md#expose-the-groups-claim
@int128 even though I am now able to see "groups" when running the test in Okta via "Token Preview" (see link above), I don't see "groups" in the JWT response via
Also, thanks for your time on developing the plugin; it turns out to be a simple and elegant solution.
Thank you for your information!

```console
% ./kubelogin setup --oidc-issuer-url https://dev-REDACTED.okta.com/oauth2/default --oidc-client-id REDACTED --oidc-client-secret REDACTED --oidc-extra-scope groups
authentication in progress...
## 2. Verify authentication
You got a token with the following claims:
{
  "sub": "REDACTED",
  "ver": 1,
  "iss": "https://REDACTED.okta.com/oauth2/default",
  "aud": "REDACTED",
  "iat": 1592035061,
  "exp": 1592038661,
  "jti": "REDACTED",
  "amr": [
    "pwd"
  ],
  "idp": "REDACTED",
  "nonce": "qZ2T2Redgi9aTtjIgDC_k41K343xQLcLHPa8TvALh_c",
  "auth_time": 1592033280,
  "at_hash": "1bjSv3F3h6TEzgPNnpmSXg",
  "groups": [
    "Everyone",
    "example"
  ]
}
```
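The thread turns on whether the `groups` claim is delivered inside the ID token itself (which the API server can read) or deferred as a distributed claim (OpenID Connect Core 1.0, section 5.6.2). The following is an added example, not code from kubelogin or from anyone in this thread: it decodes a constructed, unsigned token payload for inspection, lists which claims are distributed (`_claim_names` / `_claim_sources`), and computes the group names Kubernetes would derive under `--oidc-groups-claim` and `--oidc-groups-prefix`. The issuer, subject and endpoint values are constructed placeholders.

```python
import base64
import json

# Constructed sample payload (not a real token, no signature). "groups" is carried
# directly; "email" is a distributed claim pointing at a userinfo endpoint.
SAMPLE_PAYLOAD = {
    "iss": "https://example.okta.com/oauth2/default",
    "sub": "00u-constructed",
    "aud": "client-constructed",
    "groups": ["Everyone", "example"],
    "_claim_names": {"email": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://example.okta.com/oauth2/default/v1/userinfo"}
    },
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT for local inspection only (never accept such tokens)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT signature verification: inspection only."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(part))

def kubernetes_groups(payload: dict, groups_claim: str = "groups", prefix: str = "") -> list[str]:
    """Groups the API server derives: the claim may be a string or an array of strings."""
    value = payload.get(groups_claim)
    if value is None:
        return []  # claim absent from the ID token: RBAC group bindings will not match
    if isinstance(value, str):
        value = [value]
    return [prefix + g for g in value]

def distributed_claims(payload: dict) -> dict:
    """Map each distributed claim name to the endpoint it must be fetched from."""
    names = payload.get("_claim_names", {})
    sources = payload.get("_claim_sources", {})
    return {claim: sources.get(src, {}).get("endpoint") for claim, src in names.items()}

if __name__ == "__main__":
    claims = decode_payload(make_unsigned_jwt(SAMPLE_PAYLOAD))
    print("kubernetes groups:", kubernetes_groups(claims, prefix="oidc:"))
    print("distributed claims:", distributed_claims(claims))
```

A claim that only shows up under `distributed_claims` (or not at all) is the situation described in this thread: the API server has nothing to match against `--oidc-groups-claim`, so the fix belongs on the identity provider side, not in the client.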
Thanks for the prompt response @int128, I can now use Okta groups while authenticating to K8s. It is worth updating https://github.com/int128/kubelogin/blob/master/docs/setup.md#okta as I am sure other Okta users will very much appreciate it too.

Hi @int128, I'm having the following problem: I am able to get the groups from the issuer, but when I try to authenticate it still tries to use the User and not the Group. What am I missing?

Hi There, I am posting this in case someone is facing a similar issue. If you are integrating Okta with AWS EKS and you see the error below, follow the instructions from here: https://developer.okta.com/blog/2021/10/08/secure-access-to-aws-eks (thanks to Nico Triballier and the Okta team for documenting this). In my case, I forgot to set the group and username claim in the AWS EKS OIDC configuration.
Hi,
First of all thank you for your support.
I was able to use kubelogin with Okta authentication using Okta custom Authorization Servers, which is a feature of API Access Management.
Contacting Okta support, I got the following info:
Is it possible to make it work using the Okta Org authorization server?
Regards,