Ability to get groups claim using Okta Orgs authentication server #250

Closed
PrajIT3007 opened this issue Mar 9, 2020 · 8 comments · Fixed by #318
Labels
question Further information is requested

Comments

@PrajIT3007

Hi,

First of all thank you for your support.

I was able to use kubelogin with Okta authentication using Okta custom Authorization Servers, which is a feature of API Access Management.

Contacting Okta support, I got the following info:

PKCE returns both Access Token and ID Token, since you're using Okta's Org Auth Server, this causes the tokens to be 'minified', thus the reason why the groups claim is "missing".
Calling the /userinfo endpoint will return the tokens. The following documentation explains this in detail:
https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token
Thank You,

Is it possible to make it work using the Okta Org authentication server?

Regards,

@int128
Owner

int128 commented Mar 9, 2020

Kubernetes API server does not support a userinfo endpoint to get extra claims. It is not possible to use the groups claim on Kubernetes. Unfortunately, a client tool cannot help with it.

FYI, Kubernetes API server supports distributed claims (OpenID Connect Core 1.0, section 5.6.2) as of kubernetes/apiserver@fad0fde. Would you check if Okta supports it?

@PrajIT3007
Author

Hi,

I asked Okta about distributed claims, and they do not support it.

Thanks for your time.

@int128
Owner

int128 commented Mar 12, 2020

You can aggregate claims of an ID token and UserInfo by using Dex OIDC connector.
https://github.com/dexidp/dex/blob/master/Documentation/connectors/oidc.md

When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain all the claims requested.

It may be worth trying the federation of Dex and Okta.

@int128 int128 added the question Further information is requested label Apr 17, 2020
@xlrd

xlrd commented Jun 12, 2020

@PrajIT3007 it is possible to expose groups claim on Okta side via https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md#expose-the-groups-claim

@int128 even though I am now able to see "groups" when running a test in Okta via "Token Preview" (see link above), I don't see "groups" in the JWT response via kubelogin - would you be able to shed some light on why? Wouldn't that help with "Kubernetes API server does not support a userinfo endpoint to get extra claims"?

Also, thanks for your time on developing the plugin - it turns out to be a simple and elegant solution.

@int128
Owner

int128 commented Jun 13, 2020

Thank you for your information!
I tried the steps described in the doc and finally got the groups claim. It is important to set the issuer to https://YOUR_ORG.okta.com/oauth2/default instead of https://YOUR_ORG.okta.com.

% ./kubelogin setup --oidc-issuer-url https://dev-REDACTED.okta.com/oauth2/default --oidc-client-id REDACTED --oidc-client-secret REDACTED --oidc-extra-scope groups
authentication in progress...

## 2. Verify authentication

You got a token with the following claims:

{
  "sub": "REDACTED",
  "ver": 1,
  "iss": "https://REDACTED.okta.com/oauth2/default",
  "aud": "REDACTED",
  "iat": 1592035061,
  "exp": 1592038661,
  "jti": "REDACTED",
  "amr": [
    "pwd"
  ],
  "idp": "REDACTED",
  "nonce": "qZ2T2Redgi9aTtjIgDC_k41K343xQLcLHPa8TvALh_c",
  "auth_time": 1592033280,
  "at_hash": "1bjSv3F3h6TEzgPNnpmSXg",
  "groups": [
    "Everyone",
    "example"
  ]
}

@xlrd

xlrd commented Jun 15, 2020

Thanks for the prompt response @int128. I can now use Okta groups while authenticating to K8s.

It is worth updating https://github.com/int128/kubelogin/blob/master/docs/setup.md#okta as I am sure other Okta users will very much appreciate it too.

int128 added a commit that referenced this issue Jun 24, 2020
@grebois

grebois commented Jul 21, 2020

Hi @int128, I'm having the following problem: I am able to get the groups from the issuer, but when I try to authenticate it still tries to use the User and not the Group. What am I missing?

❯ kubelogin setup --oidc-issuer-url https://REDACTED/oauth2/REDACTED --oidc-client-id=REDACTED --oidc-client-secret=REDACTED --oidc-extra-scope=groups

authentication in progress...

## 2. Verify authentication

You got a token with the following claims:

{
  "sub": "REDACTED",
  "ver": 1,
  "iss": "https://REDACTED.okta.com/oauth2/REDACTED",
  "aud": "REDACTED",
  "iat": 1595353409,
  "exp": 1595357009,
  "jti": "REDACTED",
  "amr": [
    "pwd"
  ],
  "idp": "REDACTED",
  "nonce": "masyGO7-REDACTED-N12rqi4",
  "auth_time": 1595351562,
  "at_hash": "MeOImAIPr3PZOzZBS-8S-A",
  "groups": [
    "Everyone",
    "G Suite",
    "squad_core",
    "Slack",
    "MFA Enabled",
    "JFrog Artifactory",
    "Jenkins Dev",
    "Datadog",
    "Jenkins Prod"
  ]
}

## 3. Bind a cluster role

Run the following command:

	kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='https://REDACTED.okta.com/oauth2/REDACTED#REDACTED'

## 4. Set up the Kubernetes API server

Add the following options to the kube-apiserver:

	--oidc-issuer-url=https://REDACTED.okta.com/oauth2/REDACTED
	--oidc-client-id=REDACTED

## 5. Set up the kubeconfig

Run the following command:

	kubectl config set-credentials oidc \
	  --exec-api-version=client.authentication.k8s.io/v1beta1 \
	  --exec-command=kubectl \
	  --exec-arg=oidc-login \
	  --exec-arg=get-token \
	  --exec-arg=--oidc-issuer-url=https://REDACTED.okta.com/oauth2/REDACTED \
	  --exec-arg=--oidc-client-id=REDACTED \
	  --exec-arg=--oidc-client-secret=REDACTED \
	  --exec-arg=--oidc-extra-scope=groups \

## 6. Verify cluster access

Make sure you can access the Kubernetes cluster.

	kubectl --user=oidc get nodes

You can switch the default context to oidc.

	kubectl config set-context --current --user=oidc

You can share the kubeconfig to your team members for on-boarding.

❯ kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --group=Everyone
clusterrolebinding.rbac.authorization.k8s.io/oidc-cluster-admin created

❯ kubectl get ClusterRoleBinding oidc-cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-07-21T17:43:54Z"
  name: oidc-cluster-admin
  resourceVersion: "3878"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/oidc-cluster-admin
  uid: 23cdd728-510f-4a6e-ac1e-b1c7510f0396
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: Everyone

❯       kubectl config set-credentials oidc \
          --exec-api-version=client.authentication.k8s.io/v1beta1 \
          --exec-command=kubectl \
          --exec-arg=oidc-login \
          --exec-arg=get-token \
          --exec-arg=--oidc-issuer-url=https://REDACTED.okta.com/oauth2/REDACTED \
          --exec-arg=--oidc-client-id=REDACTED \
          --exec-arg=--oidc-client-secret=REDACTED \
          --exec-arg=--iidc-extra-scope=groups
User "oidc" set.

❯       kubectl --user=oidc get nodes
Error from server (Forbidden): nodes is forbidden: User "https://REDACTED.okta.com/oauth2/REDACTED#REDACTED" cannot list resource "nodes" in API group "" at the cluster scope
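
The two outputs above (int128's token with groups from the /oauth2/default issuer, and grebois's Forbidden error naming an issuer#sub user) can be checked from the claims that `kubelogin setup` prints. The script below is an added example, not part of kubelogin or Okta; the claim values are constructed from the redacted outputs in this thread, and it assumes kube-apiserver defaults (username claim `sub`, prefix `<issuer>#`, and no groups mapping unless `--oidc-groups-claim=groups` is set).

```python
import json

# Constructed claims shaped like the "kubelogin setup" output in this thread.
ORG_SERVER_CLAIMS = json.dumps({
    "sub": "00u-constructed", "ver": 1,
    "iss": "https://dev-example.okta.com",          # Okta org authorization server
    "aud": "client-constructed",
})
CUSTOM_SERVER_CLAIMS = json.dumps({
    "sub": "00u-constructed", "ver": 1,
    "iss": "https://dev-example.okta.com/oauth2/default",  # custom authorization server
    "aud": "client-constructed",
    "groups": ["Everyone", "example"],
})


def diagnose(claims_json, groups_claim_configured):
    """Explain how kube-apiserver would identify the holder of these claims.

    groups_claim_configured: True if kube-apiserver runs with
    --oidc-groups-claim=groups. Without that flag the groups in the
    token are ignored and only --user= bindings can match.
    """
    claims = json.loads(claims_json)
    iss, sub = claims["iss"], claims["sub"]
    findings = []
    # Tokens from the org server are issued at the bare org URL; only a
    # custom server under /oauth2/<id> carries the groups claim.
    if "/oauth2/" not in iss:
        findings.append("issuer is the Okta org server; use https://ORG.okta.com/oauth2/default")
    groups = claims.get("groups", [])
    if not groups:
        findings.append("no groups claim; request --oidc-extra-scope groups and expose groups on the Okta side")
    # Default kube-apiserver username: the "sub" claim prefixed with "<iss>#"
    # when --oidc-username-claim is not "email" and no prefix is configured.
    k8s_user = f"{iss}#{sub}"
    effective_groups = groups if groups_claim_configured else []
    if groups and not groups_claim_configured:
        findings.append("kube-apiserver lacks --oidc-groups-claim=groups, so --group= bindings never match")
    return {"user": k8s_user, "groups": effective_groups, "findings": findings}


if __name__ == "__main__":
    for name, claims in (("org server", ORG_SERVER_CLAIMS), ("custom server", CUSTOM_SERVER_CLAIMS)):
        print(name, json.dumps(diagnose(claims, groups_claim_configured=False), indent=2))
```

The Forbidden error above is the `user` value this script derives; a `--group=Everyone` binding only applies once the API server is started with the groups claim configured.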

@rajshivage

Hi There,

I am posting this if someone is facing a similar issue.

If you are integrating Okta with AWS EKS and you see the error below:
Error from server (Forbidden): nodes is forbidden: User "https://REDACTED.okta.com/oauth2/REDACTED#REDACTED" cannot list resource "nodes" in API group "" at the cluster scope

Follow the instructions from here: https://developer.okta.com/blog/2021/10/08/secure-access-to-aws-eks (thanks to Nico Triballier and the Okta team for documenting this).

In my case, I forgot to set the group and username claim in the AWS EKS OIDC configuration.
