How to configure user info endpoint to get the user details in implicit code flow?

[sskmail14]

Is your feature request related to a problem? Please describe.
Is there any way to get the user info with user info endpoint to show the user details in implicit code flow
Describe the solution you'd like
Am trying to show the user details as part if implicit code flow as its recommended. I have tried the below config but still didn't work. It shows me as OpenId User

    auth:
      strategy: openid
      openid:
        username_claim: "email"
        .....
        .....

Describe alternatives you've considered
Do we have any documentation on this to get the detais from user info endpoint?
Additional context
NA

[jmazzitelli]

This is a question - moving to github discussion as a "Q&A" topic.

[sskmail14]

@jmazzitelli Can I get any help on this?

[jmazzitelli]

I don't know the answer. I suppose maybe this information is in the server logs?

Hopefully someone out there knows the answer.

[xeviknal]

Hi there, I think I am missing some more context. All the description above sounds quite unrelated to kiali to me.
Where do you want to show user detail information? What is it for? Are you planning to open a PR with an enhancement?

[jmazzitelli]

Are you planning to open a PR with an enhancement?

this was an enhancement that I moved to Q&A discussion - this is more of a question of "how can I know what the user's details are?"

@israel-hdez might know

[israel-hdez]

Most of the time, I've seen that people get the needed data by adjusting requested scopes.

The token that the OpenID Server returns at authentication may not carry user's email unless requested (this depends a lot on the OpenID server config). If you want the e-mail, I think you need to request the "email" scope (which is a default if no scopes are configured in the KialiCR). So, I suggest you to double-check what scopes you have configured (if any). The problem with implicit flow is that some openid providers choose to trim down claims to provide a token that can fit in the URL (with good reason). So, there is a chance that you will need to switch to the authorization code flow to have the e-mail.

Kiali is currently not using the user info endpoint. So, it's also unaware of it. From the OpenID Spec I see the UserInfo Endpoint uses the access_token rather than the id_token. Currently, Kiali is not requesting an access_token. In case we want to implement this, the change is medium-simple (not very trivial).

Honestly, I think it's better to switch to authorization code flow for security reasons and check if this flow carries the needed data. If you need implicit flow and the id_token does not carry the needed data, I wonder if you would be open to make a code contribution for this? This change sounds technically interesting, but probably it doesn't add value to Kiali for the core team to work on it. So, we would prefer a community contribution.

I can meet with you if you are willing to contribute with this work.

[sskmail14]

@israel-hdez
My Bad :( .
Yes as mentioned by you, I missed adding the scope email, once adding that to the scope its getting the email in as part of user information. Thanks...

We have limited set of scopes to get the information. We would like to get the complete set of information. we would need the user information and do some validation like say if a user belongs to a certain groups. If not then authentication should get failed stating with appropriate message.

If there could be some provision for that would be good to have one. I can give a try on this if this feature isn't available based on my availability.

Thanks!

[israel-hdez]

If there could be some provision for that would be good to have one. I can give a try on this if this feature isn't available based on my availability.

Yes, why not?
Just make sure to think a way to make it useful for community rather than tying up to your particular environment :-) We can meet and discuss how it would work.

Feel free to contact back either here in GitHub or in Slack.