plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim #21001
Conversation
|
Can one of the admins verify that this patch is reasonable to test? (reply "ok to test", or if you trust the user, reply "add to whitelist") If this message is too spammy, please complain to ixdy. |
1 similar comment
|
Can one of the admins verify that this patch is reasonable to test? (reply "ok to test", or if you trust the user, reply "add to whitelist") If this message is too spammy, please complain to ixdy. |
|
Labelling this PR as size/L |
k8s-github-robot
added
the
size/L
| info := &user.DefaultInfo{Name: username} | ||
|
|
||
| if a.groupsClaim != "" { | ||
| groups, ok, err := claims.StringsClaim(a.groupsClaim) |
There was a problem hiding this comment.
how does this handle a missing claim? I'd expect that to result in an empty groups list, not an auth error
There was a problem hiding this comment.
The only error scenario is when the claim is not an array of strings.
{} // No groups claim, no error.
{"groups": ["group1", "group2"]} // Good response, no error.
{"groups": "group1"} // Malformed groups claim, this causes an error.
Idea being that if authn sees a custom groups claim, it's particular about how that claim is formatted.
We could just log an error and continue though, either way.
There was a problem hiding this comment.
ah, ok, didn't dig into StringsClaim
There was a problem hiding this comment.
Yeah sorry it's not super obvious. I'll add a comment.
ericchiang
force-pushed
the
oidc_groups
branch
from
47f0925
to
92d37d5
Compare
| @@ -165,6 +166,7 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) { | |||
| fs.StringVar(&s.OIDCUsernameClaim, "oidc-username-claim", "sub", ""+ | |||
| "The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not "+ | |||
| "guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details.") | |||
| fs.StringVar(&s.OIDCGroupsClaim, "oidc-groups-claim", "", "If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be an array of strings. This flag is experimental, please see the authentication documentation for further details.") | |||
There was a problem hiding this comment.
I take it that Dex is going to be the only IdP that implements this at first?
There was a problem hiding this comment.
Oh, sounds like Azure supports groups, from this article:
http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_config_oidc_rp.html
Cool.
There was a problem hiding this comment.
Keycloak would support this via the "group membership" client mapper as well ... Definitely worth a mention :-)
There was a problem hiding this comment.
@erictune any chance you could lobby with Eric Sachs to have GApps support it? Right now you need to call the Directory API to obtain group membership information...
|
lgtm |
erictune
added
the
lgtm
|
GCE e2e test build/test passed for commit 92d37d5. |
|
The author of this PR is not in the whitelist for merge, can one of the admins add the 'ok-to-merge' label? |
|
add to whitelist |
|
@k8s-merge-robot add-to-whitelist |
|
GCE e2e test build/test passed for commit 92d37d5. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e test build/test passed for commit 92d37d5. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e test build/test passed for commit 92d37d5. |
|
Automatic merge from submit-queue |
Auto commit by PR queue bot
erictune
added
the
release-note
This PR provides functionality that allows the current OpenID Connect plugin to optionally read user group membership from a custom JWT claim.
OpenID Connect permits custom claims as part of ID Tokens (document here). And this allows Kubernetes aware OpenID Connect providers to produce ID Tokens with group information.
cc: @erictune, @philips, @bobbyrullo