-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim #21001
Conversation
Can one of the admins verify that this patch is reasonable to test? (reply "ok to test", or if you trust the user, reply "add to whitelist") If this message is too spammy, please complain to ixdy. |
1 similar comment
Can one of the admins verify that this patch is reasonable to test? (reply "ok to test", or if you trust the user, reply "add to whitelist") If this message is too spammy, please complain to ixdy. |
Labelling this PR as size/L |
info := &user.DefaultInfo{Name: username} | ||
|
||
if a.groupsClaim != "" { | ||
groups, ok, err := claims.StringsClaim(a.groupsClaim) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how does this handle a missing claim? I'd expect that to result in an empty groups list, not an auth error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The only error scenario is when the claim is not an array of strings.
{} // No groups claim, no error.
{"groups": ["group1", "group2"]} // Good response, no error.
{"groups": "group1"} // Malformed groups claim, this causes an error.
Idea being that if authn sees a custom groups claim, it's particular about how that claim is formatted.
We could just log an error and continue though, either way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, ok, didn't dig into StringsClaim
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah sorry it's not super obvious. I'll add a comment.
47f0925
to
92d37d5
Compare
@@ -165,6 +166,7 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) { | |||
fs.StringVar(&s.OIDCUsernameClaim, "oidc-username-claim", "sub", ""+ | |||
"The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not "+ | |||
"guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details.") | |||
fs.StringVar(&s.OIDCGroupsClaim, "oidc-groups-claim", "", "If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be an array of strings. This flag is experimental, please see the authentication documentation for further details.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I take it that Dex is going to be the only IdP that implements this at first?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, sounds like Azure supports groups, from this article:
http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_config_oidc_rp.html
Cool.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keycloak would support this via the "group membership" client mapper as well ... Definitely worth a mention :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@erictune any chance you could lobby with Eric Sachs to have GApps support it? Right now you need to call the Directory API to obtain group membership information...
lgtm |
GCE e2e test build/test passed for commit 92d37d5. |
The author of this PR is not in the whitelist for merge, can one of the admins add the 'ok-to-merge' label? |
add to whitelist |
@k8s-merge-robot add-to-whitelist |
GCE e2e test build/test passed for commit 92d37d5. |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
GCE e2e test build/test passed for commit 92d37d5. |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
GCE e2e test build/test passed for commit 92d37d5. |
Automatic merge from submit-queue |
Auto commit by PR queue bot
This PR provides functionality that allows the current OpenID Connect plugin to optionally read user group membership from a custom JWT claim.
OpenID Connect permits custom claims as part of ID Tokens (document here). And this allows Kubernetes aware OpenID Connect providers to produce ID Tokens with group information.
cc: @erictune, @philips, @bobbyrullo