
Fall back to decoded access token for OIDC group extraction #379

Merged
hluk merged 1 commit into release-engineering:master from hluk:fix-oidc-groups
Apr 7, 2026

Conversation

@hluk (Member) commented Mar 31, 2026

When authenticating via the OIDC browser login, the ID token may not
include group claims (realm_access.roles) depending on the Keycloak
mapper configuration. Decode the access token JWT as a fallback source
for OIDC claims using authlib jwt.decode with JWKS verification.

  • Skip other auth methods (e.g. Kerberos) when OIDC session is active
  • Add decoded access token as a fallback in _oidc_session_sources()
  • Use authlib jwt.decode with JWKS verification for access token decoding
  • Request 'roles' OIDC scope for Keycloak compatibility
  • Set id.token.claim=false in docker Keycloak to match production
  • Add admin user to waiverdb-users role for functional tests
  • Add Selenium functional test for browser-based OIDC group auth

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
JIRA: RHELWF-13972
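The fallback the description outlines, as an added example that is not WaiverDB's code: the PR itself verifies the access token with authlib's jwt.decode against Keycloak's JWKS (RSA keys). This stand-alone version performs the same steps with the standard library against a constructed JWKS holding a symmetric "oct" key, so it runs offline; the function names, the session layout (`userinfo`, `id_token_claims`, `access_token`), the issuer and the audience are assumptions for the example. What it shows is the part that matters for security: the access token is only consulted after the ID-token claims, and it only contributes groups if the signature (looked up by `kid` in the JWKS), issuer, audience and expiry all verify, so a forged or expired token yields no groups rather than a wrong set.

```python
"""Verified access-token fallback for OIDC group claims (realm_access.roles).

Added example, not WaiverDB's code. The real fix uses authlib jwt.decode
with Keycloak's JWKS; here the same checks are done with the standard
library against an "oct" (HMAC) key so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key material for the example. A real JWKS is fetched from
# <issuer>/protocol/openid-connect/certs and holds RSA public keys.
SECRET = b"constructed-dev-secret-not-for-production"
KID = "dev-key"
JWKS = {"keys": [{"kty": "oct", "kid": KID, "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}
ISSUER = "https://keycloak.example.test/realms/dev"   # assumed issuer
AUDIENCE = "waiverdb"                                 # assumed client id


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_json(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256(claims: dict, kid: str, key: bytes) -> str:
    """Issue a token the way the IdP would; present only to keep the example self-contained."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url_json(header)}.{_b64url_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"


def decode_verified(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of `token` only if signature (key chosen by kid from `jwks`),
    issuer, audience and expiry all check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token's own header choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(_b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def oidc_session_sources(session: dict, jwks: dict, issuer: str, audience: str, now=None):
    """Claim dicts in priority order: userinfo, ID-token claims, then the verified
    access token. An access token that fails verification contributes nothing."""
    for name in ("userinfo", "id_token_claims"):
        if session.get(name):
            yield session[name]
    if session.get("access_token"):
        try:
            yield decode_verified(session["access_token"], jwks, issuer, audience, now)
        except ValueError:
            return


def groups_from_sources(sources) -> list:
    """First non-empty group list found: Keycloak's realm_access.roles, else a flat `groups` claim."""
    for claims in sources:
        roles = (claims.get("realm_access") or {}).get("roles")
        if roles:
            return list(roles)
        if claims.get("groups"):
            return list(claims["groups"])
    return []


def session_groups(session: dict, jwks=JWKS, issuer=ISSUER, audience=AUDIENCE, now=None) -> list:
    """Groups for the current OIDC session, or [] if no verified source carries any."""
    return groups_from_sources(oidc_session_sources(session, jwks, issuer, audience, now))
```

Two things to adjust when porting this shape to a Keycloak deployment: pin the algorithm to the RS256 keys Keycloak actually publishes, and treat the audience value as an assumption, since a Keycloak access token only carries the client id in `aud` when an audience mapper is configured for that client.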

hluk force-pushed the fix-oidc-groups branch 3 times, most recently from c8b58e2 to f9d058a on March 31, 2026 13:45
hluk changed the title from "Fall back to session ID token for OIDC group extraction" to "Fall back to decoded access token for OIDC group extraction" on Mar 31, 2026
hluk marked this pull request as draft on April 1, 2026 09:59
hluk force-pushed the fix-oidc-groups branch from f9d058a to f61448c on April 1, 2026 11:12
hluk marked this pull request as ready for review on April 1, 2026 13:29
@hluk (Member, Author) commented Apr 1, 2026

Tested in dev.

hluk force-pushed the fix-oidc-groups branch from f61448c to e3bbae6 on April 1, 2026 13:58
hluk requested a review from mvalik on April 2, 2026 06:01
hluk force-pushed the fix-oidc-groups branch from e3bbae6 to af618d3 on April 2, 2026 06:13
hluk merged commit 86aa077 into release-engineering:master on Apr 7, 2026
8 checks passed