
oidc auth provider does not support role mapping rules using custom keys #6641

Open
ghoff opened this issue Jun 22, 2023 · 2 comments

ghoff commented Jun 22, 2023

Roles can be mapped to OIDC users based on claims. While the rules allow setting arbitrary claims, the OIDC implementation only allows a fixed set. I would have used the Groups claim, but Auth0 restricts setting that claim. Digging into the code, I found that backend_impl.go limits my choices to name, email, sub, groups, account_id and, as a boolean, is_org_admin. And, while the ACS documentation notes that sub is mapped to userid, it makes no mention that account_id is mapped to orgid. I was able to meet my need by creating an account_id claim and a rule matching the value stored in orgid to a role, but that was not at all obvious.

The best case may be fully supporting custom claims within the oidc provider. If not, then restricting rules to allowed claims would be helpful, and if not that, then please document the limitations.

@ivan-degtiarenko (Contributor) commented

The way the ACS OIDC provider works is that it takes the claims from the token issued by the underlying IdP and adds them to the ACS-issued token.
By default, only the aforementioned claims (name, email, sub, groups) are added. However, there is an ability to add custom claim mappings, which will transform an IdP token claim into an ACS-issued token claim. You can find documentation here: doc

There are two ways to add these claim mappings to auth provider:

  1. By using auth provider API
  2. Starting with 4.1, you can leverage the declarative config functionality, which allows you to create auth resources via a k8s ConfigMap/Secret.

At the moment you can't add claim mappings via auth provider UI, however, it is on our roadmap.
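Putting the two approaches above together, here is what a declarative auth provider configuration (the 4.1+ ConfigMap/Secret route) looks like when it maps a custom IdP claim into the ACS-issued token and then uses that claim in a role mapping rule. This is an added example, not a file from the project or from anyone in this thread; the issuer, client values, the Auth0-style namespaced claim path and the role names are constructed placeholders, and the field names follow the declarative configuration schema as I understand it and should be checked against the docs for your release.

```yaml
# Constructed example: contents of one key in the ConfigMap/Secret that
# Central mounts for declarative configuration (the mount itself is set up
# separately and is not shown here).
name: auth0-oidc            # display name of the auth provider in ACS
minimumRole: None           # role for users matched by no rule below
uiEndpoint: central.example.com:443   # placeholder Central endpoint

# Claim mappings: copy a claim from the IdP token (path) into the
# ACS-issued token under a new name (name). Without this, only
# name/email/sub/groups reach the ACS token and the rule below could
# never match. Auth0 custom claims are typically namespaced URLs,
# hence the path value; it is a placeholder here.
claimMappings:
  - path: https://example.com/team
    name: team

# Role mapping rules evaluated against the ACS-issued token claims,
# so the key is the mapped name ("team"), not the raw IdP path.
groups:
  - key: team
    value: platform
    role: Admin
  - key: team
    value: security
    role: Analyst

# The OIDC backend itself; secrets belong in a Secret, not a ConfigMap.
oidc:
  issuer: https://PLACEHOLDER.auth0.com/
  mode: auto
  clientID: PLACEHOLDER_CLIENT_ID
  clientSecret: PLACEHOLDER_CLIENT_SECRET
```

Because the rule keys refer to claim names in the ACS-issued token, a rule on a claim that has no mapping (and is not one of the four defaults) silently matches nothing, which is the behaviour the issue reporter ran into.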

@rukletsov (Member) commented Jan 31, 2024

@ghoff, the upcoming 4.5.0 version will also have the UI for the mapping functionality.
