Auth provider OIDC not listing the groups #8715
Comments
@matthiasdeblock |
Hi
The id token does have the groups information. Our other apps, for example
Argocd, are working with the groups in the id token. They receive the
groups as they ask for it. Stackrox does not ask for it so it does not
receive it.
Is it possible to configure the scopes?
Thanks!
Regards
Matthias
…On Mon, Nov 20, 2023, 8:55 PM Alex Rukletsov ***@***.***> wrote:
@matthiasdeblock <https://github.com/matthiasdeblock> groups is not a
standard OIDC scope hence we don't request it. Usually it's possible to
configure an IdP to include groups information into the token. Maybe you
can configure ForgeRock to do that? Maybe enabling "Always Return Claims in
ID Tokens" under OAuth2 Provider > Advanced OpenID Connect would work
|
@rukletsov any updates from your side? |
Yeah, it's not possible to configure the scopes today but I think we can add the possibility. |
The issue has been registered as ROX-23628 in our system and will be addressed in accordance with our current availability, the priority level of the issue, and our ongoing project plans. We are committed to providing quality service and handling each query with the utmost importance. While I don't have an exact timeline right now, please rest assured that we are on it. We will keep you updated on the progress and notify you as soon as we have more specific information or require further details. Thank you for your understanding and patience. |
Hi
We are testing the OpenID Connect auth provider but are unable to list the groups in the 'Test login'.
When looking at our access manager (ForgeRock), we noticed that there is no groups scope request. Only the following scopes are in the request to the access manager according to the AM logs:
When looking at the code (not a Go expert) I did find this (pkg/auth/authproviders/oidc/backend_impl.go):
The 'groups' isn't passed on to the Scopes variable/config. Only openid (ScopeOpenID), profile and email.
The configuration we are passing on to the API to create the AuthProvider:
Is there something we are missing here to get the groups in the scopes?
Stackrox version: v4.3.x-199-g63837ac284
Thank you!
Regards
Matthias
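An added example, not StackRox code and not part of the original post: one way a relying party could append operator-configured scopes such as `groups` to the `openid`, `profile` and `email` defaults named above. The `extra` setting, the client ID and the redirect URI are hypothetical. Each token is checked against the RFC 6749 scope grammar, because a value containing a space would be read by the IdP as two separate scopes.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Scopes the issue reports as always requested: openid, profile, email.
var defaultScopes = []string{"openid", "profile", "email"}

// validScopeToken enforces the RFC 6749 section 3.3 scope-token grammar:
// one or more of %x21 / %x23-5B / %x5D-7E (no space, quote or backslash).
func validScopeToken(s string) bool {
	for i := 0; i < len(s); i++ {
		if c := s[i]; c < 0x21 || c > 0x7e || c == '"' || c == '\\' {
			return false
		}
	}
	return s != ""
}

// buildScopes appends extra scopes (a hypothetical operator setting) to the
// defaults, dropping duplicates and rejecting malformed tokens.
func buildScopes(extra []string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, s := range append(append([]string{}, defaultScopes...), extra...) {
		if !validScopeToken(s) {
			return nil, fmt.Errorf("invalid scope token %q", s)
		}
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out, nil
}

// authRequestQuery renders the authorization request query; scopes are space-delimited.
func authRequestQuery(clientID, redirectURI string, scopes []string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "scope": {strings.Join(scopes, " ")}}
	return q.Encode()
}

func main() {
	scopes, err := buildScopes([]string{"groups", "email"}) // constructed sample input
	fmt.Println(authRequestQuery("example-client", "https://central.example.invalid/callback", scopes), err)
}
```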