
Auth provider OIDC not listing the groups #8715

Open
matthiasdeblock opened this issue Nov 20, 2023 · 5 comments

Comments


matthiasdeblock commented Nov 20, 2023

Hi

We are testing the OpenID Connect auth provider but are unable to list the groups in the 'Test login'.

When looking at our access manager (ForgeRock), we noticed that there is no groups scope request. Only the following scopes are in the request to the access manager according to the AM logs:

"scope":"openid profile email"

When looking at the code (not a Go expert) I did find this (pkg/auth/authproviders/oidc/backend_impl.go):

```go
// Excerpt from pkg/auth/authproviders/oidc/backend_impl.go: the scope list is fixed here.
func createBaseOAuthConfig(clientID string, clientSecret string, endpoint oauth2.Endpoint, helper *endpoint.Helper, offlineAccessSupported bool) (oauth2.Config, error) {
	baseConfig := oauth2.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		Endpoint:     endpoint,
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
	}
	// offline_access is only requested for confidential clients that advertise support for it.
	if clientSecret != "" && offlineAccessSupported {
		baseConfig.Scopes = append(baseConfig.Scopes, oidc.ScopeOfflineAccess)
	}

	var err error
	baseConfig.Endpoint.AuthURL, err = helper.AdjustAuthURL(baseConfig.Endpoint.AuthURL)
	if err != nil {
		return oauth2.Config{}, err
	}
	return baseConfig, nil
}
```

The 'groups' scope isn't passed on to the Scopes config. Only openid (ScopeOpenID), profile and email are.

The configuration we are passing on to the API to create the AuthProvider:

```json
{
  "name": "ForgeRock_api_test",
  "type": "oidc",
  "uiEndpoint": "central.example.com",
  "enabled": true,
  "config": {
    "client_id": "<our_client_id>",
    "client_secret": "<our_client_secret>",
    "issuer": "https://forgerock.example.com:443/poam/oauth2/",
    "mode": "auto"
  },
  "validated": false,
  "extraUiEndpoints": [],
  "active": false,
  "requiredAttributes": [],
  "traits": {
    "mutabilityMode": "ALLOW_MUTATE",
    "visibility": "VISIBLE",
    "origin": "IMPERATIVE"
  }
}
```

Is there something we are missing here to get the groups in the scopes?

Stackrox version: v4.3.x-199-g63837ac284

Thank you!

Regards
Matthias

@rukletsov (Member)

@matthiasdeblock `groups` is not a standard OIDC scope, hence we don't request it. Usually it's possible to configure an IdP to include group information in the token. Maybe you can configure ForgeRock to do that? Maybe enabling "Always Return Claims in ID Tokens" under OAuth2 Provider > Advanced OpenID Connect would work.
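The two points raised so far, the fixed scope list in `createBaseOAuthConfig` and the fact that group membership has to arrive as a claim in the ID token, are illustrated by the following added example. It is not StackRox code and not part of this thread: `buildScopes` is a hypothetical helper showing how operator-supplied extra scopes such as `groups` could be merged into the fixed list, and `groupsFromClaims` shows how a consumer would read the non-standard `groups` claim once the IdP emits it, treating a missing or malformed claim as an explicit error instead of an empty group list. The sample ID token is constructed inline with the placeholder issuer from the issue and a fake signature; in real use the claims must come from a token the OIDC library has already verified against the issuer's JWKS.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// buildScopes is a hypothetical helper (not StackRox code): the fixed list from
// createBaseOAuthConfig plus operator-supplied extras such as "groups".
// "openid" always stays first and duplicates or blanks are dropped.
func buildScopes(extra []string, offlineAccess bool) []string {
	scopes := []string{"openid", "profile", "email"}
	if offlineAccess {
		scopes = append(scopes, "offline_access")
	}
	seen := make(map[string]bool, len(scopes)+len(extra))
	for _, s := range scopes {
		seen[s] = true
	}
	for _, s := range extra {
		s = strings.TrimSpace(s)
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		scopes = append(scopes, s)
	}
	return scopes
}

// ErrNoGroups is returned when the IdP did not include a groups claim,
// which is the situation the "Test login" in the issue ran into.
var ErrNoGroups = errors.New("id token carries no groups claim")

// decodeJWTPayload splits a compact JWS and JSON-decodes its payload. It does
// NOT check the signature: call it only on a token already verified against
// the issuer's JWKS, otherwise the claims cannot be trusted.
func decodeJWTPayload(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS (expected 3 dot-separated parts)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return claims, nil
}

// groupsFromClaims reads the non-standard "groups" claim. IdPs emit it either
// as a JSON array of strings or, for a single membership, as a bare string;
// any other shape is rejected rather than silently mapped to "no groups".
func groupsFromClaims(claims map[string]any) ([]string, error) {
	raw, ok := claims["groups"]
	if !ok {
		return nil, ErrNoGroups
	}
	switch v := raw.(type) {
	case []any:
		out := make([]string, 0, len(v))
		for _, g := range v {
			s, ok := g.(string)
			if !ok {
				return nil, fmt.Errorf("groups entry %v is not a string", g)
			}
			out = append(out, s)
		}
		return out, nil
	case string:
		return []string{v}, nil
	default:
		return nil, fmt.Errorf("unexpected type %T for groups claim", raw)
	}
}

// sampleIDToken builds a constructed, unsigned ID token for the demo. The
// issuer is the placeholder from the issue; the signature part is fake.
func sampleIDToken(groups []string) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	payload := map[string]any{"iss": "https://forgerock.example.com:443/poam/oauth2/", "sub": "alice"}
	if groups != nil {
		payload["groups"] = groups
	}
	return enc(header) + "." + enc(payload) + ".fake-signature"
}

func main() {
	fmt.Println(buildScopes([]string{"groups"}, true))
	claims, _ := decodeJWTPayload(sampleIDToken([]string{"admins", "devs"}))
	fmt.Println(groupsFromClaims(claims)) // [admins devs] <nil>
	claims, _ = decodeJWTPayload(sampleIDToken(nil))
	fmt.Println(groupsFromClaims(claims)) // [] id token carries no groups claim
}
```

Returning `ErrNoGroups` rather than an empty slice matters for the mapping step: an empty group list would quietly match no role, while a distinct error lets the login test report that the IdP never sent the claim, which is exactly the diagnosis this thread needed.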


matthiasdeblock commented Nov 20, 2023 via email

@porridge (Contributor)

@rukletsov any updates from your side?

@rukletsov (Member)

Yeah, it's not possible to configure the scopes today, but I think we can add the possibility.

@0x656b694d (Contributor)

The issue has been registered as ROX-23628 in our system and will be addressed in accordance with our current availability, the priority level of the issue, and our ongoing project plans. We are committed to providing quality service and handling each query with the utmost importance.

While I don't have an exact timeline right now, please rest assured that we are on it. We will keep you updated on the progress and notify you as soon as we have more specific information or require further details.

Thank you for your understanding and patience.
