Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Group Claim compatibility with custom OIDC providers #19756

Open
vbob opened this issue Dec 23, 2023 · 2 comments · May be fixed by #19772
Open

Improve Group Claim compatibility with custom OIDC providers #19756

vbob opened this issue Dec 23, 2023 · 2 comments · May be fixed by #19772
Assignees
@stonezdj
Labels
area/oidc kind/requirement New feature or idea on top of harbor

Comments

@vbob
Copy link

vbob commented Dec 23, 2023
edited

A commercial SSO solution which supports OIDC returns the following JSON on the userinfo_endpoint URL:

{
  "id": "[REDACTED]",
  "name": "vitor.barth",
  "profilePictureUrl": "[REDACTED]",
  "email": "vitor.barth@[REDACTED] ",
  "sub": "[REDACTED]",
  "verified": true,
  "phoneNumber": null,
  "provider": "oidc",
  "mfaEnrolled": false,
  "metadata": null,
  "vendorMetadata": null,
  "roles": [
    {
      "id": "[REDACTED]",
      "vendorId": "[REDACTED]",
      "key": "registry",
      "name": "Registry",
      "description": null,
      "isDefault": false,
      "firstUserRole": false,
      "createdAt": "2023-12-22T19:59:23.000Z",
      "updatedAt": "2023-12-22T19:59:23.000Z",
      "permissions": [],
      "level": 0
    }
  ],
  "permissions": [],
  "createdAt": "2023-12-22T19:54:15.000Z",
  "lastLogin": "2023-12-22T23:27:11.000Z",
  "isLocked": false,
  "managedBy": "[REDACTED]"
}

where the roles tag indicates the groups which this user belongs.

However, Harbor expects the Group list to be an String Map, and throws the following error

Dec 23 00:58:32 registry core[22271]: 2023-12-23T00:58:32Z [WARNING] [/pkg/oidc/helper.go:401]: Element in group list is not string: map[createdAt:2023-12-22T19:59:23.000Z description:<nil> firstUserRole:false id:[REDACTED] isDefault:false key:registry level:0 name:Registry permissions:[] updatedAt:2023-12-22T19:59:23.000Z vendorId:[REDACTED]]

because it could not decode the group claim correctly, since it is actually a JSON.

Cause

The problem arises when /pkg/oidc/helper.go does

if remote.hasGroupClaim {
		res.Groups = remote.Groups
		res.AdminGroupMember = remote.AdminGroupMember
		res.hasGroupClaim = true
	}

so it forces the mapper to use the profile JSON returned by the provider if it has group claims. However, since the ID Token has the correct structure, it could also be used if the mapper fails as a fallback (because the user is valid).

This can be verified since when this conditional is deleted, the groups are correctly mapped using the ID Token.

Proposed Solution

When the remote.Groups fails to be parsed but the server returned the user correctly, it should fallback to the local.Groups before giving up parsing.

After a proper way of solving it is set, I can gladly implement it.
@vbob vbob changed the title Group Claim compatibility with OIDC providers Group Claim compatibility with custom OIDC providers Dec 23, 2023
@vbob vbob changed the title Group Claim compatibility with custom OIDC providers Improve Group Claim compatibility with custom OIDC providers Dec 23, 2023
@zyyw
Copy link
Contributor

zyyw commented Dec 25, 2023

cc: @stonezdj

@zyyw zyyw added the area/oidc label Dec 25, 2023
@zyyw zyyw added the kind/requirement New feature or idea on top of harbor label Dec 26, 2023
@zyyw
Copy link
Contributor

zyyw commented Dec 26, 2023

You are welcome to submit a PR regarding this issue. And thanks for your contributing in advance.

@vbob vbob linked a pull request Dec 27, 2023 that will close this issue
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stonezdj stonezdj

Labels
area/oidc kind/requirement New feature or idea on top of harbor
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Corrects OIDC group parsing in case userinfo_endpoint is not OIDC compliant vbob/harbor
3 participants
@stonezdj @vbob @zyyw