This repository was archived by the owner on May 14, 2025. It is now read-only.

OAuth 2 Group Mapping Documentation is not accurate/complete/bug #5622

@miller79

Description:
I attempted to deploy SCDF locally using version 25.1.3 of the Bitnami helm charts with the following configuration following the documentation and it does not seem to work as expected. I have the following configuration:

```yaml
security:
  authorization:
    provider-role-mappings:
      keycloak:
        map-oauth-scopes: false
        map-group-claims: true
        group-claim: scdf-groups
        group-mappings:
          ROLE_VIEW: scdf-view
          ROLE_CREATE: ROLE_CREATE
          ROLE_DEPLOY: ROLE_DEPLOY
          ROLE_DESTROY: ROLE_DESTROY
          ROLE_MANAGE: ROLE_MANAGE
          ROLE_MODIFY: ROLE_MODIFY
          ROLE_SCHEDULE: ROLE_SCHEDULE
```

I mapped a custom claim with my security configuration to the scdf-groups claim with the values scdf-view and the CustomOAuth2OidcUserServer logs the following.

```
roleClaims: []
```

After looking at the code for the CustomOAuth2OidcUserServer, I realized that it looks like it only looks at the groups claim or the roles claim for values so without changing any settings just changed it to be under the groups claim and it logged the following:

```
roleClaims: [scdf-view]
```

And it worked as expected by mapping that role to the ROLE_VIEW role.

I've looked around and it looks like the only class that supports that group-claim attribute is the MappingJwtGrantedAuthoritiesConverter which doesn't appear to be called in the current flow. Am I missing a configuration somewhere that the documentation needs to be updated to reflect or is this a bug?

I can provide more details if needed, but I've followed the documentation for the minimal required setup using the following details:

```yaml
security:
  oauth2:
    client:
      registration:
        keycloak:
          redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
          authorization-grant-type: authorization_code
          client-id: ${scdf-keycloak-client-id}
          client-secret: ${scdf-keycloak-client-secret}
          scope:
            - openid
      provider:
        keycloak:
          jwk-set-uri: {{ .Values.keycloak.baseUrl }}/auth/realms/security360/protocol/openid-connect/certs
          token-uri: {{ .Values.keycloak.baseUrl }}/auth/realms/security360/protocol/openid-connect/token
          user-info-uri: {{ .Values.keycloak.baseUrl }}/auth/realms/security360/protocol/openid-connect/userinfo
          user-name-attribute: user_name
          authorization-uri: {{ .Values.keycloak.baseUrl }}/auth/realms/security360/protocol/openid-connect/auth
    resourceserver:
      opaquetoken:
        introspection-uri: {{ .Values.keycloak.baseUrl }}/auth/realms/security360/protocol/openid-connect/token/introspect
        client-id: ${scdf-keycloak-client-id}
        client-secret: ${scdf-keycloak-client-secret}
```

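The mapping behaviour described in this report, as an added illustration (not Spring Cloud Data Flow's own code): it models the `provider-role-mappings` block above and contrasts a mapper that honours the configured `group-claim` name with one that, as the reporter observed, only consults the `groups` or `roles` claim. The token claims, the `_as_list` helper and the accepted claim formats (JSON array or space-separated string) are assumptions made for the example.

```python
"""Claim-to-role mapping for the configuration posted in the issue.

Added example, not the project's own code. It shows why a group claim named
`scdf-groups` yields roleClaims: [] when only `groups`/`roles` are read.
"""
from typing import Any

# Constructed from the issue's group-mappings block: ROLE_* -> claim value.
GROUP_MAPPINGS = {
    "ROLE_VIEW": "scdf-view",
    "ROLE_CREATE": "ROLE_CREATE",
    "ROLE_DEPLOY": "ROLE_DEPLOY",
    "ROLE_DESTROY": "ROLE_DESTROY",
    "ROLE_MANAGE": "ROLE_MANAGE",
    "ROLE_MODIFY": "ROLE_MODIFY",
    "ROLE_SCHEDULE": "ROLE_SCHEDULE",
}

# Constructed ID-token claims (assumed): the custom claim is `scdf-groups`.
TOKEN_CLAIMS: dict[str, Any] = {"sub": "alice", "scdf-groups": ["scdf-view"]}


def _as_list(value: Any) -> list[str]:
    """Accept a JSON array or a space-separated string (assumed formats)."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    return [str(v) for v in value]


def role_claims_from_configured_claim(claims: dict, group_claim: str) -> list[str]:
    """Read the claim named by `group-claim`, which is what the docs imply."""
    return _as_list(claims.get(group_claim))


def role_claims_groups_or_roles(claims: dict) -> list[str]:
    """Behaviour the reporter observed: only `groups`, then `roles`, are read."""
    return _as_list(claims.get("groups", claims.get("roles")))


def map_to_roles(role_claims: list[str], mappings: dict[str, str]) -> list[str]:
    """Translate claim values into ROLE_* names; unmapped values are dropped."""
    by_claim_value = {value: role for role, value in mappings.items()}
    return sorted({by_claim_value[c] for c in role_claims if c in by_claim_value})
```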
Labels: status/need-triage (Team needs to triage and take a first look)