hostedDomains OIDC Rejects Everything
ikegentz opened this issue · 0 comments
We are attempting to get Concourse working via OIDC so our team can log into it using their Google accounts. This is working; however, we then attempted to restrict the domain to only our organization via the following setting:
oidc:
  enabled: true
  displayName: "Google"
  hostedDomains:
    - "*********.com"
  issuer: "https://accounts.google.com"
  userNameKey: email
We get the error `unexpected hd claim ***********.com`.
I can confirm that this is indeed setting the correct environment variable in the web pod:
kubectl describe pod -n concourse <pod ID>
CONCOURSE_OIDC_HOSTED_DOMAINS: [<*********>.com]
I have experimented with wildcards as well, such as simply doing this:
...
  hostedDomains:
    - "*"
...
However, whenever signing in, no matter what value is set for hostedDomains, we get this error:
unexpected hd claim ***********.com
We have browsed through the Dex code that appears to handle this, and it looks like a simple string comparison. I'm not sure how this could fail to work unless I am possibly missing another setting?
Thanks.
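As an added illustration (not Dex's or Concourse's own code), the snippet below mirrors the exact-match semantics the reporter describes: the `hd` claim must equal one of the configured hosted domains byte for byte, so a wildcard, a stray quote, bracket or whitespace in the effective value all produce the same "unexpected hd claim" rejection. The function name and the `example.com` values are constructed for the example.

```go
package main

import (
	"fmt"
)

// checkHostedDomain is a hypothetical helper that reproduces an exact-match
// allow-list check on the OIDC "hd" claim. An empty list means no restriction.
// There is deliberately no wildcard, suffix or case-insensitive matching.
func checkHostedDomain(hd string, hostedDomains []string) error {
	if len(hostedDomains) == 0 {
		return nil
	}
	for _, d := range hostedDomains {
		if hd == d {
			return nil
		}
	}
	return fmt.Errorf("unexpected hd claim %s", hd)
}

func main() {
	// Constructed hd claim as Google would return it for a Workspace account.
	hd := "example.com"

	// Each case is one effective hostedDomains value a deployment might end up
	// with; only the first matches because the comparison is literal.
	cases := map[string][]string{
		"exact domain":          {"example.com"},
		"wildcard":              {"*"},
		"quote kept in value":   {`"example.com"`},
		"brackets kept in value": {"<example.com>"},
		"trailing whitespace":   {"example.com "},
		"upper case":            {"Example.com"},
		"no restriction":        {},
	}
	for name, allowed := range cases {
		if err := checkHostedDomain(hd, allowed); err != nil {
			fmt.Printf("%-24s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-24s accepted\n", name)
		}
	}
}
```

When debugging a rejection, dump the effective value the process actually sees (for a container, the environment of the running process) and compare it character by character with the `hd` claim in the rejected ID token.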