Groups claim isn't a flat list
BrentRose opened this issue · 4 comments
Describe the question
My OIDC provider lists my groups in the following format
"realm_access": {
"roles": [
"k8s-dev-cluster-admin",
"default-roles-mj-kubernetes",
"offline_access",
"uma_authorization"
]
},
Is it possible to tell kube-apiserver to use this in the --oidc-groups-claim attribute? Or can I just use "realm_access" and somehow reference the object beneath it?
I tried:
--oidc-groups-claim=realm_access
--oidc-groups-claim=realm_access.roles
Just got the idea to try
--oidc-groups-claim=realm_access.roles[]
I'll try that now but wanted to get this out here to see if anyone solved this already.
I tried --oidc-groups-claim=realm_access.roles[] which didn't help. I also tried a JSON pointer like --oidc-groups-claim=realm_access/roles
@BrentRose I was just trying to do the exact same thing as you were. The problem seems to be the code in the Kubernetes API server - it doesn't appear to have code to handle nested objects. See https://github.com/kubernetes/apiserver/blob/0e613811b6d0e41341abffac5a2f423eeee0fbaf/plugin/pkg/authenticator/token/oidc/oidc.go#L692.
You can work around the API server limitations by changing how Keycloak presents the claim. Go to Client Scopes -> roles -> Mappers. Instead of editing the existing "realm roles" I created a new one (Add mapper button -> By configuration) and named it "realm roles flat" with all the same settings as the original, except you put a backslash in front of the period for the token claim name, i.e. use "realm_access\.roles". If you do that, the API server command line argument should be "--oidc-groups-claim=realm_access.roles". This seemed to work for me. I know it's been a while since your OP, so maybe this won't help you now.
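To make the difference between the two token shapes concrete, here is a small Go model of a groups-claim lookup that treats the configured claim name as a literal top-level key with no path traversal, which is the limitation described above. This is an added illustration written for this thread, not the kube-apiserver's own code; the two payloads are constructed samples, and the rule that a string or a list of strings is accepted while anything else is rejected is an assumption of the model.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample payloads (not real tokens). nestedPayload is the shape
// from the issue; flatPayload is what a Keycloak mapper named
// "realm_access\.roles" produces: one top-level key whose name contains a dot.
const nestedPayload = `{"sub":"u1","realm_access":{"roles":["k8s-dev-cluster-admin","offline_access"]}}`
const flatPayload = `{"sub":"u1","realm_access.roles":["k8s-dev-cluster-admin","offline_access"]}`

// groupsFromClaim looks up the claim by its exact top-level key name (no
// dotted-path or JSON-pointer traversal) and accepts either a JSON array of
// strings or a single string. A nested object, as in nestedPayload, is rejected.
func groupsFromClaim(payload, claim string) ([]string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, fmt.Errorf("invalid claims JSON: %w", err)
	}
	raw, ok := claims[claim]
	if !ok {
		return nil, fmt.Errorf("claim %q not present at top level", claim)
	}
	var list []string
	if err := json.Unmarshal(raw, &list); err == nil {
		return list, nil
	}
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return []string{single}, nil
	}
	return nil, fmt.Errorf("claim %q is neither a string nor a list of strings", claim)
}

func main() {
	for _, tc := range []struct{ payload, claim string }{
		{nestedPayload, "realm_access.roles"}, // dotted name is not a path: missing
		{nestedPayload, "realm_access"},       // present, but an object: rejected
		{flatPayload, "realm_access.roles"},   // flattened mapper output: works
	} {
		groups, err := groupsFromClaim(tc.payload, tc.claim)
		fmt.Printf("claim=%-20s groups=%v err=%v\n", tc.claim, groups, err)
	}
}
```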
Thanks for the suggestion @brandonp42. Unfortunately I didn't have access to update the provider. I was able to get this working by pulling in an LDAP attribute to provide the groups. I'll close out this issue for now.