Dex: with LDAP connect, cant get group info from token

Created on 15 Dec 2016  路  10Comments  路  Source: dexidp/dex

Hi i'm trying to use dex for k8s authn/authz.
I use LDAP connector with bleow image and configuration.

below is docker image I use
image: quay.io/coreos/dex:v2.0.0-beta.1

below is my ldap connector configuration

 - type: ldap
 id: ldap
 config:
   host: openldap.kube-system.svc.cluster.io:389
   insecureNoSSL: true
   bindDN: cn=admin,dc=local,dc=io
   bindPW: admin
   userSearch:
     baseDN: ou=users,dc=local,dc=io
     filter: "(objectClass=posixAccount)"
     username: uid
     idAttr: uid
     emailAttr: mail
     nameAttr: uid
  groupSearch:
    baseDN: ou=groups,dc=example,dc=com
    filter: "(objectClass=posixGroup)"
    userAttr: uid
    groupAttr: memberUid
    nameAttr: cn

from above
I can get token using the example-app
but the claim doesnt have any group information

Claims:

{
  "iss": "https://kube-1.local.io:30443",
  "sub": "keyolk",
  "aud": "example-app",
  "exp": 1481884152,
  "iat": 1481797752,
  "email": "[email protected]",
  "email_verified": false,
  "name": "keyolk"
}

I can get the entry from ldap client.

# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3

version: 1

# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct

Does anyone can inform me what I have to check more ?
I saw below, but cant understand...
https://github.com/coreos/dex/issues/536

or is it related to examle-app ?

below is logs from example-app

{
  "issuer": "https://kube-1.local.io:30443",
  "authorization_endpoint": "https://kube-1.local.io:30443/auth",
  "token_endpoint": "https://kube-1.local.io:30443/token",
  "jwks_uri": "https://kube-1.local.io:30443/keys",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}
waiting for info

Most helpful comment

screenshot from 2016-12-15 13-13-07

All 10 comments

I think you're missing the extra "groups" scope.

@ericchiang Thanks reply,
but what does it mean "missing the extra "groups" scope."
to where ?

I can get a group which matching with given uid

# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3

version: 1

# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct

OAuth2 scopes https://tools.ietf.org/html/rfc6749#section-4.1.1

The examples app as an "additional scopes" field you can type "groups" into.

@ericchiang
Oh, I see

seems I have to add additional filed to my static client.
Thanks alot

I'll close this after checking furthers.

seems I have to add additional filed to my static client.

Can you expand on that?

Ideally we'd like to turn this into a doc requirement. E.g. "document accepted scope" or "example app needs better documentation"

@ericchiang
Well... sadly not done yet.
I cant find how I can set scope to example-app : (
Could you inform me something more ?
and how I can enable debug logs on dex server ?

here my dex configs

kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
  namespace: kube-system
data:
  config.yaml: |
    issuer: https://kube-1.local.io:30443

    storage:
      type: kubernetes
      config:
        inCluster: true

    web:
      https: 0.0.0.0:443
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key

    connectors:
    - type: oidc
      id: google
      name: Google
      config:
        issuer: https://accounts.google.com
        clientID: $GOOGLE_CLIENT_ID
        clientSecret: $GOOGLE_CLIENT_SECRET
        redirectURI: https://kube-1.local.io:30443/callback
    - type: github
      id: github
      name: GitHub
      config:
        clientID: $GITHUB_CLIENT_ID
        clientSecret: $GITHUB_CLIENT_SECRET
        redirectURI: https://kube-1.local.io:30443/callback
    - type: ldap
      id: ldap
      config:
        host: openldap.kube-system.svc.cluster.io:389
        insecureNoSSL: true
        bindDN: cn=admin,dc=local,dc=io
        bindPW: admin
        userSearch:
          baseDN: ou=users,dc=local,dc=io
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: uid
        groupSearch:
          baseDN: ou=groups,dc=example,dc=com
          filter: "(objectClass=posixGroup)"
          userAttr: uid
          groupAttr: memberUid
          nameAttr: cn

    oauth2:
      skipApprovalScreen: true

    staticClients:
    - id: example-app
      redirectURIs:
        - 'http://kube-1.local.io:30080/callback'
      name: 'Example App'
      secret: ZXhhbXBsZS1hcHAtc2VjcmV0

    enablePasswordDB: true
    staticPasswords:
    - email: "[email protected]"

and here my logs from example-app

2016/12/15 19:44:52 GET /.well-known/openid-configuration HTTP/1.1                                                                   [23/84]
Host: kube-1.local.io:30443

2016/12/15 19:44:52 HTTP/1.1 200 OK
Content-Length: 709
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:44:52 GMT

{
  "issuer": "https://kube-1.local.io:30443",
  "authorization_endpoint": "https://kube-1.local.io:30443/auth",
  "token_endpoint": "https://kube-1.local.io:30443/token",
  "jwks_uri": "https://kube-1.local.io:30443/keys",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}
2016/12/15 19:44:52 listening on http://0.0.0.0:80
2016/12/15 19:47:00 POST /token HTTP/1.1
Host: kube-1.local.io:30443
Authorization: Basic ZXhhbXBsZS1hcHA6WlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYw
Content-Type: application/x-www-form-urlencoded

client_id=example-app&code=mut4jfuzrztpbv4r23p2tnufb4&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fkube-1.local.io%3A30080%2Fcall
back
2016/12/15 19:47:00 HTTP/1.1 200 OK
Content-Length: 806
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:47:00 GMT

{"access_token":"xmroqflaz72apjsjxea2adreoq","token_type":"bearer","expires_in":86399,"refresh_token":"5pi3my6n3cxnzxwqght76ovcvm","id_token
":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ.eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0My
IsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3
ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0.JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblN
p2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS
_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ"}
2016/12/15 19:47:00 GET /keys HTTP/1.1
Host: kube-1.local.io:30443

2016/12/15 19:47:00 HTTP/1.1 200 OK
Content-Length: 1032
Cache-Control: max-age=18932, must-revalidate
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:47:00 GMT

{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "34ec10a54ea6aa0fe1445c02ebb0585ab8005b77",
      "alg": "RS256",
      "n": "2aWvVAARbcV0Lxjar_IsCjik5AfSi0Cn5YWpwEsnGSUO0iZwMhmBeuZCmlxAGZ2EABEY9kjCfXEk5VLS4RxgtjGpSwsI7UuOWGbIVrCUhw2qPLC1lxDbBKWuxFE0aHtM
MdksJMT_2Axt2MOjWJ4XfJwAwhjtj4WTd5CtFD-29zq3kFb_UCm-BEdYGvq87Kxpi2mC40EA7LqSovcblDn7ZOSVkww0dRmBf1Dp0ubauqeekbATWhoEPowLq5nm-pvpG0plxrsVEn5E
qcKBeletWZSyIBmFcpP0PJgjXXI6w60LnkTVv2N5cJ4sKe1OC9ttGgVprZmdOO0XcPSKr2qw6Q",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "a9c07d84a51fa93edfc6cc5c010be12021ebfa78",
      "alg": "RS256",
      "n": "02eb_CvYVuMTeOXe0Vfx30JUIoZtgDud-Zx9QyN1uRDPJFV5gPbiqPKSZdhmAAkKzg7xwLHuKQqSxkAoStvwLHynPdN9qrNoKwwIPZ5ZI50647UhsjrMeN6_uEnghg3K
18RSwZKmNYl57nBOG5wkAjk-0XVimPhMYwOw3v6Kx8p4Xqvkdfd3G-yIP1TOCOL27O705Dswo52g6c9EhGHBjnHTyU_dGNqsOH7Dd3xlNmLd3_-DWcsxIkGv76peIfFdo5OZRNoWgp-t
eg8X99SzUbKmCSkgLnsvykE3DzhBZ8ILgoWxGtzkk2PJZL22bwbxQb-tCCAyXAxKRufqXuDW4Q",
      "e": "AQAB"
    }
  ]
}

here the token I get

Token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ.eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0MyIsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0.JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblNp2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ
Claims:

{
  "iss": "https://kube-1.local.io:30443",
  "sub": "keyolk",
  "aud": "example-app",
  "exp": 1481917620,
  "iat": 1481831220,
  "email": "[email protected]",
  "email_verified": true,
  "name": "keyolk"
}
Refresh Token:

5pi3my6n3cxnzxwqght76ovcvm

screenshot from 2016-12-15 13-13-07

@ericchiang
oh my,
why I didnt see that;

And Could you inform me how I can enable more logs ?

2016/12/15 21:24:48 Failed to login user: ldap: failed to query groups: ldap: search failed: LDAP Result Code 32 "No Such Object":

below is my group info in LDAP

# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3

version: 1

# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct

This looks wrong.

          baseDN: ou=groups,dc=example,dc=com

Please review https://github.com/coreos/dex/blob/master/Documentation/ldap-connector.md#example-mapping-a-schema-to-a-search-config

@ericchiang
arghh...... how I did silly.
Thanks alot, it works.

Was this page helpful?
0 / 5 - 0 ratings