I need little help with integrating Pomerium->Dex->Auth0 with groups support.
Dex config:
- type: oidc
id: auth0
name: Auth0
config:
issuer: https://<redacted>.eu.auth0.com/
clientID: <redacted>
clientSecret: <redacted>
redirectURI: https://dex.<redacted>/callback
scopes:
- openid
- profile
- email
claimMapping:
groups: 'https://example.com/claims/groups'
preferred_username: email
getUserInfo: true
Auth0 rule snippet:
function (user, context, callback) {
var namespace = 'https://example.com/claims/';
context.idToken[namespace + "groups"] = user.groups;
callback(null, user, context);
}
Pomerium config:
provider: oidc
url: https://dex.<redacted>
clientID: pomerium
clientSecret: <redacted>
scopes:
- openid
- profile
- email
- groups
policy:
- from: https://whoami.<redacted>
to: https://whoami.<redacted>
allowed_idp_claims:
groups:
- admins
Latest pomerium/pomerium:master image implements allowed_idp_claims (https://github.com/pomerium/pomerium/pull/1542)
But seems that group, nor preferred_username values are not claimed. Any idea why ?
The problem with groups is, at first glance, that to get them from a provider you need to enable insecureEnableGroups option in Dex (even using claimMapping).
Could you please provide dex logs during authentication? I feel like I am able to help you.
@nabokihms thanks.
Here is log from dex ( including insecureEnableGroups ):
{"level":"info","msg":"config storage: kubernetes","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config static client: pomerium","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config static client: argocd","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config static client: gitlab","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config connector: auth0","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config connector: local passwords enabled","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config skipping approval screen","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"listening (http/telemetry) on 0.0.0.0:5558","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"listening (http) on 0.0.0.0:5556","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"login successful: connector \"auth0\", username=\"John Doe\", preferred_username=\"\", email=\"[email protected]\", groups=[]","time":"2020-10-31T17:58:06Z"}
Looks strange. On my test stand, using provided dex settings for auth0 provider, logs look like:
{"level":"info","msg":"login successful: connector \"auth0-oidc\", username=\"ma****@flant.com\", preferred_username=\"ma****@flant.com\", email=\"ma****@flant.com\", groups=[\"admins\" \"everyone\"]","time":"2020-10-31T21:51:04Z"}
The only difference I made was in the auth0 rule.
function (user, context, callback) {
var namespace = 'https://example.com/claims/';
context.idToken[namespace + "groups"] = ["admins", "everyone"];
console.log(context);
callback(null, user, context);
}
It leaves us two possible reasons:
quay.io/dexidp/dex:v2.25.0).auth0 configuration (rules, settings, etc), but I don't understand why the preferred_username claim is empty in this case.Sorry, my mistake 🤦♂️ , dex helm chart 2.15.0 does not use latest version of dex image 2.25.0, where is support in oidc connector
( https://github.com/dexidp/dex/pull/1634 ) included.
It is working ok with 2.25.0 .
Thanks !
is this issue resolved then?
Most helpful comment
Looks strange. On my test stand, using provided dex settings for auth0 provider, logs look like:
The only difference I made was in the auth0 rule.
It leaves us two possible reasons:
quay.io/dexidp/dex:v2.25.0).auth0configuration (rules, settings, etc), but I don't understand why the preferred_username claim is empty in this case.