OpenShift GitOps / GITOPS-5812

fix: Override sub with federated_claims.user_id when dex is used

      Previously, ArgoCD relied solely on the `sub` claim, which could be non-deterministic when using Dex, causing RBAC policies to fail unexpectedly.

      With this update, ArgoCD now checks for user identification in the following order:
      1. First checks `federated_claims.user_id` when Dex is the identity provider
      2. Falls back to `sub` claim if federated claims are not available or empty

      This change allows RBAC policies to work with actual user identifiers (like email addresses) rather than encoded values.

      # Old way - using encoded sub value
      g, ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ, role:admin

      # New way - using actual user identifier
      g, user@example.com, role:admin
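The lookup order described in the release note, as an added example written for this ticket (it is not Argo CD's code and does not reproduce its API): a resolver that takes decoded token claims, prefers `federated_claims.user_id` when Dex is the identity provider, falls back to `sub` when the federated claim is absent or empty, and a minimal reader for `g, <subject>, <role>` policy lines so the resolved identifier can be matched against the RBAC CSV. The `Claims` type, the `dexEnabled` flag, the sample claims and the policy text are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims is a decoded, signature-verified JWT claim set as a generic map
// (constructed type for this example; real OIDC libraries return a similar shape).
type Claims map[string]any

// ResolveUserID returns the identifier that RBAC policy lines should be
// matched against. When Dex is the identity provider it prefers
// federated_claims.user_id; if that claim is missing or empty it falls back
// to sub. A token with neither is rejected rather than mapped to "".
func ResolveUserID(claims Claims, dexEnabled bool) (string, error) {
	if dexEnabled {
		if fc, ok := claims["federated_claims"].(map[string]any); ok {
			if uid, ok := fc["user_id"].(string); ok && strings.TrimSpace(uid) != "" {
				return uid, nil
			}
		}
	}
	sub, ok := claims["sub"].(string)
	if !ok || strings.TrimSpace(sub) == "" {
		return "", errors.New("token carries neither federated_claims.user_id nor sub")
	}
	return sub, nil
}

// ParsePolicy reads "g, <subject>, <role>" lines of an RBAC policy CSV into a
// subject -> roles map. Blank lines, "#" comments and non-"g" lines are skipped.
func ParsePolicy(csv string) map[string][]string {
	roles := map[string][]string{}
	for _, line := range strings.Split(csv, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.Split(line, ",")
		if len(parts) != 3 || strings.TrimSpace(parts[0]) != "g" {
			continue
		}
		subj, role := strings.TrimSpace(parts[1]), strings.TrimSpace(parts[2])
		roles[subj] = append(roles[subj], role)
	}
	return roles
}

// HasRole reports whether the resolved user is granted role by the policy.
func HasRole(policy map[string][]string, user, role string) bool {
	for _, r := range policy[user] {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims: an opaque sub plus the federated claim Dex adds.
	claims := Claims{
		"sub": "constructed-opaque-sub-value",
		"federated_claims": map[string]any{
			"connector_id": "ldap",
			"user_id":      "user@example.com",
		},
	}
	// Constructed policy written the "new way", against the real identifier.
	policy := ParsePolicy("# constructed policy\ng, user@example.com, role:admin\n")

	for _, dex := range []bool{true, false} {
		uid, err := ResolveUserID(claims, dex)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("dex=%v resolved=%q admin=%v\n", dex, uid, HasRole(policy, uid, "role:admin"))
	}
}
```

With Dex enabled the token resolves to `user@example.com` and matches the policy; with Dex disabled the same token resolves to the opaque `sub`, which the policy line does not name, so the role is not granted. The empty-string check matters: a Dex connector that emits `user_id: ""` must fall through to `sub`, otherwise every such user would share the empty identifier.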
    • GitOps Tangerine - Sprint 3265, GitOps Tangerine - Sprint 3266, GitOps Tangerine - Sprint 3267, GitOps Tangerine - Sprint 3268, GitOps Tangerine - Sprint 3269

      Description of Problem

      Additional Info

      • <Any additional info such as logs, must-gather outputs, etc.>

      Problem Reproduction

      • <How do we reproduce the problem?>

      Reproducibility

      • <Always/Intermittent/Only Once>

      Prerequisites/Environment

      • <OpenShift, managed service (e.g., ROSA, ARO), operators, layered product, and other software versions, build details>

      Steps to Reproduce

      • ...

      Expected Results

      • ...

      Actual Results

      • ...

      Problem Analysis

      • <Completed by engineering team as part of the triage/refinement process>

      Root Cause

      • <What is the root cause of the problem? Or, why is it not a bug?>

      Workaround (If Possible)

      • <Are there any workarounds we can provide to the customers?>

      Fix Approaches

      • <If we decide to fix this bug, how will we do it?>

      Acceptance Criteria

      • ...

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              rh-ee-atali Atif Ali
              rh-ee-atali Atif Ali
              Votes: 0
              Watchers: 2