OpenShift Request For Enhancement: RFE-64

openid use claim as groups

    Description

      1. Proposed title of this feature request
      openid use claim as groups

      2. What is the nature and description of the request?
      Kubernetes supports the --oidc-groups-claim [1] parameter: the JWT claim to use as the user's group. If the claim is present, it must be an array of strings.

      From doc [2], we can specify a custom claim, and I am interested in whether we allow the same feature as the GroupsClaim:
      if specified, causes the OIDCAuthenticator to try to populate the user's groups with an ID Token field. If the GroupsClaim field is present in an ID Token, the value must be a string or list of strings.

      So it would be possible to add, in the apiServerArguments section of master-config.yaml:

      oidc-groups-claim:
      - role

      to benefit from the Kubernetes --oidc-groups-claim [1] parameter and have the user's groups populated automatically.
      If so, a separate process to synchronize groups with our Active Directory would no longer be mandatory.

      [1] https://v1-11.docs.kubernetes.io/docs/reference/access-authn-authz/authentication/
      [2] https://docs.openshift.com/container-platform/3.11/install_config/configuring_authentication.html#OpenID
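      The following is an added example, not code from this RFE, from OpenShift or from Kubernetes. It shows in Python what a --oidc-groups-claim style mapping has to do: verify the ID token first (signature, alg, issuer, audience, expiry), then read the configured claim ("role" here, as proposed above) and accept either a single string or a list of strings, rejecting anything else, which is the rule the quoted GroupsClaim documentation states. The issuer, audience, secret and HS256 signing are constructed demo values so the example runs offline; a real API server verifies RS256 signatures against the provider's JWKS keys instead of a shared secret.

```python
"""Groups-from-claim mapping for an OIDC ID token (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo values: not a real issuer, client id or secret.
ISSUER = "https://adfs.example.test/adfs"
AUDIENCE = "openshift-demo-client"
SECRET = b"demo-shared-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 ID token; this stands in for the identity provider (ADFS)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check signature, alg, iss, aud and exp; return the claims only if all pass."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def groups_from_claims(claims: dict, groups_claim: str = "role") -> List[str]:
    """Apply the GroupsClaim rule: absent -> no groups; string -> [string];
    list of strings -> that list; any other shape -> reject the token."""
    value = claims.get(groups_claim)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return list(value)
    raise ValueError(f"claim {groups_claim!r} must be a string or list of strings")


def groups_for_token(token: str, groups_claim: str = "role", now: Optional[float] = None) -> List[str]:
    """Verified token in, Kubernetes-style group list out."""
    return groups_from_claims(verify_id_token(token, now=now), groups_claim)


if __name__ == "__main__":
    demo = make_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                          "exp": int(time.time()) + 300, "role": ["ocp-admins", "dev"]})
    print(groups_for_token(demo))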

      3. Why does the customer need this? (List the business requirements here)
      We want to centralize in our ADFS how the groups/roles are retrieved for a user, and provide them in the JWT token as claims.
      It offers better abstraction than querying one specific Active Directory directly.

      People
        anachand Anandnatraj Chandramohan (Inactive)
        rhn-support-maupadhy Madhusudan Upadhyay
      Votes: 37
      Watchers: 47