Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-64

openid use claim as groups


      1. Proposed title of this feature request
      openid use claim as groups

      2. What is the nature and description of the request?
      kubernetes support the --oidc-groups-claim [1] parameter: JWT claim to use as the user’s group. If the claim is present it must be an array of strings.

      From doc [2] we can specify a custom claim, and I am interested if we allow the same feature as the GroupClaims:
      if specified, causes the OIDCAuthenticator to try to populate the user's, groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value must be a string or list of strings.

      So It would be possible to add in the master-config.yaml in apiServerArguments section :


      • role

        to benefit from kubernetes --oidc-groups-claim [1] parameter and have the user group automatically populated.
        If so, it would become not mandatory to have a separate process to synchronize groups with our Active Directory

      [1] https://v1-11.docs.kubernetes.io/docs/reference/access-authn-authz/authentication/
      [2] https://docs.openshift.com/container-platform/3.11/install_config/configuring_authentication.html#OpenID

      3. Why does the customer need this? (List the business requirements here)
      We want to centralized in our ADFS the manner how the groups/roles are retrieved for a user, and provide them in the JWT token as claims.
      It offers better abstraction, instead of asking directly to on specific Active Directory.

            anachand Anandnatraj Chandramohan (Inactive)
            rhn-support-maupadhy Madhusudan Upadhyay
            37 Vote for this issue
            47 Start watching this issue