# ory-network
s
Hi, I've got an application which is using OAuth2 to authorize. I'm requesting name, email and group as claims. On the Ory side I've configured the proper data mapping within the social connector for Gmail and also created a proper identity. Within my identity I can see that the raw data is set properly (email, group and name were set properly). When trying to log in to the application the first time (consent screen was shown), I can log in. So it seems that the mail was set properly. The name and the group were missing. At the second try to log in (when I checked the remember setting on the consent screen) on the same app, even the mail wasn't provided. Do I miss some configuration for mapping the group and the name to be provided when requesting these claims?
m
Within my identity I can see that the raw data is set properly (email, group and name were set properly).
It seems the data is mapping correctly. Can you share your Jsonnet for mapping the data and maybe a redacted example identity from your setup?
The name and the group were missing.
What do you mean by that, missing from where? I thought it already got added to the identity in the OIDC step?
s
Hi Vincent, that's my Jsonnet:
local claims = {
  email_verified: false,
  group: 'admin'
} + std.extVar('claims');
{
  identity: {
    traits: {
      name: claims.name,
      group: claims.group,
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
The raw data:
{
  "email": "my@mail.address",
  "group": "admin",
  "name": "My Name"
}
What I mean with "there is no name or group": if I try to log in and I haven't approved the consent, I can log in, but name and group aren't set. The app didn't find the claims in the response. It shows the provided claims in the logs, and there is no group or name.
m
You are integrating Google OIDC right? What scopes did you set for it? https://developers.google.com/identity/protocols/oauth2/scopes
s
No, it's GitHub. The scopes are user:email and read:org
m
I think you need different scopes for the name and group. group is org?
s
No, group is statically set in the data mapping. Email and name are provided by user:email as of the sources of your GitHub implementation. I think this works. The identity is provided with the proper information as I can see. The problem must be later, when giving the claims from Ory to my apps.
I've had a further look into it. Within the reply of the /oauth/token endpoint I only get the email: and the email_validated: claims, not the ones for group and name. Is there some kind of configuration to map the traits to the requested claims? I haven't found anything.
The returned id_token contains:
{
  "amr": [
    "oidc"
  ],
  "at_hash": "<redacted>",
  "aud": [
    "<redacted>"
  ],
  "auth_time": 1671446424,
  "email": "my@mail.address",
  "email_verified": true,
  "exp": 1671695459,
  "iat": 1671691859,
  "iss": "https://<redacted>",
  "jti": "<redacted>",
  "nonce": "<redacted>",
  "rat": <redacted>,
  "sid": "<redacted>",
  "sub": "<redacted>"
}
But I would expect something like:
{
  ...
  "email": "my@mail.address",
  "email_verified": true,
  "group": "<group>",
  "name": "My Name",
  ...
}
I've read this post https://community.ory.sh/t/role-as-claims-in-id-token/2359/5 where another user was trying to achieve this. There was only a hint to use Oathkeeper and no further answers. But that's not what I wanted to do. I have several applications which do the authorization based on the information provided by the OAuth authentication. As such, Oathkeeper would allow access to the apps, but I would have to change all these apps, which are third-party apps (Harbor, pgAdmin, ArgoCD, Kiali, etc.). I think the impact of changing them is much more than I would like to do for a seamless integration. Actually I've planned to replace Dex with Ory because I would like to centralize most of the authentication in Ory; replacing Dex was a first (and I thought small) step, but it has taken me days for a simple task. Harbor, for example, relies on a claim for identification of admins (which was in my case group), but that seems a huge burden. 😞 So, if it's not possible to do this right now, please let me know, so I can stop further investigations.
m
Are your apps browser or native? The user is authenticating at the app and then gets authorizations through data in the identity schema, did I get that right? Something like
"metadata_admin": {
  "groups": {
    "type": "string",
    "title": "Group",
    "default": "base"
  }
}
The basis is basically this model: https://www.ory.sh/docs/security-model It would help to know more about your apps in order to say if this is possible. The integration is with, let's say, ArgoCD as an example, like so: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider ?
s
As of now, I can say that all three applications (ArgoCD, Harbor and pgAdmin4) behave the same: they can't get the "group" claim. They're not SPAs; their backends do the authentication stuff. 🙂 I've also tried to have a look into the authentication with Postman. And it's also showing that there is no "group" claim/scope in the id_token, where all of them expect to see it. How can I get the "group" into the id_token? I don't think that's an unusual use case.
All of the applications are browser-based. They're not SPAs; the authentication is handled by their backends.
After a few further hours investigating how this can be achieved, I'll give up and go back to Dex. For the other apps Ory might be a way to go, but this I'll check when it's time. Thanks for your help.