Is your feature request related to a problem? Please describe.
I'd like to configure various applications (Grafana, Dex, …) to allow logging in with your Bornhack login. Most of these applications use OIDC, but it seems the /o/userinfo endpoint doesn't work.
Also, o/applications complains about OIDC_RSA_PRIVATE_KEY not being set, and there's no .well-known/openid-configuration or JWKS endpoint.
Describe the solution you'd like
Have Bornhack website provide OIDC login. Provide .well-known/openid-configuration at the root, so clients can discover the different URLs used. Provide team memberships per bornhack as a custom claim in the userinfo response (probably gated on another scope).
This will make it possible to give people in certain teams certain privileges.
Describe alternatives you've considered
Only use /o/authorize and /o/token, and manually fetch user details from /profile/api/ (this is what wip-pos does do).
This however requires implementing the Bornhack Login format into every application that wants to make use of it, and I don't think I can upstream this into Grafana or Kubernetes.
Additional context
N/A
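As an added illustration of the solution requested above (not code from the Bornhack website or from this issue's author): a userinfo claims builder that releases team memberships only under a dedicated scope, a discovery document whose endpoints are all derived from the issuer, and the sanity check a relying party should run on a fetched discovery document before trusting its endpoints. The scope name `bornhack:teams`, the per-camp team layout, the example user and the `idp.example.org` issuer are assumptions made up for this snippet.

```python
"""Scope-gated OIDC userinfo claims and a discovery-document sanity check.

Added illustration for the feature request; not code from the Bornhack
website. The scope name, team data layout, example user and issuer URL
are assumptions made up for this snippet.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Hypothetical scope that releases team memberships (assumption).
TEAMS_SCOPE = "bornhack:teams"


@dataclass
class User:
    id: int
    email: Optional[str]
    # camp slug -> team slugs the user belongs to (constructed layout)
    teams: Dict[str, List[str]] = field(default_factory=dict)


def build_userinfo(user: User, granted_scopes: Iterable[str]) -> dict:
    """Return the /o/userinfo claims for `user`, releasing each optional
    claim only when the corresponding scope was granted.

    `sub` is always present and must be a stable, non-reassignable
    identifier; the numeric user id is used here. Email is released under
    the standard `email` scope and team memberships only under TEAMS_SCOPE,
    so a client granted nothing but `openid` learns nothing about teams.
    """
    scopes = set(granted_scopes)
    claims = {"sub": str(user.id)}
    if "email" in scopes and user.email:
        claims["email"] = user.email
    if TEAMS_SCOPE in scopes:
        # e.g. {"bornhack-2024": ["bar", "noc"]}; sorted for deterministic output
        claims["teams"] = {camp: sorted(t) for camp, t in sorted(user.teams.items())}
    return claims


def discovery_document(issuer: str) -> dict:
    """Build the openid-configuration for `issuer`, deriving every endpoint
    from the issuer so they cannot drift apart. Paths follow the /o/ prefix
    named in the issue; the exact supported values are an assumption."""
    base = issuer.rstrip("/")
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{base}/o/authorize/",
        "token_endpoint": f"{base}/o/token/",
        "userinfo_endpoint": f"{base}/o/userinfo/",
        "jwks_uri": f"{base}/o/.well-known/jwks.json",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
        "scopes_supported": ["openid", "email", TEAMS_SCOPE],
        "claims_supported": ["sub", "email", "teams"],
    }


REQUIRED_DISCOVERY_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def validate_discovery(doc: dict, expected_issuer: str) -> List[str]:
    """Client-side checks a relying party should run on a fetched discovery
    document. Returns a list of problems (empty means OK): issuer mismatch,
    missing required metadata, or an endpoint that is not https on the
    issuer's own host (a foreign host in a mis-served or tampered document
    would send authorization codes and tokens somewhere else)."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in REQUIRED_DISCOVERY_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    issuer_host = urlsplit(expected_issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != issuer_host:
            problems.append(f"{key} not https on issuer host: {url}")
    return problems


if __name__ == "__main__":
    # Constructed example user and scope sets.
    alice = User(id=42, email="alice@example.org", teams={"bornhack-2024": ["noc", "bar"]})
    print(build_userinfo(alice, ["openid"]))                        # sub only
    print(build_userinfo(alice, ["openid", "email", TEAMS_SCOPE]))  # with email and teams
    doc = discovery_document("https://idp.example.org")
    print(validate_discovery(doc, "https://idp.example.org"))       # []
```

Gating the `teams` claim on its own scope means a Grafana or Dex client that only requested `openid email` cannot enumerate a user's team memberships, and the consent screen tells the user when a client does ask for them; the discovery check is what keeps a client from being pointed at a token endpoint outside the issuer's host.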
I hacked together https://github.com/flokli/dex/tree/bornhack, which implements a custom Dex connector that does do the oauth dance, and then fetches group info from the custom /profile/API/ endpoint and adds it to the group claims.
It synthesizes a fake email derived from the user id, as various applications get angry if there's no email available.