
Configurable USERID_CLAIM of AuthService to control header's value #99

Closed
kimwnasptd opened this issue Aug 4, 2023 · 3 comments · Fixed by #109
Comments

@kimwnasptd
Contributor

kimwnasptd commented Aug 4, 2023

Right now AuthService puts the value of the email claim of the ID_Token it gets from the OIDC Provider into the kubeflow-userid header.

We've seen cases where users might need to use a different claim (i.e. the name) from the id_token as the user identifier. This can be configured in the upstream AuthService app by setting the USERID_CLAIM env variable.

To handle these use cases we should allow users to use juju config to modify this env var.

@kimwnasptd
Contributor Author

Some more context also on the AuthService's code flow:

  1. When AuthService first authenticates, it stores in a session the userID, id_token and other info https://github.com/arrikto/oidc-authservice/blob/0c4ea9aa5e962c7f946c1acb65cfae3b0f604817/server.go#L418-L422
  2. Once it gets a request it will check if it's authenticated https://github.com/arrikto/oidc-authservice/blob/0c4ea9aa5e962c7f946c1acb65cfae3b0f604817/server.go#L74
  3. The session authenticator (non K8s SA token case) will return the stored userID https://github.com/arrikto/oidc-authservice/blob/0c4ea9aa5e962c7f946c1acb65cfae3b0f604817/authenticators/session.go#L107
  4. The AuthService will set this userID to the header https://github.com/arrikto/oidc-authservice/blob/0c4ea9aa5e962c7f946c1acb65cfae3b0f604817/server.go#L103
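
As an added illustration of the flow above (not the project's code), the Go sketch below shows how a configurable USERID_CLAIM selects the header value, and why a session that already stores a userID keeps the old value until it is recreated. The Claims and Session types, the function names and the sample claims are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// Claims holds the decoded id_token claims (a constructed sample is used in main).
type Claims map[string]interface{}

// UserIDFromClaims selects the claim named by USERID_CLAIM; missing or empty
// claims are rejected so the header never carries a blank identity.
func UserIDFromClaims(claims Claims, useridClaim string) (string, error) {
	raw, ok := claims[useridClaim]
	if !ok {
		return "", fmt.Errorf("id_token has no %q claim", useridClaim)
	}
	id, ok := raw.(string)
	if !ok || id == "" {
		return "", fmt.Errorf("claim %q is not a non-empty string", useridClaim)
	}
	return id, nil
}

type Session struct{ UserID string } // stands in for the store written at step 1

// Authenticate reuses a stored UserID (step 3) and derives it from the claims only
// on first login, which is why a USERID_CLAIM change needs the session recreated.
func Authenticate(sess *Session, claims Claims, useridClaim string) (string, error) {
	if sess.UserID != "" {
		return sess.UserID, nil
	}
	uid, err := UserIDFromClaims(claims, useridClaim)
	if err != nil {
		return "", err
	}
	sess.UserID = uid
	return uid, nil
}

// SetUserIDHeader writes the resolved ID to the downstream header (step 4).
func SetUserIDHeader(h http.Header, userID string) { h.Set("kubeflow-userid", userID) }

func main() {
	claims := Claims{"email": "alice@example.com", "name": "alice"} // constructed
	h := http.Header{}
	uid, _ := Authenticate(&Session{}, claims, "name") // USERID_CLAIM=name
	SetUserIDHeader(h, uid)
	fmt.Println(h.Get("kubeflow-userid")) // alice
}
```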

@NohaIhab
Contributor

NohaIhab commented Sep 11, 2023

Added a config for this option in #109.
In the case that a CKF user has already logged in for the first time, for this change to take effect after changing the config, CKF users can do one of the following:

  1. delete the oidc pod so that it restarts and logs out all users from the authentication provider (dex)
  2. log out the current user, delete the cookie in the browser, and log in again. From this point, the change will be effective for other users as well.

This process should be part of the CKF documentation.
This comment is a brief summary to base the documentation on.

@Barteus

Barteus commented Sep 18, 2023

With the above configuration, there is an issue when adding a new collaborator to the namespace in the Kubeflow Dashboard. It is not possible because the UI requires that the user is added via email.
