oidc: add verbose logging that displays claim token details #97468
Labels
A-observability-inf
C-enhancement: Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Comments

dhartunian added the C-enhancement and T-observability-inf labels on Feb 22, 2023
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue on Mar 13, 2023:

Previously, matching on ID token claims was not possible if the claim key specified was the "groups" claim because the claim value is a list, not a string. With this change, matching can now occur on this claim in order to add login capabilities to DB Console. It is important to note that this change does NOT offer the user the ability to choose between possible matches; it simply selects the first match to log the user in. This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468
Release note (general change): Increasing the logging verbosity is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue on Mar 14, 2023:

Previously, matching on ID token claims was not possible if the claim key specified had a corresponding value that was a list, not a string. With this change, matching can now occur on claims that are list valued in order to add login capabilities to DB Console. It is important to note that this change does NOT offer the user the ability to choose between possible matches; it simply selects the first match to log the user in. This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468
Release note (general change): Increasing the logging verbosity is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue on Mar 14, 2023, with the same commit message as the previous entry.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue on Mar 15, 2023:

Previously, matching on ID token claims was not possible if the claim key specified had a corresponding value that was a list, not a string. With this change, matching can now occur on claims that are list valued in order to add login capabilities to DB Console. It is important to note that this change does NOT offer the user the ability to choose between possible matches; it simply selects the first match to log the user in. This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468
Release note (enterprise change): The cluster setting `server.oidc_authentication.claim_json_key` for DB Console SSO now accepts list-valued token claims.
Release note (general change): Increasing the logging verbosity is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue on Mar 16, 2023, with the same commit message as the previous entry.
craig bot pushed a commit that referenced this issue on Mar 18, 2023:

98522: ccl/oidcccl: support principal matching on list claims r=dhartunian a=cameronnunez

Previously, matching on ID token claims was not possible if the claim key specified had a corresponding value that was a list, not a string. With this change, matching can now occur on claims that are list valued in order to add login capabilities to DB Console. It is important to note that this change does NOT offer the user the ability to choose between possible matches; it simply selects the first match to log the user in. This change also adds more verbose logging about ID token details.

Epic: none
Fixes: #97301, #97468
Release note (enterprise change): The cluster setting `server.oidc_authentication.claim_json_key` for DB Console SSO now accepts list-valued token claims.
Release note (general change): Increasing the logging verbosity is more helpful with troubleshooting DB Console SSO issues.

98739: sql: simplify V23_1ExternalConnectionsTableHasOwnerIDColumn gating r=adityamaru a=andyyang890

Informs #87079
Release note: None

98892: kvcoord: Use correct timestamp when restarting range r=miretskiy a=miretskiy

Recent changes to rangefeed library (#97957) introduced a silly bug (incorrect code completion/copy paste). Use correct timestamp when resuming range feed.

Issue: None
Epic: None
Release note: None

Co-authored-by: Cameron Nunez <cameron@cockroachlabs.com>
Co-authored-by: Andy Yang <yang@cockroachlabs.com>
Co-authored-by: Yevgeniy Miretskiy <yevgeniy@cockroachlabs.com>
Issue description:

Currently it is not possible to easily debug OIDC tokens in CRDB when attempting to configure SSO for DB Console.

There are two cluster settings that allow for extracting and matching a specific field in the claim token in order to match a SQL user for login.

An operator should be able to inspect the claim token fields via log messages in order to help them decide what cluster settings to use.

Jira issue: CRDB-24718
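The two pieces this thread is about, claim-to-principal matching (including the list-valued claims the merged commits describe, with first-match-wins semantics) and the per-claim detail an operator needs in the log to choose settings, as an added Go example. This is not CockroachDB's own code from the referenced commits: the function names `parseClaims`, `claimValues`, `matchPrincipal` and `describeClaims`, the ID token payload, and the principal regex are all constructed for the example. The setting names mentioned in comments are the real `server.oidc_authentication.claim_json_key` and `server.oidc_authentication.principal_regex`, but their values here are assumptions. The example generalizes the page's "groups" case to any string or list-of-string claim and rejects other JSON types with an error that says why.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// claims is the decoded ID token payload; signature, issuer, audience and expiry are checked before this point.
type claims map[string]interface{}

func parseClaims(payload []byte) (claims, error) {
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.UseNumber() // keep numeric claims such as exp verbatim rather than as float64
	var c claims
	if err := dec.Decode(&c); err != nil {
		return nil, fmt.Errorf("decoding ID token claims: %w", err)
	}
	return c, nil
}

// claimValues returns the candidate strings for one claim: a string claim yields one candidate, a
// list-valued claim such as "groups" yields each string element in IdP order; other types are errors.
func claimValues(c claims, key string) ([]string, error) {
	raw, ok := c[key]
	if !ok {
		return nil, fmt.Errorf("claim %q not present in ID token", key)
	}
	switch v := raw.(type) {
	case string:
		return []string{v}, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for i, el := range v {
			s, ok := el.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q element %d is %T, not a string", key, i, el)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("claim %q is %T; only string or list-of-string claims match", key, raw)
	}
}

// matchPrincipal takes the values of claim_json_key and principal_regex, tries the regex against each
// candidate in order and returns capture group 1 of the first match as the SQL username: first match wins.
func matchPrincipal(claimJSONKey, principalRegex string, c claims) (string, error) {
	re, err := regexp.Compile(principalRegex)
	if err != nil {
		return "", fmt.Errorf("invalid principal regex: %w", err)
	}
	if re.NumSubexp() < 1 {
		return "", fmt.Errorf("principal regex %q needs one capture group", principalRegex)
	}
	vals, err := claimValues(c, claimJSONKey)
	if err != nil {
		return "", err
	}
	for _, v := range vals {
		if m := re.FindStringSubmatch(v); m != nil {
			return m[1], nil
		}
	}
	return "", fmt.Errorf("none of %d value(s) of claim %q matched %q", len(vals), claimJSONKey, principalRegex)
}

// describeClaims renders one line per claim (name, JSON type, value), which is what an operator needs
// to pick claim_json_key and principal_regex. Emit it only at a verbose log level: ID tokens carry PII.
func describeClaims(c claims) []string {
	var lines []string
	for k, v := range c {
		lines = append(lines, fmt.Sprintf("claim %q (%T): %v", k, v, v))
	}
	sort.Strings(lines) // deterministic output; every line starts with the claim name, so this sorts by name
	return lines
}

// constructedIDTokenPayload is a made-up ID token payload for this example.
const constructedIDTokenPayload = `{"iss":"https://idp.example.test","sub":"1234567890",
 "aud":"cockroach-db-console","exp":1700000000,"email":"alice@example.test",
 "groups":["devops","crdb-admin:alice","crdb-admin:svc-backup"]}`

func main() {
	c, err := parseClaims([]byte(constructedIDTokenPayload))
	if err != nil {
		panic(err)
	}
	for _, l := range describeClaims(c) { // what the verbose log lines would show
		fmt.Println("oidc:", l)
	}
	user, err := matchPrincipal("groups", `^crdb-admin:([a-z0-9_-]+)$`, c)
	fmt.Println("matched user:", user, "err:", err)
}
```

Two caveats follow from the first-match rule the commits spell out: with the constructed payload above, `crdb-admin:alice` wins only because the IdP emitted it before `crdb-admin:svc-backup`, so a regex that matches several group entries makes the login identity depend on group ordering, and the regex should be written to match exactly one entry. The claim dump is useful precisely because it shows raw values, which is also why it belongs behind a verbose level rather than in default logging.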