with LDAP connect, cant get group info from token #744

Closed
keyolk opened this issue Dec 15, 2016 · 10 comments
Comments

keyolk commented Dec 15, 2016

Hi, I'm trying to use dex for k8s authn/authz.
I use the LDAP connector with the image and configuration below.

Below is the Docker image I use:
image: quay.io/coreos/dex:v2.0.0-beta.1

Below is my LDAP connector configuration:

- type: ldap
  id: ldap
  config:
    host: openldap.kube-system.svc.cluster.io:389
    insecureNoSSL: true
    bindDN: cn=admin,dc=local,dc=io
    bindPW: admin
    userSearch:
      baseDN: ou=users,dc=local,dc=io
      filter: "(objectClass=posixAccount)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: uid
    groupSearch:
      baseDN: ou=groups,dc=example,dc=com
      filter: "(objectClass=posixGroup)"
      userAttr: uid
      groupAttr: memberUid
      nameAttr: cn

From the above,
I can get a token using the example-app,
but the claims don't have any group information.

Claims:

{
  "iss": "https://kube-1.local.io:30443",
  "sub": "keyolk",
  "aud": "example-app",
  "exp": 1481884152,
  "iat": 1481797752,
  "email": "keyolk@gmail.com",
  "email_verified": false,
  "name": "keyolk"
}

I can get the entry from an LDAP client.

# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3

version: 1

# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct

Can anyone tell me what more I have to check?
I saw the issue below, but can't understand it...
#536

Or is it related to example-app?

Below are the logs from example-app:

{
  "issuer": "https://kube-1.local.io:30443",
  "authorization_endpoint": "https://kube-1.local.io:30443/auth",
  "token_endpoint": "https://kube-1.local.io:30443/token",
  "jwks_uri": "https://kube-1.local.io:30443/keys",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}
ericchiang (Contributor) commented

I think you're missing the extra "groups" scope.

keyolk (Author) commented Dec 15, 2016

@ericchiang Thanks for the reply,
but what does "missing the extra "groups" scope" mean?
Where?

I can get a group matching the given uid:

# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3

version: 1

# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct

ericchiang (Contributor) commented

OAuth2 scopes: https://tools.ietf.org/html/rfc6749#section-4.1.1

The example app has an "additional scopes" field you can type "groups" into.
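As an added illustration of the point above (this is not code from dex or its example app), the block below shows the two halves of the problem from the client side: building the authorization request so that it actually asks dex for the "groups" scope, and inspecting the ID token that comes back to see whether a groups claim is present. It reuses the issuer, client id and redirect URI from the config in this thread, and the ID token posted later in the thread (issued without the groups scope); the claim names are the ones dex returned above plus dex's "groups" claim. UnverifiedClaims deliberately skips signature verification, which is fine for a debugging view but never acceptable in a relying party, which must verify against the issuer's jwks_uri first.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// IDTokenClaims holds the dex ID token claims relevant to this thread.
// Groups is only populated when the client requested the "groups" scope.
type IDTokenClaims struct {
	Issuer        string   `json:"iss"`
	Subject       string   `json:"sub"`
	Audience      string   `json:"aud"`
	Email         string   `json:"email"`
	EmailVerified bool     `json:"email_verified"`
	Name          string   `json:"name"`
	Groups        []string `json:"groups"`
}

// AuthCodeURL builds the OAuth2 authorization request for dex's /auth endpoint.
// The "groups" scope is what the example app's "additional scopes" field adds;
// without it dex does not put a groups claim in the ID token.
func AuthCodeURL(issuer, clientID, redirectURI, state string, extraScopes ...string) string {
	scopes := append([]string{"openid", "profile", "email"}, extraScopes...)
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return strings.TrimRight(issuer, "/") + "/auth?" + q.Encode()
}

// UnverifiedClaims decodes the payload segment of a JWT WITHOUT checking the
// signature. Use it only to look at what dex issued while debugging; a relying
// party must verify the signature against jwks_uri before trusting any claim.
func UnverifiedClaims(idToken string) (*IDTokenClaims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// HasGroups reports whether the token carries a non-empty groups claim.
func HasGroups(c *IDTokenClaims) bool { return len(c.Groups) > 0 }

// pageToken is the ID token posted in this issue: signed by dex for the
// example-app client, requested without the "groups" scope.
const pageToken = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ." +
	"eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0MyIsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0." +
	"JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblNp2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ"

func main() {
	// Authorization request with the extra "groups" scope (values from this thread's config).
	fmt.Println(AuthCodeURL("https://kube-1.local.io:30443", "example-app",
		"http://kube-1.local.io:30080/callback", "random-state", "groups"))

	// Inspect the token from the issue: it has sub/email/name but no groups claim.
	c, err := UnverifiedClaims(pageToken)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sub=%s email=%s groups=%v hasGroups=%v\n", c.Subject, c.Email, c.Groups, HasGroups(c))
}
```

Running it prints an /auth URL whose query contains scope=openid+profile+email+groups, and shows the thread's token decoding to sub=keyolk with no groups. Note that requesting the scope only fixes the dex side: when the token is then presented to Kubernetes, kube-apiserver still has to be told which claim carries group names (its --oidc-groups-claim flag), otherwise the groups dex emits are ignored for authorization.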

keyolk (Author) commented Dec 15, 2016

@ericchiang
Oh, I see.

Seems I have to add an additional field to my static client.
Thanks a lot.

I'll close this after checking further.

ericchiang (Contributor) commented

seems I have to add an additional field to my static client.

Can you expand on that?

Ideally we'd like to turn this into a doc requirement. E.g. "document accepted scope" or "example app needs better documentation"

keyolk (Author) commented Dec 15, 2016

@ericchiang
Well... sadly not done yet.
I can't find how I can set the scope in example-app :(
Could you tell me something more?
And how can I enable debug logs on the dex server?

Here are my dex configs:

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
  namespace: kube-system
data:
  config.yaml: |
    issuer: https://kube-1.local.io:30443

    storage:
      type: kubernetes
      config:
        inCluster: true

    web:
      https: 0.0.0.0:443
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key

    connectors:
    - type: oidc
      id: google
      name: Google
      config:
        issuer: https://accounts.google.com
        clientID: $GOOGLE_CLIENT_ID
        clientSecret: $GOOGLE_CLIENT_SECRET
        redirectURI: https://kube-1.local.io:30443/callback
    - type: github
      id: github
      name: GitHub
      config:
        clientID: $GITHUB_CLIENT_ID
        clientSecret: $GITHUB_CLIENT_SECRET
        redirectURI: https://kube-1.local.io:30443/callback
    - type: ldap
      id: ldap
      config:
        host: openldap.kube-system.svc.cluster.io:389
        insecureNoSSL: true
        bindDN: cn=admin,dc=local,dc=io
        bindPW: admin
        userSearch:
          baseDN: ou=users,dc=local,dc=io
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: uid
        groupSearch:
          baseDN: ou=groups,dc=example,dc=com
          filter: "(objectClass=posixGroup)"
          userAttr: uid
          groupAttr: memberUid
          nameAttr: cn

    oauth2:
      skipApprovalScreen: true

    staticClients:
    - id: example-app
      redirectURIs:
        - 'http://kube-1.local.io:30080/callback'
      name: 'Example App'
      secret: ZXhhbXBsZS1hcHAtc2VjcmV0

    enablePasswordDB: true
    staticPasswords:
    - email: "admin@example.com"

And here are my logs from example-app:

2016/12/15 19:44:52 GET /.well-known/openid-configuration HTTP/1.1
Host: kube-1.local.io:30443

2016/12/15 19:44:52 HTTP/1.1 200 OK
Content-Length: 709
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:44:52 GMT

{
  "issuer": "https://kube-1.local.io:30443",
  "authorization_endpoint": "https://kube-1.local.io:30443/auth",
  "token_endpoint": "https://kube-1.local.io:30443/token",
  "jwks_uri": "https://kube-1.local.io:30443/keys",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}
2016/12/15 19:44:52 listening on http://0.0.0.0:80
2016/12/15 19:47:00 POST /token HTTP/1.1
Host: kube-1.local.io:30443
Authorization: Basic ZXhhbXBsZS1hcHA6WlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYw
Content-Type: application/x-www-form-urlencoded

client_id=example-app&code=mut4jfuzrztpbv4r23p2tnufb4&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fkube-1.local.io%3A30080%2Fcallback
2016/12/15 19:47:00 HTTP/1.1 200 OK
Content-Length: 806
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:47:00 GMT

{"access_token":"xmroqflaz72apjsjxea2adreoq","token_type":"bearer","expires_in":86399,"refresh_token":"5pi3my6n3cxnzxwqght76ovcvm","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ.eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0MyIsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0.JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblNp2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ"}
2016/12/15 19:47:00 GET /keys HTTP/1.1
Host: kube-1.local.io:30443

2016/12/15 19:47:00 HTTP/1.1 200 OK
Content-Length: 1032
Cache-Control: max-age=18932, must-revalidate
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:47:00 GMT

{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "34ec10a54ea6aa0fe1445c02ebb0585ab8005b77",
      "alg": "RS256",
      "n": "2aWvVAARbcV0Lxjar_IsCjik5AfSi0Cn5YWpwEsnGSUO0iZwMhmBeuZCmlxAGZ2EABEY9kjCfXEk5VLS4RxgtjGpSwsI7UuOWGbIVrCUhw2qPLC1lxDbBKWuxFE0aHtMMdksJMT_2Axt2MOjWJ4XfJwAwhjtj4WTd5CtFD-29zq3kFb_UCm-BEdYGvq87Kxpi2mC40EA7LqSovcblDn7ZOSVkww0dRmBf1Dp0ubauqeekbATWhoEPowLq5nm-pvpG0plxrsVEn5EqcKBeletWZSyIBmFcpP0PJgjXXI6w60LnkTVv2N5cJ4sKe1OC9ttGgVprZmdOO0XcPSKr2qw6Q",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "a9c07d84a51fa93edfc6cc5c010be12021ebfa78",
      "alg": "RS256",
      "n": "02eb_CvYVuMTeOXe0Vfx30JUIoZtgDud-Zx9QyN1uRDPJFV5gPbiqPKSZdhmAAkKzg7xwLHuKQqSxkAoStvwLHynPdN9qrNoKwwIPZ5ZI50647UhsjrMeN6_uEnghg3K18RSwZKmNYl57nBOG5wkAjk-0XVimPhMYwOw3v6Kx8p4Xqvkdfd3G-yIP1TOCOL27O705Dswo52g6c9EhGHBjnHTyU_dGNqsOH7Dd3xlNmLd3_-DWcsxIkGv76peIfFdo5OZRNoWgp-teg8X99SzUbKmCSkgLnsvykE3DzhBZ8ILgoWxGtzkk2PJZL22bwbxQb-tCCAyXAxKRufqXuDW4Q",
      "e": "AQAB"
    }
  ]
}

Here is the token I get:

Token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ.eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0MyIsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0.JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblNp2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ
Claims:

{
  "iss": "https://kube-1.local.io:30443",
  "sub": "keyolk",
  "aud": "example-app",
  "exp": 1481917620,
  "iat": 1481831220,
  "email": "keyolk@gmail.com",
  "email_verified": true,
  "name": "keyolk"
}
Refresh Token:

5pi3my6n3cxnzxwqght76ovcvm

ericchiang (Contributor) commented

[screenshot from 2016-12-15 13-13-07]

keyolk (Author) commented Dec 15, 2016

@ericchiang
Oh my,
why didn't I see that...

And could you tell me how I can enable more logs?

2016/12/15 21:24:48 Failed to login user: ldap: failed to query groups: ldap: search failed: LDAP Result Code 32 "No Such Object":

Below is my group info in LDAP:

# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3

version: 1

# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct

ericchiang (Contributor) commented

This looks wrong.

          baseDN: ou=groups,dc=example,dc=com

Please review https://github.com/coreos/dex/blob/master/Documentation/ldap-connector.md#example-mapping-a-schema-to-a-search-config
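The error quoted above (LDAP result code 32, No Such Object) is what the server returns when the search base itself does not exist, and here the groupSearch baseDN points at dc=example,dc=com while every other DN in the config lives under dc=local,dc=io. As an added check (not dex code), the block below reproduces the group-lookup filter dex's LDAP connector documentation describes, the configured filter ANDed with (groupAttr=value of the user's userAttr), which is also exactly the filter shown in the LDIF exports in this thread, and lints the two base DNs against each other before rendering an equivalent ldapsearch command you can run by hand. The naming-context comparison (dnSuffix/CheckBaseDNs) is a heuristic made up for this illustration: a directory can legitimately serve several suffixes, but in a setup like this one a mismatch is almost always a typo. EscapeFilter follows RFC 4515 so that a uid containing filter metacharacters cannot rewrite the filter.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupSearch mirrors the groupSearch block of dex's LDAP connector config.
type GroupSearch struct {
	BaseDN    string
	Filter    string
	UserAttr  string
	GroupAttr string
	NameAttr  string
}

// EscapeFilter escapes a value for use inside an LDAP search filter (RFC 4515),
// so an attribute value such as "a)(uid=*" cannot change the filter's meaning.
func EscapeFilter(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// GroupFilter builds the filter dex runs to find a user's groups: the configured
// filter ANDed with (<groupAttr>=<the user's userAttr value>).
func GroupFilter(g GroupSearch, userAttrValue string) string {
	member := fmt.Sprintf("(%s=%s)", g.GroupAttr, EscapeFilter(userAttrValue))
	if g.Filter == "" {
		return member
	}
	return fmt.Sprintf("(&%s%s)", g.Filter, member)
}

// dnSuffix returns the naming context (the dc= components) of a DN, lower-cased
// and with whitespace around commas removed, e.g. "dc=local,dc=io".
func dnSuffix(dn string) string {
	var dcs []string
	for _, rdn := range strings.Split(dn, ",") {
		rdn = strings.ToLower(strings.TrimSpace(rdn))
		if strings.HasPrefix(rdn, "dc=") {
			dcs = append(dcs, rdn)
		}
	}
	return strings.Join(dcs, ",")
}

// CheckBaseDNs is a heuristic lint for the misconfiguration in this issue: a
// groupSearch.baseDN whose naming context differs from userSearch.baseDN, which
// the server answers with result code 32 (No Such Object).
func CheckBaseDNs(userBaseDN, groupBaseDN string) error {
	u, g := dnSuffix(userBaseDN), dnSuffix(groupBaseDN)
	if u != g {
		return fmt.Errorf("groupSearch.baseDN %q is under %q but userSearch.baseDN is under %q: expect LDAP result 32 (No Such Object)", groupBaseDN, g, u)
	}
	return nil
}

// LdapsearchCommand renders an ldapsearch invocation equivalent to dex's group
// query (approximate shell quoting; -W prompts for the bind password instead of
// putting it on the command line).
func LdapsearchCommand(host, bindDN string, g GroupSearch, userAttrValue string) string {
	return fmt.Sprintf("ldapsearch -x -H ldap://%s -D %q -W -b %q %q %s",
		host, bindDN, g.BaseDN, GroupFilter(g, userAttrValue), g.NameAttr)
}

func main() {
	// Values from the config posted in this thread.
	userBaseDN := "ou=users,dc=local,dc=io"
	g := GroupSearch{
		BaseDN:    "ou=groups,dc=example,dc=com",
		Filter:    "(objectClass=posixGroup)",
		UserAttr:  "uid",
		GroupAttr: "memberUid",
		NameAttr:  "cn",
	}
	if err := CheckBaseDNs(userBaseDN, g.BaseDN); err != nil {
		fmt.Println("config check:", err)
	}
	fmt.Println(LdapsearchCommand("openldap.kube-system.svc.cluster.io:389", "cn=admin,dc=local,dc=io", g, "keyolk"))
}
```

With the thread's config the check reports the dc=example,dc=com / dc=local,dc=io mismatch, and the printed ldapsearch uses the filter (&(objectClass=posixGroup)(memberUid=keyolk)); running that against the corrected base ou=groups,dc=local,dc=io should return cn=cnct, the same entry the LDIF exports above show.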

keyolk (Author) commented Dec 15, 2016

@ericchiang
Argh... how silly of me.
Thanks a lot, it works.

@keyolk keyolk closed this as completed Dec 15, 2016