I'm using an OpenIDIdentityProvider with mappingMethod: claim to authenticate admin users in the OpenShift admin console. I'm using the auth0 service to authenticate users. The admin users are defined in an ansible playbook on deployment, effectively making the admin users hard-coded.
Is it possible to completely manage all admin and developer users using the OpenIDIdentityProvider, a lookup mapping method and adding something like extraScopes: [roles] to pull through the additional authorization roles into the authentication request? That would enable me to completely manage users and roles separately from the ansible playbook. Next level bonus points for managing permissions on the authentication provider side.
The OpenShift documentation is very light on details for authentication / authorization outside of the default mappingMethod: claim.
Below is my identity provider json file for the claim-based mapping method:
{
  "items": [
    {
      "name": "auth0",
      "challenge": false,
      "login": true,
      "mappingMethod": "claim",
      "kind": "OpenIDIdentityProvider",
      "clientID": "supersecretsauce",
      "clientSecret": "extrasupersecretsauce",
      "extraScopes": ["email", "profile"],
      "claims": {
        "id": ["email"],
        "preferredUsername": ["email"],
        "name": ["name"],
        "email": ["email"]
      },
      "urls": {
        "authorize": "https://fancypants.auth0.com/authorize",
        "token": "https://fancypants.auth0.com/oauth/token",
        "userInfo": "https://fancypants.auth0.com/userinfo"
      }
    }
  ]
}
To my simple mind the below would suffice for a working lookup-based mapping method with roles returned by the authentication provider:
{
  "items": [
    {
      "name": "auth0",
      "challenge": false,
      "login": true,
      "mappingMethod": "lookup",
      "kind": "OpenIDIdentityProvider",
      "clientID": "supersecretsauce",
      "clientSecret": "extrasupersecretsauce",
      "extraScopes": ["email", "profile", "roles"],
      "claims": {
        "id": ["email"],
        "preferredUsername": ["email"],
        "name": ["name"],
        "email": ["email"],
        "role": ["roles"]
      },
      "urls": {
        "authorize": "https://fancypants.auth0.com/authorize",
        "token": "https://fancypants.auth0.com/oauth/token",
        "userInfo": "https://fancypants.auth0.com/userinfo"
      }
    }
  ]
}
An example of a functional role value would be cluster-admin.
Upvotes: 0
OpenID can only be used for authentication. You are attempting to use it for both authentication and authorization. This is not possible as roles and bindings are managed by OpenShift - they cannot be delegated to an external service.
Upvotes: 1
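To make the answer concrete, the following added example (not from either poster, and not OpenShift's own code) walks the question's lookup-mapping config against a constructed auth0 token payload. It assumes OpenShift 3.x semantics: the OpenID provider maps only the claim keys id, preferredUsername, name and email; an Identity object is named <provider>:<id claim>; and with mappingMethod lookup the User, Identity and UserIdentityMapping must already exist, since nothing is auto-provisioned.

```python
# Constructed copy of the lookup-mapping provider from the question (secrets and URLs omitted).
PROVIDER = {
    "name": "auth0",
    "mappingMethod": "lookup",
    "kind": "OpenIDIdentityProvider",
    "extraScopes": ["email", "profile", "roles"],
    "claims": {
        "id": ["email"],
        "preferredUsername": ["email"],
        "name": ["name"],
        "email": ["email"],
        "role": ["roles"],  # not a claim key the provider knows about
    },
}

# Claim keys the OpenShift 3.x OpenID identity provider actually maps (assumption stated above).
SUPPORTED_CLAIM_KEYS = {"id", "preferredUsername", "name", "email"}

# Constructed ID token / userinfo payload of the shape auth0 might return.
TOKEN_CLAIMS = {
    "sub": "auth0|abc123",
    "email": "alice@example.com",
    "name": "Alice Example",
    "roles": ["cluster-admin"],
}


def first_claim(token, candidates):
    """Return the first listed claim that is present and non-empty in the token."""
    for key in candidates:
        if token.get(key):
            return token[key]
    return None


def resolve_identity(provider, token):
    """Report which objects a lookup-mapped login needs to exist and which claims are dropped."""
    claims = provider["claims"]
    provider_user_id = first_claim(token, claims["id"])
    if provider_user_id is None:
        raise ValueError("no id claim present; the login would be rejected")
    username = first_claim(token, claims.get("preferredUsername", [])) or provider_user_id
    identity = f"{provider['name']}:{provider_user_id}"  # Identity object name
    ignored = sorted(set(claims) - SUPPORTED_CLAIM_KEYS)  # silently not mapped
    dropped_roles = []
    for key in ignored:
        value = token.get(claims[key][0], [])
        dropped_roles.extend([value] if isinstance(value, str) else value)
    return {
        "user": username,
        "identity": identity,
        "ignored_claim_keys": ignored,
        "dropped_roles": dropped_roles,  # never turned into RBAC bindings by the IdP
        # With mappingMethod lookup an admin must pre-create these objects.
        "oc_commands": [
            f"oc create user {username}",
            f"oc create identity {identity}",
            f"oc create useridentitymapping {identity} {username}",
        ],
    }
```

Running resolve_identity(PROVIDER, TOKEN_CLAIMS) shows the role claim ending up in dropped_roles: the cluster-admin grant still has to be a ClusterRoleBinding created on the OpenShift side.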