
CODER_OIDC_GROUP sync working, but CODER_OIDC_ROLE is not #13110

Status: Open
Labels: security, Area: security, waiting-for-info (The issue creator is asked to provide more information.)
Author: @hh

Description

When using Authentik as an SSO source, group mapping is working, but role mapping is not.

The "CoderAdmins" group gets created, and "authentik Admins" are added to that group.

However, the same users are not set with the "owner" role in Coder.

Here is the mapping configuration for both:

```
kubectl -n coder get configmap coder-config -o yaml | yq .data | grep -A1 GROUP\\\|ROLE
CODER_OIDC_GROUP_AUTO_CREATE: "true"
CODER_OIDC_GROUP_FIELD: groups
CODER_OIDC_GROUP_MAPPING: |
  {"authentik Admins": "CoderAdmins"}
CODER_OIDC_GROUP_REGEX_FILTER: ^Coder.*$
--
CODER_OIDC_ROLE_FIELD: groups
CODER_OIDC_SCOPES: openid,profile,email,groups
--
CODER_OIDC_USER_ROLE_MAPPING: |
  {"authentik Admins": ["owner"]}
```

I started debugging according to the docs:

https://coder.com/docs/v2/latest/admin/auth#troubleshooting-grouprole-sync

Trying to visit the debug link (https://coder.sharing.io/api/v2/debug/hh/debug-link) after logging in gets me the following. It's possible that I'm misunderstanding the URL I should visit, or that it should be hit via a curl command with authentication included.

```
{"message":"Resource not found or you do not have access to this resource"}
```

Here are the logs:

```
2024-04-30 12:25:14.258 [warn]  coderd: requester is not authorized to access the object  internal_error=<nil>  request_id=d7435087-fa35-463f-901c-9468daeb3a63  roles="[member organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4]"  actor_id=050793c9-6f0b-46cd-94be-6651ca4f3e78  actor_name={"FriendlyName":"hh","ID":"050793c9-6f0b-46cd-94be-6651ca4f3e78","Roles":["member","organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4"],"Groups":["c97cef0b-4c84-4202-91f1-f17ebd5ab9d1"],"Scope":"all"}  scope=all  route=/api/v2/deployment/stats  action=read  object={"id":"","owner":"","org_owner":"","type":"deployment_stats","acl_user_list":null,"acl_group_list":null}
2024-04-30 12:27:40.884 [debu]  coderd.userauth: got oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  source=id_token  claim_fields="[acr aud auth_time email email_verified exp given_name groups iat iss name nickname preferred_username sub ]"  blank=[]
2024-04-30 12:27:41.000 [debu]  coderd.userauth: got oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  source=userinfo  claim_fields="[email email_verified given_name groups name nickname preferred_username sub]"  blank=[]
2024-04-30 12:27:41.000 [debu]  coderd.userauth: got oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  source=merged  claim_fields="[acr aud auth_time email email_verified exp given_name groups iat iss name nickname preferred_username sub]"  blank=[]
2024-04-30 12:27:41.000 [debu]  coderd: groups returned in oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  email=hh@ii.coop  username=hh  len=1  groups="[authentik Admins]"
2024-04-30 12:27:41.033 [info]  coderd: audit_log  ID=8be576c2-12b3-49d8-b2df-ade7604bc2fc  Time="2024-04-30T12:27:41.030819Z"  UserID=050793c9-6f0b-46cd-94be-6651ca4f3e78  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=10.244.0.9  UserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"  ResourceType=api_key  ResourceID=050793c9-6f0b-46cd-94be-6651ca4f3e78  ResourceTarget=""  Action=login  Diff="{}"  StatusCode=307  AdditionalFields="{}"  RequestID=701a1e95-13b5-454a-b81c-233c1310296d  ResourceIcon=""  actor="&{ID:050793c9-6f0b-46cd-94be-6651ca4f3e78 Email:hh@ii.coop Username:hh}"
```

I suspect this may be why we are having an error, but I'm not sure what API Coder is having trouble accessing here... authentik?

```
2024-04-30 12:27:41.930 [warn]  coderd: requester is not authorized to access the object  internal_error=<nil>  request_id=23e6af63-24bc-4e07-afd9-2dc4d9858a60  roles="[member organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4]"  actor_id=050793c9-6f0b-46cd-94be-6651ca4f3e78  actor_name={"FriendlyName":"hh","ID":"050793c9-6f0b-46cd-94be-6651ca4f3e78","Roles":["member","organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4"],"Groups":["c97cef0b-4c84-4202-91f1-f17ebd5ab9d1"],"Scope":"all"}  scope=all  route=/api/v2/deployment/stats  action=read  object={"id":"","owner":"","org_owner":"","type":"deployment_stats","acl_user_list":null,"acl_group_list":null}
```
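To make the expected outcome of the quoted settings concrete, here is an added Go example. It is not Coder's code and not from the issue author: it applies the CODER_OIDC_GROUP_* and CODER_OIDC_*ROLE* values from the configmap to a claim set constructed from the "groups returned in oidc claims" log line, then compares the roles that mapping should produce with the roles the server actually logged for the actor. The `SyncConfig`/`Claims` types and function names are this example's own, and applying the regex filter to the mapped group name (rather than the raw IdP name) is an assumption; it is the only order consistent with the issue, since "authentik Admins" does not match `^Coder.*$` yet "CoderAdmins" was created.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// SyncConfig holds the subset of CODER_OIDC_* settings quoted in the issue.
// Field and type names are this example's own, not Coder's internal types.
type SyncConfig struct {
	GroupField      string              // CODER_OIDC_GROUP_FIELD
	GroupMapping    map[string]string   // CODER_OIDC_GROUP_MAPPING: IdP group -> Coder group
	GroupRegex      *regexp.Regexp      // CODER_OIDC_GROUP_REGEX_FILTER; nil means no filter
	RoleField       string              // CODER_OIDC_ROLE_FIELD
	UserRoleMapping map[string][]string // CODER_OIDC_USER_ROLE_MAPPING: IdP value -> Coder roles
}

// Claims is a decoded OIDC claim set (ID token merged with userinfo).
type Claims map[string]interface{}

// IssueConfig reproduces the configmap values from the issue.
func IssueConfig() SyncConfig {
	var groupMap map[string]string
	var roleMap map[string][]string
	// The two JSON documents are the CODER_OIDC_*_MAPPING values quoted above.
	_ = json.Unmarshal([]byte(`{"authentik Admins": "CoderAdmins"}`), &groupMap)
	_ = json.Unmarshal([]byte(`{"authentik Admins": ["owner"]}`), &roleMap)
	return SyncConfig{
		GroupField:      "groups",
		GroupMapping:    groupMap,
		GroupRegex:      regexp.MustCompile(`^Coder.*$`),
		RoleField:       "groups",
		UserRoleMapping: roleMap,
	}
}

// IssueClaims is a constructed claim set matching the "groups returned in oidc claims" log line.
func IssueClaims() Claims {
	return Claims{"email": "hh@ii.coop", "groups": []interface{}{"authentik Admins"}}
}

// claimStrings reads a claim that may be a JSON array of strings or a single string.
func claimStrings(c Claims, field string) []string {
	switch v := c[field].(type) {
	case string:
		return []string{v}
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, x := range v {
			if s, ok := x.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// ExpectedGroups maps each IdP group name, then applies the regex filter to the mapped
// name (assumed order, see the lead-in). Unmapped names that fail the filter are dropped.
func ExpectedGroups(cfg SyncConfig, c Claims) []string {
	var out []string
	for _, g := range claimStrings(c, cfg.GroupField) {
		if mapped, ok := cfg.GroupMapping[g]; ok {
			g = mapped
		}
		if cfg.GroupRegex != nil && !cfg.GroupRegex.MatchString(g) {
			continue
		}
		out = append(out, g)
	}
	return out
}

// ExpectedRoles reads the role claim and maps each value through the user-role mapping.
// Values with no mapping grant nothing: only an explicitly mapped IdP group can yield a role.
func ExpectedRoles(cfg SyncConfig, c Claims) []string {
	seen := map[string]bool{}
	var out []string
	for _, v := range claimStrings(c, cfg.RoleField) {
		for _, r := range cfg.UserRoleMapping[v] {
			if !seen[r] {
				seen[r] = true
				out = append(out, r)
			}
		}
	}
	return out
}

// MissingRoles returns expected roles absent from the roles the server logged for the actor.
func MissingRoles(expected, actual []string) []string {
	have := map[string]bool{}
	for _, r := range actual {
		have[r] = true
	}
	var missing []string
	for _, r := range expected {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

func main() {
	cfg, c := IssueConfig(), IssueClaims()
	// Roles copied from the "requester is not authorized" log line in the issue.
	logged := []string{"member", "organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4"}
	fmt.Println("expected groups:", ExpectedGroups(cfg, c))
	fmt.Println("expected roles: ", ExpectedRoles(cfg, c))
	fmt.Println("missing roles:  ", MissingRoles(ExpectedRoles(cfg, c), logged))
}
```

Run as-is, the mapping yields the group "CoderAdmins" and the role "owner", while the logged roles contain only member and organization-member, so "owner" is reported missing; that matches what the issue describes and isolates the gap to role sync rather than claim delivery (the groups claim clearly arrives). Two points worth keeping in mind when reading the result: an IdP group that is neither mapped nor matched grants nothing, which is the safe default, and mapping an IdP group to "owner" makes membership of that IdP group equivalent to full administrative control of the deployment, so that group should be as tightly controlled as the Coder admin accounts themselves.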
