
OpenID + Dex + Groups restriction

Open nabadger opened this issue 8 years ago • 2 comments

Hi,

We currently run Dex backed by LDAP in our authentication pipeline.

Dex returns ID tokens with group information, which we're already using in our auth-flow (in kubernetes).

{
  "iss": "http://127.0.0.1:5556/dex",
  "sub": "CgcyMzQyNzQ5EgZnaXRodWI",
  "aud": "example-app",
  "exp": 1492882042,
  "iat": 1492795642,
  "at_hash": "bi96gOXZShvlWYtal9Eqiw",
  "email": "[email protected]",
  "email_verified": true,
  "groups": [
    "admins",
    "developers"
  ],
  "name": "Jane Doe"
}

Does oauth2_proxy support any method to check these groups that are returned from Dex, in a similar fashion to the existing --google-group or --gitlab-team options?

I've had a look at the oidc provider but don't see anything to suggest it does.

Thanks

nabadger, Apr 20 '18 07:04

@nabadger You can override the default scopes requested by the providers with the scopes config option, for example scope=openid profile email groups. That will result in group information being included in the ID token issued by dex.

luispollo, Jul 03 '18 16:07

@luispollo I recall this was more about having oauth2-proxy restrict access to the client based on the groups (I do get the group information back from Dex, it's just I can't restrict by it).

nabadger, Jul 07 '18 11:07
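The restriction the thread is asking for, as an added example that is not oauth2_proxy's own code: a function that takes the claims of an ID token the OIDC library has already verified (signature, issuer, audience, expiry) and allows the request only if the token's `groups` claim intersects an operator-supplied allow list. The claims payload below is constructed to mirror the Dex token quoted in the issue; the function name and the semantics of an empty allow list (no restriction configured) are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// idTokenClaims holds the one claim the check inspects.
type idTokenClaims struct {
	Groups []string `json:"groups"`
}

// GroupAllowed reports whether the bearer of an already-verified ID token
// may pass, given the operator's list of permitted groups.
// An empty allowedGroups means no group restriction is configured
// (assumption: mirrors the unset behaviour of the --google-group style flags).
// A token with no groups claim at all is denied whenever a restriction is
// configured, since that usually means the "groups" scope was not requested.
func GroupAllowed(claimsJSON []byte, allowedGroups []string) (bool, error) {
	var c idTokenClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return false, fmt.Errorf("parse claims: %w", err)
	}
	if len(allowedGroups) == 0 {
		return true, nil
	}
	if c.Groups == nil {
		return false, errors.New("id token carries no groups claim; was the groups scope requested?")
	}
	allowed := make(map[string]struct{}, len(allowedGroups))
	for _, g := range allowedGroups {
		allowed[g] = struct{}{}
	}
	for _, g := range c.Groups {
		if _, ok := allowed[g]; ok {
			return true, nil
		}
	}
	return false, nil
}

// constructedClaims is a sample payload modelled on the Dex token in the issue.
const constructedClaims = `{"iss":"http://127.0.0.1:5556/dex","sub":"CgcyMzQyNzQ5EgZnaXRodWI","aud":"example-app","email":"jane.doe@example.com","email_verified":true,"groups":["admins","developers"],"name":"Jane Doe"}`

func main() {
	ok, err := GroupAllowed([]byte(constructedClaims), []string{"developers"})
	fmt.Println(ok, err) // true <nil>
}
```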