
CODER_OIDC_GROUP sync working, but CODER_OIDC_ROLE is not #13110

Open
@hh

Description


When using Authentik as an SSO source, group mapping is working, but role mapping is not.

The "CoderAdmins" group gets created, and "authentik Admins" are added to that group.

However, the same users are not set with the "owner" role in Coder.

Here is the mapping configuration for both:

kubectl -n coder get configmap coder-config -o yaml | yq .data | grep -A1 GROUP\\\|ROLE
CODER_OIDC_GROUP_AUTO_CREATE: "true"
CODER_OIDC_GROUP_FIELD: groups
CODER_OIDC_GROUP_MAPPING: |
  {"authentik Admins": "CoderAdmins"}
CODER_OIDC_GROUP_REGEX_FILTER: ^Coder.*$
--
CODER_OIDC_ROLE_FIELD: groups
CODER_OIDC_SCOPES: openid,profile,email,groups
--
CODER_OIDC_USER_ROLE_MAPPING: |
  {"authentik Admins": ["owner"]}

I started debugging according to the docs:

https://coder.com/docs/v2/latest/admin/auth#troubleshooting-grouprole-sync

Trying to visit the debug link (https://coder.sharing.io/api/v2/debug/hh/debug-link) after logging in gets me the following. It's possible that I'm misunderstanding the URL I should visit, or that it should be hit via a curl command with authentication included.

{"message":"Resource not found or you do not have access to this resource"}

Here are the logs:

2024-04-30 12:25:14.258 [warn]  coderd: requester is not authorized to access the object  internal_error=<nil>  request_id=d7435087-fa35-463f-901c-9468daeb3a63  roles="[member organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4]"  actor_id=050793c9-6f0b-46cd-94be-6651ca4f3e78  actor_name={"FriendlyName":"hh","ID":"050793c9-6f0b-46cd-94be-6651ca4f3e78","Roles":["member","organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4"],"Groups":["c97cef0b-4c84-4202-91f1-f17ebd5ab9d1"],"Scope":"all"}  scope=all  route=/api/v2/deployment/stats  action=read  object={"id":"","owner":"","org_owner":"","type":"deployment_stats","acl_user_list":null,"acl_group_list":null}
2024-04-30 12:27:40.884 [debu]  coderd.userauth: got oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  source=id_token  claim_fields="[acr aud auth_time email email_verified exp given_name groups iat iss name nickname preferred_username sub]"  blank=[]
2024-04-30 12:27:41.000 [debu]  coderd.userauth: got oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  source=userinfo  claim_fields="[email email_verified given_name groups name nickname preferred_username sub]"  blank=[]
2024-04-30 12:27:41.000 [debu]  coderd.userauth: got oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  source=merged  claim_fields="[acr aud auth_time email email_verified exp given_name groups iat iss name nickname preferred_username sub]"  blank=[]
2024-04-30 12:27:41.000 [debu]  coderd: groups returned in oidc claims  request_id=701a1e95-13b5-454a-b81c-233c1310296d  email=hh@ii.coop  username=hh  len=1  groups="[authentik Admins]"
2024-04-30 12:27:41.033 [info]  coderd: audit_log  ID=8be576c2-12b3-49d8-b2df-ade7604bc2fc  Time="2024-04-30T12:27:41.030819Z"  UserID=050793c9-6f0b-46cd-94be-6651ca4f3e78  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=10.244.0.9  UserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"  ResourceType=api_key  ResourceID=050793c9-6f0b-46cd-94be-6651ca4f3e78  ResourceTarget=""  Action=login  Diff="{}"  StatusCode=307  AdditionalFields="{}"  RequestID=701a1e95-13b5-454a-b81c-233c1310296d  ResourceIcon=""  actor="&{ID:050793c9-6f0b-46cd-94be-6651ca4f3e78 Email:hh@ii.coop Username:hh}"

I suspect this may be why we are having an error, but I'm not sure what API Coder is having trouble accessing here... Authentik?

2024-04-30 12:27:41.930 [warn]  coderd: requester is not authorized to access the object  internal_error=<nil>  request_id=23e6af63-24bc-4e07-afd9-2dc4d9858a60  roles="[member organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4]"  actor_id=050793c9-6f0b-46cd-94be-6651ca4f3e78  actor_name={"FriendlyName":"hh","ID":"050793c9-6f0b-46cd-94be-6651ca4f3e78","Roles":["member","organization-member:e3a7af6a-8a6a-4190-9506-be8792cd52d4"],"Groups":["c97cef0b-4c84-4202-91f1-f17ebd5ab9d1"],"Scope":"all"}  scope=all  route=/api/v2/deployment/stats  action=read  object={"id":"","owner":"","org_owner":"","type":"deployment_stats","acl_user_list":null,"acl_group_list":null}
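The following is an added example and is not part of the issue above nor Coder's own code: a small Python model of the two independent sync pipelines that the configuration in the issue drives, both of which read the same `groups` claim. It assumes that group mapping is applied before the regex filter (consistent with "CoderAdmins" being created from "authentik Admins" under `^Coder.*$`), that role mapping is keyed on the raw claim value rather than the mapped group name, that userinfo claims override id_token claims on merge, and that an unmapped role value is kept only if it names a built-in site role; the claim dicts are constructed from the claim field names in the log and the `KNOWN_SITE_ROLES` set is an assumption of the model.

```python
import json
import re

# Values copied from the configmap dump in the issue above.
GROUP_FIELD = "groups"
ROLE_FIELD = "groups"
GROUP_MAPPING = json.loads('{"authentik Admins": "CoderAdmins"}')
GROUP_REGEX_FILTER = re.compile(r"^Coder.*$")
USER_ROLE_MAPPING = json.loads('{"authentik Admins": ["owner"]}')

# Built-in site roles (assumption of this model: an unmapped claim value can
# only stand as a role if it names one of these).
KNOWN_SITE_ROLES = {"owner", "member", "auditor", "template-admin", "user-admin"}

# Constructed claim sets: field names follow the claim_fields lists in the
# log; only groups, email and preferred_username carry values from the issue.
ID_TOKEN_CLAIMS = {
    "iss": "https://authentik.example",  # placeholder issuer
    "preferred_username": "hh",
    "groups": ["authentik Admins"],
}
USERINFO_CLAIMS = {
    "email": "hh@ii.coop",
    "preferred_username": "hh",
    "groups": ["authentik Admins"],
}


def merge_claims(id_token, userinfo):
    """Model of the 'source=merged' log entry: userinfo values win on
    conflict (assumption; the log only shows the merged field names)."""
    merged = dict(id_token)
    merged.update(userinfo)
    return merged


def _string_values(claims, field):
    """Return the claim as a list of strings; a bare string counts as one item."""
    values = claims.get(field, [])
    if isinstance(values, str):
        values = [values]
    return [v for v in values if isinstance(v, str)]


def sync_groups(claims, field, mapping, regex):
    """Group sync: raw claim value -> mapped name -> regex filter.
    The filter runs on the mapped name, so "authentik Admins" survives as
    "CoderAdmins" under ^Coder.*$ while unmapped names that miss the regex
    are dropped."""
    groups = []
    for raw in _string_values(claims, field):
        name = mapping.get(raw, raw)
        if regex is not None and not regex.match(name):
            continue
        groups.append(name)
    return groups


def sync_roles(claims, field, mapping):
    """Role sync: keyed on the raw claim value only; GROUP_MAPPING is not
    consulted, so a role mapping keyed on "CoderAdmins" never fires.
    An empty list in the mapping means 'explicitly drop'; an unmapped value
    is kept only if it names a built-in site role."""
    roles = []
    for raw in _string_values(claims, field):
        if raw in mapping:
            roles.extend(mapping[raw])
        elif raw in KNOWN_SITE_ROLES:
            roles.append(raw)
    # "member" is implicit for every user, as actor_name.Roles in the log shows.
    if "member" not in roles:
        roles.append("member")
    return roles


def run_sync(id_token=ID_TOKEN_CLAIMS, userinfo=USERINFO_CLAIMS):
    """Run both pipelines over the merged claims and return (groups, roles)."""
    merged = merge_claims(id_token, userinfo)
    return (
        sync_groups(merged, GROUP_FIELD, GROUP_MAPPING, GROUP_REGEX_FILTER),
        sync_roles(merged, ROLE_FIELD, USER_ROLE_MAPPING),
    )


if __name__ == "__main__":
    groups, roles = run_sync()
    print("groups:", groups)  # ['CoderAdmins']
    print("roles: ", roles)   # ['owner', 'member']
    # Mis-keyed role mapping: the mapped group name never reaches role sync.
    merged = merge_claims(ID_TOKEN_CLAIMS, USERINFO_CLAIMS)
    print("mis-keyed:", sync_roles(merged, ROLE_FIELD, {"CoderAdmins": ["owner"]}))  # ['member']
```

Under these assumptions the issue's configuration yields both the `CoderAdmins` group and the `owner` role from the single `authentik Admins` claim value, so the model does not reproduce the reported behaviour; what it does make concrete is the one mis-configuration that silently produces exactly "group works, role does not" (keying `CODER_OIDC_USER_ROLE_MAPPING` on the mapped group name), which is worth ruling out before digging into the debug endpoint.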

Labels: security, Area: security, waiting-for-info (The issue creator is asked to provide more information.)