Skip to content

chore: add claims to oauth link in db for debug #10827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Nov 27, 2023
Merged

chore: add claims to oauth link in db for debug #10827

merged 8 commits into from
Nov 27, 2023

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Nov 21, 2023
edited
Loading

What this does

Only usable by owners, allows seeing oidc claims for any given oidc authenticated user. No signatures are attached so the token is not usable back to OIDC.

Route: http://localhost:3000/api/v2/debug/{username}/debug-link

Output

{
   "id_token_claims":{
      "amr":[
         "pwd"
      ],
      "aud":"...",
      "exp":1700606769,
      "iat":1700603169,
      "idp":"...",
      "iss":"https://dev.okta.com",
      "jti":"...",
      "sub":"00u5ttx5mxCEiIfWy5d7",
      "ver":1,
      "name":"Steven Masley",
      "email":"...@gmail.com",
      "at_hash":"...",
      "auth_time":1700603154,
      "preferred_username":"Emyrk@github.oktaidp"
   },
   "user_info_claims":{
      "sub":"...",
      "name":"Steven Masley",
      "email":"...@gmail.com",
      "locale":"en_US",
      "approles":[
         "okta-template-admin",
         "okta-user-admin"
      ],
      "zoneinfo":"America/Los_Angeles",
      "given_name":"Steven",
      "family_name":"Masley",
      "email_verified":true,
      "preferred_username":"Emyrk@github.oktaidp"
   }
}

Affects #10819

@Emyrk
Copy link
Member Author

Emyrk commented Nov 21, 2023

@coadler what do you think about this? Feels a bit half baked, but should give a route to provide more context on the claims for any given user. We have had a lot of group/role sync debug sessions that were difficult.

@bpmct
Copy link
Member

bpmct commented Nov 21, 2023

From my perspective, this is great for debugging group sync. I know within a workspace you can sometimes debug the token but I found, even with OIDC, sometimes its not a JWT and you can't hit the userinfo endpoint post-login. Idk if this is because some providers have a weird exchange going on but this is a reliable and quick solution to understand what is being passed from the provider

@Emyrk
Copy link
Member Author

Emyrk commented Nov 21, 2023

From my perspective, this is great for debugging group sync. I know within a workspace you can sometimes debug the token but I found, even with OIDC, sometimes its not a JWT and you can't hit the userinfo endpoint post-login. Idk if this is because some providers have a weird exchange going on but this is a reliable and quick solution to understand what is being passed from the provider

Currently only owners can hit this, it only works if the user does authenticate. I am storing the original claims used for the group/user sync.

@coadler
Copy link
Contributor

coadler commented Nov 21, 2023

Is there anything this stores that we don't output in the logs? Or does it just make the claims easier to access

@Emyrk
Copy link
Member Author

Emyrk commented Nov 21, 2023

Is there anything this stores that we don't output in the logs? Or does it just make the claims easier to access

Yes we only log the claim fields. This outputs the claim values.

I assumed we only logged the claim fieldnames and not the values for some secret reasons or something?

@bpmct
Copy link
Member

bpmct commented Nov 21, 2023
edited
Loading

Is there anything this stores that we don't output in the logs? Or does it just make the claims easier to access

We don't output the claim values through the logs, just the names. We output the specific values for the OIDCS_GROUPS_FIELD if it is an array, but not if it is a string. We found some providers will send the value as a string if there is 1 value but then an array if it is several. Or some provider send a comma-seperated string. Since our product doesn't support all these formats, it's a bit of a chicken-and-egg problem: what is the format then if/how do we support it or can it be mapped on the IDP side or the Coder side.

This is the current issue we're running into

@coadler
Copy link
Contributor

coadler commented Nov 21, 2023

I assumed we only logged the claim fieldnames and not the values for some secret reasons or something?

I originally had it log fields but I think it was removed later on https://github.com/coder/coder/pull/6922/files#diff-0bdad5dd6f860b794a5f97ea3f7be5a74a7ad2a5aadcfcf02e67a63efd4222fdL591

If we're going to make this info exposed to owners either way I think it would be easiest if we just logged them since the security implications seem similar, unless accessing them this way unblocks any customers.

@Emyrk
Copy link
Member Author

Emyrk commented Nov 21, 2023

NOTE: we were previously logging all of the userinfo claims here; this could contain sensitive user information. I modified this to instead log the claim fields, and which of these claim fields are an empty string.

This was the note. Logs are more easily "dumped" somewhere imo. I figured a route that requires a human to hit won't accidentally be dumped anywhere.

@Emyrk Emyrk merged commit abb2c76 into main Nov 27, 2023
@Emyrk Emyrk deleted the stevenmasley/oidc_claim_debugging branch November 27, 2023 16:47
@github-actions github-actions bot locked and limited conversation to collaborators Nov 27, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@coadler coadler coadler approved these changes

Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Emyrk @bpmct @coadler