can't use group members with OIDC Google #20719

Open
fatsolko opened this issue Jul 9, 2024 · 3 comments

@fatsolko

fatsolko commented Jul 9, 2024

I created OIDC authentication with Google and added a user in Google to the group devops.
After adding the group member to the project, I expected the user to have access to the project docker.
But it doesn't work; I only see the public project.
UPD:
Log when I set Group Claim Name to groups:
2024-07-10T07:10:23Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[email:some@py.com email_verified:true family_name:some given_name:some hd:py.com name:some picture:https://lh3.googleusercontent.com/a/ACg8ocKi_Ub65nJIOAbVEu3AUSNWpEC7pHeI=s96-c sub:11286363274952], groups claims key: groups

What am I doing wrong?

@fatsolko
Author

fatsolko commented Jul 10, 2024

I think the main problem is not being able to get groups from the Google account.
I don't know which scope should work and how to add that scope to Harbor.

@stonezdj
Contributor

You should set the Group Claim Name

Group Claim Name: The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor.

see: https://goharbor.io/docs/edge/administration/configure-authentication/oidc-auth/#configure-an-oidc-provider-in-harbor

@fatsolko
Author

fatsolko commented Jul 11, 2024

> You should set the Group Claim Name
>
> Group Claim Name: The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor.
>
> see: https://goharbor.io/docs/edge/administration/configure-authentication/oidc-auth/#configure-an-oidc-provider-in-harbor

Yes, but Google does not provide group scope info.
For example, here is the log when I set Group Claim Name to groups:
2024-07-10T07:10:23Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[email:some@py.com email_verified:true family_name:some given_name:some hd:py.com name:some picture:https://lh3.googleusercontent.com/a/ACg8ocKi_Ub65nJIOAbVEu3AUSNWpEC7pHeI=s96-c sub:11286363274952], groups claims key: groups
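
The warning quoted in this thread can be reproduced outside Harbor by decoding an ID token's payload and looking for the configured group claim. This is an added example, not Harbor's code and not part of any comment above; `GroupsFromIDToken` and `sampleToken` are hypothetical names, the tokens are constructed to mirror the claim set in the log, and the signature is deliberately not verified because the function is for troubleshooting only.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleToken builds a constructed, JWT-shaped string (placeholder signature).
func sampleToken(claims map[string]interface{}) string {
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc(body) + ".constructed-signature"
}

// GroupsFromIDToken decodes the payload WITHOUT verifying the signature
// (troubleshooting only) and returns the string list stored under claimName.
func GroupsFromIDToken(idToken, claimName string) ([]string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: got %d parts", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	raw, ok := claims[claimName]
	if !ok {
		return nil, fmt.Errorf("claim %q absent; token has %d other claims", claimName, len(claims))
	}
	var groups []string
	if err := json.Unmarshal(raw, &groups); err != nil {
		return nil, fmt.Errorf("claim %q is not a list of strings: %w", claimName, err)
	}
	return groups, nil
}

func main() {
	google := sampleToken(map[string]interface{}{"email": "some@py.com", "hd": "py.com"})
	_, err := GroupsFromIDToken(google, "groups")
	fmt.Println("Google-shaped token:", err)
	custom := sampleToken(map[string]interface{}{"email": "some@py.com", "groups": []string{"devops"}})
	fmt.Println(GroupsFromIDToken(custom, "groups"))
}
```

A missing-claim error here corresponds to the "Unable to get groups from claims" warning: group-based project membership cannot apply until the identity provider actually puts the named claim in the token.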
