Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Email for SSO RBAC with Google OIDC #4612

Closed
avifried1 opened this issue Nov 29, 2020 · 6 comments · Fixed by #4644
Closed

Use Email for SSO RBAC with Google OIDC #4612

avifried1 opened this issue Nov 29, 2020 · 6 comments · Fixed by #4644
Assignees
@alexec
Labels
area/sso-rbac type/feature Feature request

Comments

@avifried1
Copy link

avifried1 commented Nov 29, 2020
edited by agilgur5
Loading

Summary

When using SSO auth mode with Google's OIDC, the issuer identifier (subject) is a unique user ID that isn't very useful and is hard to use for identifying users and managing RBAC permissions in a scalable way.

It will be more useful to use the user's email as the subject when using google as the OIDC provider.
per Google's OIDC documentation:

{
  "iss": "https://accounts.google.com",
  "azp": "1234987819200.apps.googleusercontent.com",
  "aud": "1234987819200.apps.googleusercontent.com",
  "sub": "10769150350006150715113082367",
  "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
  "hd": "example.com",
  "email": "jsmith@example.com",
  "email_verified": "true",
  "iat": 1353601026,
  "exp": 1353604926,
  "nonce": "0394852-3190485-2490358"
}

Use Cases

When google is set as the OIDC provider (issuer https://accounts.google.com). This is very useful for teams using G suite.

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.
@avifried1 avifried1 added the type/feature Feature request label Nov 29, 2020
@alexec
Copy link
Contributor

alexec commented Nov 30, 2020

This should be easy for you to create a PR

type Claims struct {
	jwt.Claims
	Groups []string `json:"groups,omitempty"`
}

That needs an Email field, e.g.:

type Claims struct {
	jwt.Claims
        Email string `json:"email,omitempty"`
	Groups []string `json:"groups,omitempty"`
}

Also need to update the docs and your config to add email to sso.groups

@avifried1
Copy link
Author

avifried1 commented Dec 1, 2020
edited by agilgur5
Loading

Will also be better to use Email, if available, in the workflows.argoproj.io/creator label

@alexec alexec self-assigned this Dec 3, 2020
@alexec alexec removed the help wanted label Dec 3, 2020
alexec added a commit to alexec/argo-workflows that referenced this issue Dec 3, 2020
@alexec
feat(server): Support email is SSO. Fixes argoproj#4612
a3498c1 
Signed-off-by: Alex Collins <alex_collins@intuit.com>
@alexec alexec mentioned this issue Dec 3, 2020
Merged
1 task
@alexec
Copy link
Contributor

alexec commented Dec 3, 2020

I've created a dev build for you to test to see that it does what you need:

docker pull argoproj/argocli:fix-4612

Please see #4644 for how to add email to your scopes, how to use it in your RBAC annotations, and how the email is re-formatted for the label.

@avifried1
Copy link
Author

Checked new tag fix-4612 on minikube v1.15.1. Looks good.

  • role annotations using email object:
email in [
      'me@mycompany.com'
      ]
  • Tested user is assigned to correct SA
  • Tested other users are assigned to default SA
  • Tested annotation is added to new workflows:
workflows.argoproj.io/creator: 100000000003345678987654
workflows.argoproj.io/creator-email: me.at.mycompany.com
  • After logging in with OIDC and redirecting back to Argo, Login page needs refresh in order to show email & email verified entries.

alexec added a commit that referenced this issue Dec 11, 2020
@alexec
feat(server): Support email for SSO+RBAC. Closes #4612 (#4644)
433dc5b 
Signed-off-by: Alex Collins <alex_collins@intuit.com>
@simster7 simster7 mentioned this issue Dec 15, 2020
Closed
22 tasks
@simster7 simster7 mentioned this issue Jan 25, 2021
Closed
19 tasks
simster7 pushed a commit that referenced this issue Jan 25, 2021
@alexec @simster7
feat(server): Support email for SSO+RBAC. Closes #4612 (#4644)
067b603 
Signed-off-by: Alex Collins <alex_collins@intuit.com>
@simster7
Copy link
Member

This is out on https://github.com/argoproj/argo/releases/tag/v2.12.6

@advithVashist
Copy link

Hi @simster7 @alexec!
I know this issue is closed, but my coworker made a PR referencing this issue: #10927. What is the process of getting this PR into the next release?

@agilgur5 agilgur5 changed the title Use User Email as Subject in Google OIDC Login Use Email for SSO RBAC Jun 16, 2024
@agilgur5 agilgur5 changed the title Use Email for SSO RBAC Use Email for SSO RBAC with Google OIDC Jun 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexec alexec

Labels
area/sso-rbac type/feature Feature request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(server): Support email for SSO+RBAC. Closes #4612 alexec/argo-workflows
5 participants
@simster7 @alexec @agilgur5 @avifried1 @advithVashist