
Feature/configure additional OIDC scopes #4533

Merged

Conversation

tvanderwal-lmco
Contributor

Implements the ability to request additional scopes from the OIDC provider documented in issue 4349

@CLAassistant

CLAassistant commented Oct 31, 2022

CLA assistant check
All committers have signed the CLA.

@tvanderwal-lmco
Contributor Author

Outside of the unit tests I did confirm functionality locally by requesting the email scope and using it as the friendly name.

```yaml
---
listen_address: "0.0.0.0:8000"

database:
  type: "local"
  local:
    path: "~/lakefs/metadata"

logging:
  format: text
  level: DEBUG
  output: "-"

auth:
  encrypt:
    secret_key: "example"
  oidc:
    enabled: true
    client_id: myclient
    client_secret: clientsecret
    callback_base_url: http://localhost:8000
    url: https://oidcprovider
    default_initial_groups: ["Admins"]
    is_default_login: true
    friendly_name_claim_name: email
    additional_scope_claims:
      - upn
      - email

blockstore:
  type: local
  local:
    path: "~/lakefs/dev/data"

gateways:
  s3:
    region: us-east-1
```
[Screenshot attached: Screen Shot 2022-10-31 at 11 16 22 AM]
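The configuration above requests extra scopes (`additional_scope_claims`) and then names the user from one of the resulting claims (`friendly_name_claim_name`). The following Go program is an added illustration of that mechanism, not lakeFS's own code: it merges a base scope list with the configured additional scopes (deduplicating and rejecting malformed scope tokens), then resolves the friendly name from a constructed set of ID-token claims and fails closed when the configured claim is absent, which is what happens when the provider does not actually grant the requested scope. The `OIDCConfig` struct, the `baseScopes` list and the fallback to `sub` are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// OIDCConfig mirrors the two auth.oidc keys used in the PR description.
// Hypothetical type for this example; it is not lakeFS's config struct.
type OIDCConfig struct {
	FriendlyNameClaimName string
	AdditionalScopeClaims []string
}

// baseScopes are requested on every login; "openid" is mandatory for an
// OIDC flow. The exact base list is an assumption of this example.
var baseScopes = []string{"openid", "profile"}

// RequestedScopes merges the base scopes with the configured additional
// scopes, keeping first-seen order, dropping duplicates and rejecting
// tokens that RFC 6749 does not allow in a scope value (space, quote,
// backslash) so that a bad config value cannot corrupt the request.
func RequestedScopes(cfg OIDCConfig) ([]string, error) {
	seen := make(map[string]bool)
	var out []string
	add := func(s string) error {
		s = strings.TrimSpace(s)
		if s == "" || strings.ContainsAny(s, " \t\"\\") {
			return fmt.Errorf("invalid scope %q", s)
		}
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
		return nil
	}
	for _, s := range baseScopes {
		if err := add(s); err != nil {
			return nil, err
		}
	}
	for _, s := range cfg.AdditionalScopeClaims {
		if err := add(s); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// FriendlyName picks the display name out of the ID-token claims. If no claim
// is configured it uses "sub" (an assumption of this example). A missing or
// non-string claim is an error rather than a silent fallback: the most common
// cause is that the matching scope was not requested or not granted.
func FriendlyName(cfg OIDCConfig, claims map[string]any) (string, error) {
	claim := cfg.FriendlyNameClaimName
	if claim == "" {
		claim = "sub"
	}
	v, ok := claims[claim]
	if !ok {
		return "", fmt.Errorf("claim %q missing from ID token; was its scope requested and granted?", claim)
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("claim %q is not a non-empty string", claim)
	}
	return s, nil
}

func main() {
	// Same values as the YAML in the PR description, plus a duplicate of a
	// base scope to show deduplication.
	cfg := OIDCConfig{
		FriendlyNameClaimName: "email",
		AdditionalScopeClaims: []string{"upn", "email", "profile"},
	}
	scopes, err := RequestedScopes(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("scope=" + strings.Join(scopes, " "))

	// Constructed ID-token claims standing in for a real provider response.
	claims := map[string]any{"sub": "abc123", "email": "alice@example.com"}
	name, err := FriendlyName(cfg, claims)
	fmt.Println(name, err)

	// Provider that ignored the "email" scope: the claim is absent.
	_, err = FriendlyName(cfg, map[string]any{"sub": "abc123"})
	fmt.Println(err)
}
```

Requesting a scope only asks the provider; whether the claim shows up depends on the provider's consent and scope policy, so the friendly-name lookup should treat an absent claim as a configuration problem to surface, not something to paper over with a default.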

@arielshaqed
Contributor

Thanks!
Running tests and putting some labels on it.

@arielshaqed arielshaqed added new-feature Issues that introduce new feature or capability area/auth IAM, authorization, authentication, audit, AAA, and integrations with all those contributor include-changelog PR description should be included in next release changelog team/cloud-native Team cloud native labels Oct 31, 2022
@arielshaqed arielshaqed linked an issue Oct 31, 2022 that may be closed by this pull request
Contributor

@guy-har guy-har left a comment


LGTM
Love the tests
Thank you for this contribution!!

@@ -96,10 +96,11 @@ This reference uses `.` to denote the nesting of values.
* `auth.oidc.url` `(string : )` - The base URL of your OIDC compatible identity provider.
* `auth.oidc.callback_base_url` `(string : )` - The scheme, host and port of your lakeFS installation. After authenticating, your identity provider will redirect you to a URL under this base.
* `auth.oidc.default_initial_groups` `(string[] : [])` - By default, OIDC users will be assigned to these groups
* `auth.oidc.initial_groups_claim_name` `(string[] : [])` - Use this claim from the ID token to provide the initial group for new users.
* `auth.oidc.initial_groups_claim_name` `(string[] : [])` - Use this claim from the ID token to provide the initial group for new users. This will take priority if `auth.oidc.default_initial_groups` is also set.
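Review bot: the `auth.oidc.initial_groups_claim_name` entry that this hunk replaces and re-adds still carries the type `(string[] : [])`, yet its own text says "Use this claim" (singular) and the companion `friendly_name_claim_name` key in the PR description's YAML takes a single claim name; `(string : )`, as used for `auth.oidc.url` above, would describe it accurately. Separately, the hunk header counts one more new line than old, but the quoted lines show only the one-for-one replacement, and the `auth.oidc.additional_scope_claims` key that this PR introduces (and that the description's config exercises) does not appear among them; if that line is the missing addition, please make sure it reads as a `(string[] : [])` entry next to these keys so the reference documents the new option.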
Contributor


🙏

@guy-har guy-har merged commit b84fbde into treeverse:master Nov 3, 2022
Development

Successfully merging this pull request may close these issues.

Enhancement Request: Ability to customize OIDC scopes