-
Hello, I'm trying to use the Pinniped upstream identity provider flow. However, I'm getting Do you have any idea why the provider flow
Replies: 5 comments 6 replies
-
Here is how we configure Dex for use in our integration tests, which includes using the CLI password flow. Perhaps this will give some hints. Keep in mind that this is not a production configuration for Dex. You need to enable the resource owner password grant in Dex: pinniped/test/deploy/tools/dex.yaml (lines 22 to 23 at b0ea706).
-
I'm not an expert in Dex, but I found the original PR that enabled the feature in Dex here: dexidp/dex#1621. Maybe you also need to change this setting? This is just a wild guess based on the setting being introduced in the same PR: https://github.com/dexidp/dex/blob/28aaa8f5117d30d6da3cc23b0b1e5da6d3711999/server/server.go#L93-L94
-
@HamzaZo, I tried this and it worked for me. Are you using a recent release of Dex? Here is my Pinniped Supervisor's OIDCIdentityProvider, which is configured to point to Dex. Dex is running on the same cluster as the Pinniped Supervisor in this example. I am using a Kind cluster for this example.

```yaml
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  annotations:
  name: my-oidc-provider
  namespace: supervisor
spec:
  authorizationConfig:
    additionalScopes:
    - offline_access
    - email
    - profile
    - groups
    allowPasswordGrant: true
  claims:
    groups: groups
    username: email
  client:
    secretName: my-oidc-provider-client-secret
  issuer: https://dex.tools.svc.cluster.local/dex
  tls:
    certificateAuthorityData: <base64 CA bundle omitted>
```

And here is my Dex ConfigMap, which configures Dex to use my openldap server as an LDAP provider. My openldap server is running on the same cluster in this example.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: dex
  name: dex-config
  namespace: tools
data:
  config.yaml: |
    issuer: https://dex.tools.svc.cluster.local/dex
    storage:
      type: sqlite3
      config:
        file: ':memory:'
    web:
      https: 0.0.0.0:8443
      tlsCert: /var/certs/dex.pem
      tlsKey: /var/certs/dex-key.pem
    expiry:
      idTokens: 20m
    oauth2:
      skipApprovalScreen: true
      passwordConnector: ldap # This line is important! It tells Dex that password grants should use the ldap connector.
    staticClients:
    - id: pinniped-cli
      name: Pinniped CLI
      public: true
      redirectURIs:
      - http://127.0.0.1:48095/callback
      - http://[::1]:48095/callback
    - id: pinniped-supervisor
      name: Pinniped Supervisor
      secret: pinniped-supervisor-secret
      redirectURIs:
      - https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.tools.svc.cluster.local:636
        insecureSkipVerify: true # please do not do this for production! I was just being lazy for this experiment!
        bindDN: cn=admin,dc=pinniped,dc=dev
        bindPW: password
        usernamePrompt: SSO Username
        userSearch:
          baseDN: ou=users,dc=pinniped,dc=dev
          username: uid
          idAttr: uidNumber
          emailAttr: mail
          nameAttr: sn
        groupSearch:
          baseDN: ou=groups,dc=pinniped,dc=dev
          userMatchers:
          - userAttr: DN
            groupAttr: member
          nameAttr: cn
```

Then I was able to log in using Pinniped's CLI flow:

```console
❯ https_proxy="http://127.0.0.1:12346" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
Username: pinny
Password:
Error from server (Forbidden): pods is forbidden: User "pinny.ldap@example.com" cannot list resource "pods" in API group "" at the cluster scope
❯ https_proxy="http://127.0.0.1:12346" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
Current cluster info:
Name: kind-pinniped-pinniped
URL: https://127.0.0.1:50213
Current user info:
Username: pinny.ldap@example.com
Groups: seals, ball-game-players, system:authenticated
```

Ignore the proxy settings in the above commands. They are only needed because of the way that I configured ingress on my Kind cluster. You can see from the above output that my identity and group memberships were taken from my openldap server.
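An added check, written for this thread and not part of Pinniped or Dex, that mirrors the claim mapping in the OIDCIdentityProvider above: it decodes the payload of an ID token and reports whether the `email` and `groups` claims the Supervisor is configured to read are present and whether the scope each one depends on was requested. The JWT is constructed and unsigned, and `SCOPE_FOR_CLAIM` encodes the assumed Dex scope-to-claim relationship.

```python
import base64
import json

# spec.claims and spec.authorizationConfig.additionalScopes of the
# OIDCIdentityProvider shown above.
IDP_SPEC = {
    "claims": {"username": "email", "groups": "groups"},
    "additionalScopes": ["offline_access", "email", "profile", "groups"],
}
# Assumed scope a client must request from Dex for each claim to be issued.
SCOPE_FOR_CLAIM = {"email": "email", "groups": "groups", "name": "profile"}


def decode_jwt_payload(token: str) -> dict:
    """Claims of a compact JWT, NOT signature-verified (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_identity(spec: dict, claims: dict) -> dict:
    """Derive username/groups the way the Supervisor's claim mapping does and
    flag a missing scope or claim so a failed login or empty group list is explained."""
    problems = []
    for role in ("username", "groups"):
        claim = spec["claims"][role]
        scope = SCOPE_FOR_CLAIM.get(claim)
        if scope and scope not in spec["additionalScopes"]:
            problems.append(f"{role}: scope '{scope}' not in additionalScopes")
        if claim not in claims:
            problems.append(f"{role}: ID token has no '{claim}' claim")
    return {
        "username": claims.get(spec["claims"]["username"]),
        "groups": list(claims.get(spec["claims"]["groups"], [])),
        "problems": problems,
    }


def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none, empty signature) for the demo."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample resembling the identity in the whoami output above.
SAMPLE_TOKEN = fake_jwt({"iss": "https://dex.tools.svc.cluster.local/dex",
                         "email": "pinny.ldap@example.com",
                         "groups": ["seals", "ball-game-players"]})

if __name__ == "__main__":
    print(map_identity(IDP_SPEC, decode_jwt_payload(SAMPLE_TOKEN)))
```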
-
By the way, for anyone else following along, @HamzaZo is only trying to use Dex here because they believe that their LDAP server is using a very old/insecure version of TLS which is incompatible with the Pinniped Supervisor. Otherwise, they could use the Pinniped Supervisor's LDAPIdentityProvider and not need to use Dex at all. See #1483 (reply in thread).
-
Also note that, as documented here, using the Dex password grant requires Dex v2.31.0 or later.