Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC integration with Azure fails "NO DATA" once impersonated #4202

Open
rlaflamme opened this issue Apr 16, 2024 · 3 comments
Open

OIDC integration with Azure fails "NO DATA" once impersonated #4202

rlaflamme opened this issue Apr 16, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@rlaflamme
Copy link

OIDC integration with Azure fails due to missing 'groups' scope

Environment

Weave-Gitops Version 0.38.0
Flux Version 2.2.3
Kubernetes versionv 1.27.10-eks-508b6b3
To Reproduce
Steps to reproduce the behavior:

Create a new App Registration in Azure Active Directory
Configure oidc in helm chart
Deploy
Attempt to login via OIDC

image

No data ...

Still having issue with the no data message when usinc ODCI and AzureAD

I read and apply recomendations from this thread [(https://github.com//issues/2507)]

Group is set in optional claims and I can see them in the token. I can see the logged username and its groups in the JWT token.

Found principal    {"user": "***", "groups": ["***"], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}

Another observation: I had to impersonate both the user AND it's group. Otherwhise I get the message

"error": "user namespace access: groups \"a5cce412-2d6f-4cce-******************\" is forbidden: User \"system:serviceaccount:sbx-00:weave-gitops\"   cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}

Content of oidc-auth secret:

        Client ID:      {{ .client_id }}
        Client Secret:  {{ .client_secret }}
        Custom Scopes:  openid,profile,offline_access,email
        Issuer URL:     https://login.microsoftonline.com/bfce736f-*****/v2.0
        Redirect URL:   https://weave-gitops.sbx-00.001.wcld.************/oauth2/callback

I can see the data using the "admin" user (basic authentifcation, no OIDC)

Anyone have any ideas how to solve this issue once for all ?

Thank you !

Regards

Robert
@rlaflamme rlaflamme added the bug Something isn't working label Apr 16, 2024
@rlaflamme rlaflamme changed the title OIDC integration with Azure fails due to missing 'groups' scope (like OIDC integration with Azure fails NO DATA once impersonated Apr 16, 2024
@rlaflamme rlaflamme changed the title OIDC integration with Azure fails NO DATA once impersonated OIDC integration with Azure fails "NO DATA" once impersonated Apr 16, 2024
@olegenii
Copy link

@rlaflamme did you create corresponding ClusterRoleBinding also?

@allenyinx
Copy link

same here. Any progress from your side? @rlaflamme

@rlaflamme
Copy link
Author

rlaflamme commented Sep 4, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rlaflamme @allenyinx @olegenii