OpenID + Dex + Groups restriction

[nabadger]

Hi,

We currently run Dex backed by LDAP in our authentication pipeline.

Dex returns ID tokens with group information, which we're already using in in our auth-flow (in kubernetes).

{
  "iss": "http://127.0.0.1:5556/dex",
  "sub": "CgcyMzQyNzQ5EgZnaXRodWI",
  "aud": "example-app",
  "exp": 1492882042,
  "iat": 1492795642,
  "at_hash": "bi96gOXZShvlWYtal9Eqiw",
  "email": "jane.doe@coreos.com",
  "email_verified": true,
  "groups": [
    "admins",
    "developers"
  ],
  "name": "Jane Doe"
}

Does oauth2_proxy support any method to check these groups that are returned from Dex, in a similar fashion to the existing --google-group or --gitlab-team options.

I've had a look at the oidc provider but don't see anything to suggest it does.

Thanks

[luispollo]

@nabadger You can override the default scopes requested by the providers with the scopes config option, for example scope=openid profile email groups. That will result in group information being included in the ID token issued by dex.

[nabadger]

@luispollo I recall this was more about having oauth2-proxy restrict access to the client based on the groups (I do get the group information back from Dex, it's just I can't restrict by it).