Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

returning claims from user_info as X-Vouch-IdP-Claims-* headers #221

Closed
rogerscuall opened this issue Mar 8, 2020 · 12 comments
Closed

returning claims from user_info as X-Vouch-IdP-Claims-* headers #221

rogerscuall opened this issue Mar 8, 2020 · 12 comments
Labels
bug duplicate

Comments

@rogerscuall
Copy link

Describe the problem
After the user was authenticated and can go to the protected service, the only information we have about the user is the header x-vouch-user. Can we get any other information assuming the external provider is sending that information?

Expected behavior
In this specific case, other information is requested, for scope is: OpenID, email, profile.
The auth response header is just x-vouch-user per the example in the main page:
nginx.ingress.kubernetes.io/auth-response-headers: x-vouch-user
But I'm looking for any other information that we can pass to the protected service, for example, the email or the profile.

Additional context
For testing purposes right now the protected service is httpbin and I'm getting the following headers:
https://hastebin.com/eyiroviyax.bash
@bnfinet
Copy link
Member

bnfinet commented Mar 8, 2020 via email

@rogerscuall
Copy link
Author

Hi @bnfinet , thanks for your help.
I followed your link, now the vouch config looks like this:
https://gist.github.com/rogerscuall/bc1c44e5ff3033399d1af7eeed70e630
The ingress looks like this:
https://gist.github.com/rogerscuall/2945c48fc2190638b3544083f29c9995
The logs in vouch look like this:

2020-03-09T14:52:38.817Z	INFO	OpenID userinfo body: {"sub":"7a3071e7-59ed-4032-b345-e32adfbf859f","email_verified":"true","phone_number_verified":"true","phone_number":"+01813XXXXXXX","email":"[email protected]","username":"devtestqa1"}

But still not getting the header with the groups.
https://gist.github.com/rogerscuall/ddc1909993f7284629143f8db8547722
In this case the provider is AWS Cognito.
When I use the Cognito SDK after decrypting the JWT I get a field like this one: cognito:groups with the groups of the user.

@bnfinet
Copy link
Member

bnfinet commented Mar 11, 2020

please post your logs with loglevel: debug and testing: true

@rogerscuall
Copy link
Author

One more time thanks.
This is the log:
https://hastebin.com/meyicuside.rb
On line 59 there is a JWT token decoding that will return something like this:

{
  "sub": "7a3071e7-59ed-4032-b345-e32adfbf859f",
  "cognito:groups": [
    "grouping"
  ],
...

@bnfinet
Copy link
Member

bnfinet commented Mar 11, 2020
edited
Loading

If properly configured the CustomClaims:map[] should be getting populated (lines 153 and 121)

In the config headers should be a sub element of vouch. You have it on the same level as vouch and oauth

and I believe it will need to be

vouch:
  headers:
    claims:
    - cognito:groups

@bnfinet bnfinet changed the title What other information can we get about the user returning claims from user_info as X-Vouch-IdP-Claims-* headers Mar 11, 2020
@rogerscuall
Copy link
Author

rogerscuall commented Mar 12, 2020
edited
Loading

You are completely right, my mistake. I can see now that in the vouch logs this line at the very beginning:
2020-03-12T02:33:36.485Z DEBUG viper settings map[vouch:map[testing:true headers:map[claims:[cognito:groups]]
I have applied the changes you requested but still the same issue, config looks like this:
https://hastebin.com/ihinedijus.m
Logs look like this:
https://hastebin.com/nesixuleto.pl
Reading again the documentation the header will take the name of X-Vouch-IdP-Claims-ClaimKey, if the claim key is cognito:groups what would be the name. I tried with groups, instead of cognito:groups with similar results, the field is still not present and the CustomClaims:map[] is still present in the logs.

@bnfinet bnfinet mentioned this issue Mar 20, 2020
Closed
@bnfinet
Copy link
Member

bnfinet commented Mar 24, 2020

Until #183 and #184 are resolved cognito:groups will not work. The : in the string screws up the header.

However I'm not sure that's what you're seeing here. It feels like we should be able to see the groups coming out of the JWT.

@rogerscuall
Copy link
Author

Nope, I still get the CustomClaims:map[] empty. If I decrypt the JWT I can see:

{
  "sub": "7a3071e7-59ed-4032-b345-e32adfbf859f",
  "cognito:groups": [
    "grouping"
  ],
...

But the field with the group that is sent back to the protected service is missing.

@bnfinet bnfinet mentioned this issue Apr 22, 2020
Closed
@bnfinet
Copy link
Member

bnfinet commented Apr 22, 2020

hope this is fixed by #183 v0.10.0
@rogerscuall could you please test

@rogerscuall
Copy link
Author

Thanks, I have tried it but I still get the CustomClaims:map[] empty on the logs and only the headers for X-Forwarded-Host, X-Vouch-User, and Cookie related to Vouch. I still don't see the additional header even though the logs have vouch:map[allowallusers:true domains:[dev.myexample.com] headers:map[claims:[cognito:groups]]

@bnfinet
Copy link
Member

bnfinet commented Apr 22, 2020 via email

@bnfinet
Copy link
Member

bnfinet commented May 14, 2020

@rogerscuall any progress on this one? If you are no longer working this issue could you please close it.

@bonnydeal bonnydeal mentioned this issue Mar 30, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bnfinet @rogerscuall