OIDC integration with Azure fails due to missing 'groups' scope
Environment
Weave-Gitops Version 0.38.0
Flux Version 2.2.3
Kubernetes version v1.27.10-eks-508b6b3
To Reproduce
Steps to reproduce the behavior:
Create a new App Registration in Azure Active Directory
Configure oidc in helm chart
Deploy
Attempt to login via OIDC
No data ...
Still having an issue with the "no data" message when using OIDC and Azure AD.
I read and applied the recommendations from this thread: https://github.com//issues/2507
Group is set in optional claims and I can see them in the token. I can see the logged username and its groups in the JWT token.
Found principal {"user": "***", "groups": ["***"], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
Another observation: I had to impersonate both the user AND its group. Otherwise I get the message
"error": "user namespace access: groups \"a5cce412-2d6f-4cce-******************\" is forbidden: User \"system:serviceaccount:sbx-00:weave-gitops\" cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}
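The error above is the API server's RBAC check on the impersonation verb: the weave-gitops service account may impersonate users but has no rule for the "groups" resource, so the group-scoped request is rejected. The manifest below is an added illustrative example, not the reporter's configuration and not the Weave GitOps Helm chart's own RBAC (which already ships its own rules). It reuses the namespace "sbx-00" and service account "weave-gitops" from the error message; the ClusterRole and ClusterRoleBinding names are placeholders chosen here.

```yaml
# Added example (not from the issue or the Weave GitOps chart): RBAC that lets the
# weave-gitops service account impersonate both the OIDC user and the user's groups.
# Namespace "sbx-00" and service account "weave-gitops" come from the error message
# in the issue; the ClusterRole/ClusterRoleBinding names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: weave-gitops-impersonate   # placeholder name
rules:
  # Without "groups" in this list the API server answers:
  #   cannot impersonate resource "groups" in API group "" at the cluster scope
  - apiGroups: [""]
    resources: ["users", "groups"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: weave-gitops-impersonate   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: weave-gitops-impersonate
subjects:
  - kind: ServiceAccount
    name: weave-gitops
    namespace: sbx-00
```

To confirm the binding took effect before retrying the login, check the verb directly from the service account's point of view: `kubectl auth can-i impersonate groups --as=system:serviceaccount:sbx-00:weave-gitops` should answer "yes". Impersonation is a powerful permission: a service account that can impersonate any group can act as cluster-admins if such a group is bound, so where the set of Azure AD groups that should reach the cluster is known, add a `resourceNames` list with those group object IDs to the "groups" rule rather than granting impersonation of all groups.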
rlaflamme changed the title from "OIDC integration with Azure fails due to missing 'groups' scope (like" to "OIDC integration with Azure fails NO DATA once impersonated" on Apr 16, 2024.
rlaflamme changed the title from "OIDC integration with Azure fails NO DATA once impersonated" to "OIDC integration with Azure fails "NO DATA" once impersonated" on Apr 16, 2024.
I finally managed it outside the app by securing the endpoint using an API gateway (Kong) with their OIDC plugin.
I did the same with an open source solution using the APISIX gateway and their OIDC plugin.
*Robert Laflamme*
On Wed, Sep 4, 2024 at 05:02, AllenYin ***@***.***> wrote:
Content of oidc-auth secret:
I can see the data using the "admin" user (basic authentication, no OIDC).
Anyone have any ideas how to solve this issue once and for all?
Thank you !
Regards
Robert