Bug #23254

closed

User management plugin incorrectly understands OIDC roles

Added by Roni Väyrynen over 1 year ago. Updated 10 months ago.

Status: Released
Priority: N/A
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

I have OIDC configured (utilizing Okta) successfully and user logins are working fine; even custom groups are fetched from a specific attribute. What doesn't work is the roles override option, which should reset the user's roles to whatever is provided by the OIDC that matches an existing custom role. Below is an example of how I have this set up:

in rudder-users.xml:

<authentication case-sensitivity="true" hash="bcrypt">
    <custom-roles>
        <role permissions="read_only" name="Team - ReadOnly"/>
        <role permissions="administrator" name="Team - Administrator"/>
    </custom-roles>
    <user name="firstname.lastname@company.tld" permissions="Team - ReadOnly,Team - Administrator"/>
</authentication>

Based on the documentation, this is what I'm expecting to happen: the OIDC auth method reads the groups from an attribute, matches them to existing custom roles and then either appends to or overrides the configured roles in the user block. Even the log suggests that this would happen:

[2023-08-10 11:28:23+0000] DEBUG auth-backends - Identifying OIDC user info with sub: 'xxx' on rudder user base using login: 'firstname.lastname@company.tld'
[2023-08-10 11:28:23+0000] INFO  application.authorization - Principal 'firstname.lastname@company.tld' role list extended with OIDC provided roles: [Team - ReadOnly] (override: true)
[2023-08-10 11:28:23+0000] DEBUG auth-backends - Principal 'firstname.lastname@company.tld' final list of roles: [Team - ReadOnly]

However, in the UI the user still has full administrator permissions, which come from the Team - Administrator role. This can also be observed in the User Management UI section, where the user has an administrator role.

At first I tested this with a custom role and one of the pre-defined default roles in the user block and thought the plugin would target only custom roles, but it seems the behaviour is the same with both: roles aren't actually overwritten as they should be.

I've tested this with the following:

rudder-plugin-auth-backends latest release version 7.3.4-2.6 and with 7.3.5-2.6-nightly
rudder-plugin-user-management latest release version 7.3.4-2.2 and with 7.3.5-2.2-nightly
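As an added illustration (not Rudder's or the plugin's own code), this Python sketch models the role resolution the report expects from the override option and audits the same rudder-users.xml fragment for users whose user block grants administrator on its own, which is what keeps the reporter's user an administrator while the override is not applied. The function names, the second user and the OIDC group lists are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the rudder-users.xml fragment in the report.
RUDDER_USERS_XML = """\
<authentication case-sensitivity="true" hash="bcrypt">
    <custom-roles>
        <role permissions="read_only" name="Team - ReadOnly"/>
        <role permissions="administrator" name="Team - Administrator"/>
    </custom-roles>
    <user name="firstname.lastname@company.tld" permissions="Team - ReadOnly,Team - Administrator"/>
    <user name="ops.user@company.tld" permissions="read_only"/>
</authentication>
"""


def _split(attr):
    return [p.strip() for p in (attr or "").split(",") if p.strip()]

def parse_users_file(xml_text):
    """Return (custom_roles, users): role name -> permissions, user -> configured roles."""
    root = ET.fromstring(xml_text)
    roles = {r.get("name"): _split(r.get("permissions")) for r in root.findall("./custom-roles/role")}
    users = {u.get("name"): _split(u.get("permissions")) for u in root.findall("./user")}
    return roles, users

def expand(roles, custom_roles):
    """Flatten custom role names into the built-in permissions they grant."""
    return {p for role in roles for p in custom_roles.get(role, [role])}

def expected_final_roles(configured, oidc_groups, custom_roles, override):
    """Roles the report expects after OIDC login: only groups matching an existing
    custom role count; override=True replaces the user block's roles, else extends."""
    matched = [g for g in oidc_groups if g in custom_roles]
    return matched if override else list(dict.fromkeys(configured + matched))

def static_admins(xml_text):
    """Users whose user block alone grants 'administrator'. Until the override is
    actually applied, these grants stay effective whatever groups the IdP sends."""
    custom_roles, users = parse_users_file(xml_text)
    return sorted(u for u, r in users.items() if "administrator" in expand(r, custom_roles))


if __name__ == "__main__":
    custom_roles, users = parse_users_file(RUDDER_USERS_XML)
    me = "firstname.lastname@company.tld"
    wanted = expected_final_roles(users[me], ["Team - ReadOnly"], custom_roles, override=True)
    print("expected after override:", wanted, "granting", expand(wanted, custom_roles))
    print("still effective from user block:", expand(users[me], custom_roles))
    print("static administrator grants to audit:", static_admins(RUDDER_USERS_XML))
```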


Related issues: 6 (3 open, 3 closed)

Related to Authentication backends - Bug #23306: OIDC authentication backend is not listed in user-management plugin (New, François ARMAND)
Related to Rudder - Bug #23098: Plugin cannot add custom roles or it will be overwritten by boot custom roles (Released, Vincent MEMBRÉ)
Related to Rudder plugins - Bug #23348: not allowed to access errors because rudder plugins are missing AuthorizationApiMapping (Released, Vincent MEMBRÉ)
Related to Rudder - Bug #23313: Extend authentication methods to know about roles override (New, François ARMAND)
Related to Authentication backends - Bug #23314: Update role overriding warning based on actual OIDC configuration (New, François ARMAND)
Related to Rudder - Bug #24230: Authentication providers and role mapping settings should be exposed (Released, Vincent MEMBRÉ)