Bug #25668 (open)
OIDC users cannot use api-authorizations tokens because they have no API rights
Description
When logging in as an OIDC user, with the api-authorizations plugin installed, I can create an API token for my user.
But when I attempt to use the created token, I get an authorization error message from the API, regardless of the rights of the user:
{ "action": "nodeDetails", "result": "error", "errorDetails": "Authorization error: User 'my.user@example.io' is not allowed to access GET api/latest/nodes/{id}" }
This follows from the external identity provider model: identity and role resolution is not declared in Rudder, but handled only at login time through the OAuth2/OIDC protocol.
The solutions available within the constraints of this model are quite limited. One option in Rudder would be to reuse the rights from the user's last session, but that risks being inconsistent with changes made in the external provider. A workaround is to manage the rights and maintain the token "by hand" by declaring a token in the API accounts page.
In the end, the fact that this is unusable is not surprising at all, and it may be a behaviour that could be made more explicit by disallowing API token creation for OIDC users.
Updated by Nicolas CHARLES about 2 months ago
- Priority changed from To review to 2