Project

General

Profile

Actions

Bug #25668

open

OIDC users cannot use api-authorizations tokens because they have no API rights

Added by Clark ANDRIANASOLO 2 months ago. Updated about 2 months ago.

Status:
New
Priority:
3
Assignee:
-
Target version:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
I hate Rudder for that
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Small
Priority:
96
Name check:
To do
Fix check:
To do
Regression:
No

Description

When logging in as an OIDC user, with the api-authorizations plugin installed, I can create an API token for my user.
But when I attempt to use the created token, I have an authorization error message in the API, regardless of the rights of the user :

{
  "action": "nodeDetails",
  "result": "error",
  "errorDetails": "Authorization error: User 'my.user@example.io' is not allowed to access GET api/latest/nodes/{id}" 
}

That ensues from the external identity provider model : the identity and roles resolution is not declared in Rudder, but only handled at the step of login with the OAuth2/OIDC protocol.

The solutions available within the constraints of the model are quite limited, one of the solutions in Rudder would be to make use of the rights in the last user sessions, but the risk of that is not being consistent in case of changes made in the external provider. A workaround would be to manage the rights and maintain the token "by hand" by declaring a token in the API accounts page.

In the end, the fact that this is unusable is not surprising at all and it may be a feature that could be made more explicit by disallowing the API token creation for an OIDC user.

Actions

Also available in: Atom PDF