Closed veselov closed 2 weeks ago
Manually adding a group (that a GitLab user is a member of) to "OIDC connected group", mapping it to a team, and assigning permissions works.
I was under the impression that at least the "OIDC Connected Group" table should be populated automatically...
I believe if you set the log level to DEBUG, you'll see more info about how DT is reconciling the OIDC tokens, groups, etc.
Yeah, that does print out a bunch of "Unknown OpenID Connect group XXX" messages for all groups that are not manually added to that list.
Might be a good thing if you have 10k+ AD groups like I do 🤓
It's indeed intentional that admins should make a conscious decision as to what groups they want to accept into DT.
Am I following this thread correctly in that the issue has been resolved?
Yes, it's totally my fault, as I failed to read this specific part: https://docs.dependencytrack.org/getting-started/openidconnect-configuration/#how-openid-connect-claims-are-mapped.
Also, I didn't need to use the groups_direct claim. It's true that the claim doesn't show up in the ID token, but DT apparently makes a userinfo request to OIDC and gets the groups from the response (https://docs.gitlab.com/ee/integration/openid_connect_provider.html).
Thank you, everybody, and apologies for unnecessary commotion.
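The resolution described in the thread, as an added illustration rather than Dependency-Track's own code: the groups claim is absent from the ID token but present in the userinfo response, and only groups that an admin has explicitly connected are mapped to teams, everything else being reported as unknown. The ID token, the userinfo document, the claim names and the connected-group mapping below are all constructed sample data (modelled on GitLab's "groups" and "groups_direct" claims, but not captured from a real GitLab instance), and the helper assumes the token's signature has already been verified upstream.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (JWT segment style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an ID token whose payload carries no groups claim at all.
# The signature segment is a placeholder; this sample is never verified.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://gitlab.example.com", "sub": "42",
             "aud": "dependency-track", "nickname": "jdoe"}),
    "signature-omitted",
])

# Constructed sample: a userinfo response carrying both a flattened "groups"
# claim and a "groups_direct" claim, as GitLab's documentation describes.
SAMPLE_USERINFO = {
    "sub": "42",
    "nickname": "jdoe",
    "groups": ["platform", "platform/security", "platform/ci"],
    "groups_direct": ["platform/security", "platform/ci"],
}


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of an already-verified JWT.

    No signature check is performed here; a real relying party must verify
    the token before trusting any claim it contains.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_groups(id_token: str, userinfo: dict, teams_claim: str) -> list:
    """Return the configured teams claim from the ID token, else from userinfo.

    This mirrors the behaviour observed in the thread: the claim is missing
    from the ID token, so the userinfo response is what actually supplies it.
    """
    claims = jwt_claims(id_token)
    if teams_claim in claims:
        return list(claims[teams_claim])
    return list(userinfo.get(teams_claim, []))


def map_groups(groups: list, connected_groups: dict) -> tuple:
    """Map IdP groups to teams through an explicit allow-list.

    connected_groups maps an IdP group name to a team name. Groups that were
    never connected are returned separately so the caller can log them, the
    way the "Unknown OpenID Connect group ..." DEBUG messages do; they are
    deliberately not auto-created as teams.
    """
    teams, unknown = [], []
    for group in groups:
        if group in connected_groups:
            teams.append(connected_groups[group])
        else:
            unknown.append(group)
    return teams, unknown


if __name__ == "__main__":
    groups = resolve_groups(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, "groups")
    teams, unknown = map_groups(groups, {"platform/security": "Security"})
    print("groups from IdP:", groups)
    print("mapped teams:", teams)
    for group in unknown:
        print(f"Unknown OpenID Connect group {group}")
```

Running it with the default-style "groups" claim resolves the three constructed groups from userinfo, maps only platform/security to a team, and reports the other two as unknown; switching the claim name to "groups_direct" drops the inherited parent group, which is the only difference the alternative claim makes here.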
No worries, it could just as well have been a bug. Please let us know when you run into other issues!
Current Behavior
Backend shows just this:
I'm not sure whether I'm missing something (and it does honestly feel like I am), but at this point I've exhausted my search capacity to find what that might be.
Steps to Reproduce
So far, reading docs available at https://docs.dependencytrack.org/getting-started/openidconnect-configuration/#gitlab-gitlabcom, I've set up:
GitLab application configuration has:
The JWx that DT sends to GitLab for logging in:
I didn't see a groups claim here, so I set ALPINE_OIDC_TEAMS_CLAIM to groups_direct.
The login response from GitLab:
And config.json (as seen by the browser):
Expected Behavior
After attempted GitLab login, even though there are no available permissions, the groups from GitLab are synchronized with DT teams. If not, then at least if there is a matching group, access should be granted.
Dependency-Track Version
Dependency-Track Distribution: Container Image
Database Server: PostgreSQL
Database Server Version: No response
Browser: Google Chrome
Checklist