OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

[Question] How to use plain Usernames for authorization instead of "issuer"#"username" #62

Closed fbuchmeier-abi closed 1 year ago

fbuchmeier-abi commented 1 year ago

Dear community,

Setting the stage:

I am currently trying to integrate Amazon EKS with two different OIDC providers (Keycloak & Auth0). In my environment, we have multiple clusters and multiple users that want to access those clusters. At the moment we have EKS integrated directly with both providers (on different clusters) and are using Heptio Gangway to generate the kubectl configuration for us.

I have successfully set up OpenUnison (operator + orchestra + login portal) and authentication in the WebApp as well as via kubectl is working.

However, I now want to grant permissions to specific users as I did before using the direct connection (to Keycloak/Auth0).

When running kubectl whoami --all (from a krew plugin) I can see that the user I am authenticated with has changed from:

User:   fbuchmeier@example.com
Groups:
        some_administrators
        system:authenticated

to:

User:   https://ou.some.cluster/auth/idp/k8sIdp#fbuchmeier@example.com
Groups:
        some_administrators
        system:authenticated

Since I already have my RBAC in place, managed by the rbac-manager, and I have multiple different clusters (e.g. ou.some.other.cluster), I want to keep my current setup and authorize based on the actual username (here: fbuchmeier@example.com) instead of the composite of issuer (here: https://ou.some.cluster/auth/idp/k8sIdp) and the user.

I already looked at the documentation at OpenUnison - Deploy Auth as well as the default values but did not find an option to configure this.

Do you know if this is currently possible and if not, which component in OpenUnison is responsible for generating this complex username, so that I could add the configuration and create a corresponding PullRequest?

Thank you in advance, Florian.

fbuchmeier-abi commented 1 year ago

Short update: I think I found the answer to my question after writing it down, classical rubber 🦆ing. EKS automatically uses this usernamePrefix when the username differs from the email address, see the AWS API docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_OidcIdentityProviderConfigRequest.html

usernamePrefix: The prefix that is prepended to username claims to prevent clashes with existing names. If you do not provide this field, and username is a value other than email, the prefix defaults to issuerurl#. You can use the value - to disable all prefixing.

fbuchmeier-abi commented 1 year ago

I've disabled the usernamePrefix by setting it to - and the result is as expected. The configuration now looks like this for EKS:

    ClientID: kubernetes
    GroupsClaim: groups
    GroupsPrefix: null
    IssuerURL: https://ou.some.cluster/auth/idp/k8sIdp
    Name: openunison
    RequiredClaims: null
    Status: ACTIVE
    Tags: {}
    Type: oidc
    UsernameClaim: sub
    UsernamePrefix: -

with enable_impersonation: false set in the Helm Release.
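The prefix rule quoted from the AWS docs, applied to the identity provider config printed above, as an added example (not OpenUnison's or EKS's own code). It models how the API server derives the user and group names it hands to RBAC from a token's claims; the token claims and the RoleBinding subject name are constructed for illustration.

```python
"""Model of the OIDC username/group prefix rule: unset prefix defaults to
'issuer#' unless the username claim is 'email'; '-' disables prefixing."""
from typing import Dict, List, Optional, Tuple

# Constructed claims resembling a token from the thread's OpenUnison IdP.
SAMPLE_CLAIMS = {
    "iss": "https://ou.some.cluster/auth/idp/k8sIdp",
    "sub": "fbuchmeier@example.com",
    "email": "fbuchmeier@example.com",
    "groups": ["some_administrators"],
}

# The EKS identity provider config from the thread (UsernamePrefix set to "-").
EKS_CONFIG: Dict[str, Optional[str]] = {
    "IssuerURL": "https://ou.some.cluster/auth/idp/k8sIdp",
    "UsernameClaim": "sub",
    "UsernamePrefix": "-",
    "GroupsClaim": "groups",
    "GroupsPrefix": None,
}


def resolve_username_prefix(prefix: Optional[str], claim: str, issuer_url: str) -> str:
    """Effective prefix per the documented rule. Groups have no such default."""
    if prefix == "-":
        return ""
    if prefix is None:
        return "" if claim == "email" else issuer_url + "#"
    return prefix


def map_identity(claims: dict, config: dict) -> Tuple[str, List[str]]:
    """Return (user, groups) as the API server would present them to RBAC.
    system:authenticated is appended by the API server itself, not modelled here."""
    issuer = config["IssuerURL"]
    if claims.get("iss") != issuer:
        raise ValueError("token issuer does not match the configured IssuerURL")
    username_claim = config.get("UsernameClaim") or "sub"
    prefix = resolve_username_prefix(config.get("UsernamePrefix"), username_claim, issuer)
    user = prefix + str(claims[username_claim])
    groups: List[str] = []
    groups_claim = config.get("GroupsClaim")
    if groups_claim and groups_claim in claims:
        raw = claims[groups_claim]
        group_prefix = config.get("GroupsPrefix") or ""
        groups = [group_prefix + g for g in (raw if isinstance(raw, list) else [raw])]
    return user, groups


def matches_rbac_subject(user: str, subject_name: str) -> bool:
    """True if a RoleBinding subject of kind User with this exact name applies."""
    return user == subject_name
```

Running `map_identity(SAMPLE_CLAIMS, dict(EKS_CONFIG, UsernamePrefix=None))` reproduces the `issuer#username` form from the first `kubectl whoami` output, which is why a RoleBinding on the bare email stops matching until the prefix is disabled.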

mlbiam commented 1 year ago

EKS automatically uses this usernamePrefix when the username differs from the email address, see the AWS API docs:

This is how Kubernetes works generally, not just EKS. When OIDC was first built into Kubernetes it was assumed that your API server would support multiple identity providers so they wanted a way to differentiate identity sources. The developers assumed an email address would do that via the domain.