TremoloSecurity / kube-oidc-proxy

Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
https://openunison.github.io/
Apache License 2.0

Having authentication issue when users exceed 200 groups when using Azure OIDC #52

Closed saiharshitach closed 3 weeks ago

saiharshitach commented 3 months ago

We are on the latest version in EKS 1.29

Error: Authenticated request failed: oidc: could not expand distributed claims: while getting distributed claim "groups": error while getting distributed claim JWT: 401 Unauthorized

Decoded JWT token:

"_claim_names": { "groups": "src1" }, "_claim_sources": { "src1": { "endpoint": "https://azure endpoint/getMemberObjects" } },

saiharshitach commented 2 months ago

Any help on this is greatly appreciated. We are kind of stuck when users are part of more than 200 groups, since the token doesn't directly give the groups.

mlbiam commented 2 months ago

Sorry for the delay. When you say more than 200 groups doesn't work, are the groups past 200 not present, or is kube-oidc-proxy ignoring them?

What's generating the token?

saiharshitach commented 2 months ago

We integrated kube-oidc with Azure and we use kubelogin to authenticate and generate the JWT token. The JWT token of Azure has a limitation where, after the user is part of 200 groups, it doesn't include the groups in the token but instead adds the URL which needs to be referred to in order to get a complete list, like the claim sources above. This is done by them to reduce the token size, but kube-oidc doesn't recognize this pattern and gives a 403.

So right now, even if the user has access to the cluster, if the user is part of more than 200 groups the validation isn't done and they cannot log in to the cluster.
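
The token layout described in this thread (groups deferred via `_claim_names` and `_claim_sources`, the OIDC Core 1.0 distributed-claims form) as an added worked example, not code from this issue, kube-oidc-proxy, or OpenUnison. It parses a decoded token, detects when `groups` has been deferred to an endpoint, and fails closed unless the caller injects a credentialed lookup, which is the behaviour a consumer without directory credentials should have instead of attempting the fetch and getting a 401. The sample tokens, the `example.invalid` endpoint and the `lookup` callback are constructed for the demo.

```python
import base64
import json
from typing import Callable, List, Optional


class GroupsUnresolvable(Exception):
    """The token defers `groups` to an endpoint this component cannot query."""


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. Signature verification is assumed to
    have already happened upstream; this only parses the middle segment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def overage_source(claims: dict) -> Optional[dict]:
    """Return the `_claim_sources` entry that `groups` is deferred to, or None
    when the token does not use distributed claims for groups."""
    src_name = (claims.get("_claim_names") or {}).get("groups")
    if src_name is None:
        return None
    src = (claims.get("_claim_sources") or {}).get(src_name)
    if not isinstance(src, dict) or "endpoint" not in src:
        raise ValueError(f"_claim_names.groups -> {src_name!r} has no usable source")
    return src


def resolve_groups(claims: dict,
                   lookup: Optional[Callable[[str, dict], List[str]]] = None) -> List[str]:
    """Return the user's groups.

    * `groups` present in the token (the usual, under-the-limit case): use it.
    * `groups` deferred via `_claim_names`/`_claim_sources`: call the injected
      `lookup(subject, source)` if the caller supplied one; otherwise raise so
      the caller denies instead of authorising against an empty group list.
    """
    if "groups" in claims:
        return list(claims["groups"])
    src = overage_source(claims)
    if src is None:
        return []  # token carries no group information at all
    if lookup is None:
        raise GroupsUnresolvable(
            f"groups deferred to {src['endpoint']}; no credential is available "
            "for that endpoint, so group-based authorisation cannot proceed")
    return list(lookup(claims.get("sub", ""), src))


# --- constructed sample input (demo only; unsigned tokens, not real Azure output) ---

def make_demo_token(claims: dict) -> str:
    """Build an unsigned compact JWS so the parser has realistic input offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SMALL_TOKEN = make_demo_token({
    "sub": "user-under-limit", "groups": ["team-a", "team-b"]})

OVERAGE_TOKEN = make_demo_token({
    "sub": "user-over-limit",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {
        "endpoint": "https://example.invalid/getMemberObjects"}},  # placeholder URL
})


def demo() -> dict:
    """Run both cases; the overage token resolves only through an injected lookup."""
    small = resolve_groups(decode_jwt_payload(SMALL_TOKEN))
    over = decode_jwt_payload(OVERAGE_TOKEN)
    try:
        resolve_groups(over)
        unresolved = False
    except GroupsUnresolvable:
        unresolved = True
    # The lookup below stands in for a credentialed directory query (the kind
    # an IdP proxy would perform) and returns a constructed group list.
    with_lookup = resolve_groups(over, lookup=lambda sub, src: ["team-c", "team-d"])
    return {"small": small, "overage_fails_closed": unresolved, "with_lookup": with_lookup}


if __name__ == "__main__":
    print(demo())
```

The injection point is the design choice: whatever resolves the deferred claim must hold a credential for the directory endpoint, which is why the thread steers that work to an identity-provider proxy that can mint a token with the full group list rather than to the API-server proxy.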

mlbiam commented 2 months ago

azure has a limitation where post the user is part of 200 groups

Yes. kube-oidc-proxy wouldn't be the correct place to implement this logic. You can either ask kubelogin to implement this functionality or look at OpenUnison, which does this for you - https://openunison.github.io/identity%20providers/azuread/ You'll want to use the latest beta image for 1.0.41, where we implemented the plus 200 groups functionality (https://github.com/TremoloSecurity/OpenUnison/issues/890#issuecomment-2153343836). It will automatically integrate kube-oidc-proxy for you, so you don't need a separate deployment of it.

saiharshitach commented 2 months ago

Looks like kubelogin cannot modify the JWT, and changing it will break the checksum and the validation. Is there any way we can put this fix in oidc?

mlbiam commented 2 months ago

Looks like kubelogin cannot modify the JWT, and changing it will break the checksum and the validation. Is there any way we can put this fix in oidc?

This isn't the right way to handle it. You need to use an IdP proxy, like OpenUnison, to look up the groups. kube-oidc-proxy isn't designed to do this type of lookup.