argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0

Allow string for "groups" in OIDC claims #7627

Open ogibayashi opened 2 years ago

ogibayashi commented 2 years ago

Summary

Currently Argo Workflows only accepts an array of strings for the groups field from the OIDC provider. https://github.com/argoproj/argo-workflows/blob/95cd467c7e75c38548bf42a5f3c940ac61568e4b/server/auth/types/claims.go#L13

So, the OIDC provider needs to provide groups like this:

 "groups": ["user"]

But I'd like Argo Workflows to accept a string value as well.

  "groups": "user"

Use Cases

Our OIDC provider returns a string value as groups if the user only belongs to one group. When I searched, I could not find any standard schema definition of claims, so string groups is still possible. Also, I found a similar issue in the Kubernetes repository which was accepted. https://github.com/kubernetes/kubernetes/pull/33332


Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

alexec commented 2 years ago

What provider does this please?

ogibayashi commented 2 years ago

Hi. We are using PingFederate.

alexec commented 2 years ago

Do you have any docs on how their groups work please?

ogibayashi commented 2 years ago

Sorry for my late reply. Actually, I'm just a user of the OIDC provider and not familiar with the internals. It sets a list of the user's privileges as the groups field, like "groups": ["priv1", "priv2"], but if the user has only one privilege, the groups will be a string value like "groups": "priv1". I want Argo Workflows to accept this case.

alexec commented 2 years ago

Let's see how many votes this issue gets.

umi0410 commented 11 months ago

Is there any progress on the discussion about this issue?

Hronom commented 8 months ago

Same here, provider JumpCloud.

Maintainers, please help=) you are the only hope now!

I know the JumpCloud provider is doing a bad thing; it should always send a stable array even if it has a single value.

Please, can Argo Workflows add support for such bad providers?

Just for reference, this is what the error looks like in the logs:

{"error":"json: cannot unmarshal string into Go struct field claimAlias.groups of type []string","level":"error","msg":"failed to get claims from the id token","time":"2023-10-19T21:40:35.919Z"}

Hronom commented 8 months ago

@alexec please add some fix =) We are on version 3.5.0.
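
The log line quoted in this thread is Go's encoding/json refusing a JSON string where the target field is a []string. One way a claims type could accept both shapes while still rejecting anything else, as an added example that is not Argo Workflows' own code; the names `Groups`, `Claims` and `ParseClaims`, the sample payloads, and the choice to treat an empty string as no groups are assumptions of this example:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Groups is a hypothetical type (not from the Argo Workflows code base) that
// decodes the "groups" claim from a JSON string or an array of strings.
type Groups []string

func (g *Groups) UnmarshalJSON(data []byte) error {
	var many []string
	if err := json.Unmarshal(data, &many); err == nil {
		*g = many // usual case: array of strings (JSON null yields nil)
		return nil
	}
	var one string
	if err := json.Unmarshal(data, &one); err != nil {
		// Numbers, objects, mixed arrays: fail closed instead of guessing.
		return fmt.Errorf("groups must be a string or an array of strings: %w", err)
	}
	if one == "" {
		*g = nil // assumption: an empty string means "no groups"
		return nil
	}
	*g = Groups{one}
	return nil
}

// Claims is a constructed subset of ID token claims for this example.
type Claims struct {
	Subject string `json:"sub"`
	Groups  Groups `json:"groups,omitempty"`
}

// ParseClaims decodes a JSON claims payload.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	err := json.Unmarshal(payload, &c)
	return c, err
}

func main() {
	// Constructed sample payloads: array, bare string, and an invalid type.
	for _, p := range []string{`{"sub":"u1","groups":["priv1","priv2"]}`, `{"sub":"u2","groups":"priv1"}`, `{"sub":"u3","groups":42}`} {
		c, err := ParseClaims([]byte(p))
		fmt.Printf("%s -> groups=%q err=%v\n", p, []string(c.Groups), err)
	}
}
```

Because group membership usually drives RBAC decisions, the decoder returns an error for any other JSON type rather than coercing it into a group name.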