Open ogibayashi opened 2 years ago
What provider does this please?
Hi. We are using PingFederate.
Do you have any docs on how their groups work please?
Sorry for my late reply. Actually, I'm just a user of the OIDC provider and not familiar with the internals.
It sets a list of the user's privileges as the groups field, like "groups": ["priv1", "priv2"], but if the user has only one privilege, groups will be a string value like "groups": "priv1". I want Argo Workflows to accept this case.
Let's see how many votes this issue gets.
Is there any progress on the discussion about this issue?
Same here, provider JumpCloud.
Maintainers, please help=) you are the only hope now!
I know the JumpCloud provider is doing a bad thing; it should always send a stable array even if it has a single value.
Please, can Argo Workflows add support for such bad providers?
Just for reference, this is what the error looks like in the logs:
{"error":"json: cannot unmarshal string into Go struct field claimAlias.groups of type []string","level":"error","msg":"failed to get claims from the id token","time":"2023-10-19T21:40:35.919Z"}
@alexec please add some fix=) We are on 3.5.0 version
Summary
Currently Argo Workflows only accepts an array of strings for the groups field from the OIDC provider. https://github.com/argoproj/argo-workflows/blob/95cd467c7e75c38548bf42a5f3c940ac61568e4b/server/auth/types/claims.go#L13
So, the OIDC provider needs to provide groups like this:
But I'd like Argo Workflows to accept a string value as well.
Use Cases
Our OIDC provider returns a string value as groups if the user only belongs to one group. As far as I searched, I could not find any standard schema definition of claims, so a string groups is still possible. Also, I found a similar issue in the kubernetes repository which was accepted. https://github.com/kubernetes/kubernetes/pull/33332
Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
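One way to accept both shapes of the groups claim described in this issue, as an added example (not Argo Workflows' code and not the code from the linked Kubernetes pull request). The GroupList type, the claims struct and parseGroups are hypothetical names, and the payloads in main are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// GroupList (hypothetical name) accepts the "groups" claim either as a JSON
// array of strings or as a single JSON string.
type GroupList []string

func (g *GroupList) UnmarshalJSON(data []byte) error {
	var many []string
	if err := json.Unmarshal(data, &many); err == nil {
		*g = many // array form; JSON null also lands here as a nil list
		return nil
	}
	var one string
	if err := json.Unmarshal(data, &one); err != nil {
		// Numbers, objects and mixed arrays: fail closed instead of guessing.
		return fmt.Errorf("groups claim must be a string or an array of strings")
	}
	// Keep the string whole: splitting on "," or " " could invent memberships.
	*g = GroupList{one}
	return nil
}

// claims is a minimal stand-in for the ID token claims used in this example.
type claims struct {
	Subject string    `json:"sub"`
	Groups  GroupList `json:"groups,omitempty"`
}

// parseGroups decodes a claims payload and returns the normalized group list.
func parseGroups(payload []byte) ([]string, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return c.Groups, nil
}

func main() {
	// Constructed sample payloads, not captured from any provider.
	for _, p := range []string{`{"groups":["priv1","priv2"]}`, `{"groups":"priv1"}`, `{"groups":7}`} {
		g, err := parseGroups([]byte(p))
		fmt.Printf("%-32s -> %q err=%v\n", p, g, err)
	}
}
```

A single string is never split, so a value such as "priv1,admin" stays one group name and cannot be read as membership of "admin".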