arkime / arkime

Arkime is an open source, large scale, full packet capturing, indexing, and database system.
https://arkime.com
Apache License 2.0

OIDC role mapping #2915

Open tomjones1977 opened 3 weeks ago

tomjones1977 commented 3 weeks ago

Is your feature request related to a problem? Please describe.
Currently when configuring OIDC sign-in with userAutoCreateTmpl= the account is created with standard roles regardless of the user.

Describe the solution you'd like
When signing in via OIDC, mapping roles to Arkime roles happens within the user template.

For example, an OIDC role arkime-admins maps to superAdmin, analyst maps to arkimeUser, etc.

Describe alternatives you've considered
While the mapping could be done manually, this removes the SSO advantage of having roles mapped in a single location (the IdP).

Additional context
N/A

awick commented 3 weeks ago

So you could do it in the userAutoCreateTmpl at create time, but I think you are asking for it to update on every sign-on in case the role changes? Is that right?

Could you provide a sample of what your OIDC object looks like? Would the role field name need to be changeable, or is it the same for all OIDC implementations?

tomjones1977 commented 3 weeks ago

Below is a redacted example token that is returned from the IdP. The roles are presented under realm_access.roles as a list.

Ideally this list would be checked to map the roles for the user on login. This would mean that the IdP could have a central set of roles/groups that enable RBAC, and the roles are enforced on login through the token contents.

{
  "exp": 1724062294,
  "iat": 1724061994,
  "jti": "b9546ee6-416e-4226-ba09-06a9ceea8171",
  "iss": "https://keycloak.example.private/realms/example.private",
  "sub": "5277c950-47d9-46e5-930e-b1c935e2fe51",
  "typ": "Bearer",
  "azp": "viewer",
  "sid": "2ce5a0b4-ff79-44f6-919a-dea23493db45",
  "acr": "1",
  "allowed-origins": [
    "https://viewer.example.private"
  ],
  "realm_access": {
    "roles": [
      "zabbix-admin",
      "gitlab-admin",
      "admin",
      "arkime-admin",
      "ipausers"
    ]
  },
  "scope": "openid email profile",
  "email_verified": true,
  "name": "SSO Admin Admin",
  "preferred_username": "sso-admin",
  "given_name": "SSO Admin",
  "family_name": "Admin",
  "email": "sso-admin@example.private"
}
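
As an added example (not code from Arkime or from either participant in this thread), the following sketches the login-time mapping requested above: read the IdP roles from a configurable claim path in the decoded token, translate them to Arkime roles, and rewrite the stored user record. The role names superAdmin and arkimeUser and the realm_access.roles claim come from the thread; the config shape, the dotted claim path (so the field name can differ per IdP, as asked above), the function names and the second, demoted token are assumptions constructed for the example.

```javascript
// Added example, not Arkime's code: map IdP roles carried in an OIDC token to
// Arkime roles at login time. superAdmin/arkimeUser are the role names used in
// the issue; the config shape, claim path and helper names are assumptions.

// Assumed config: which claim holds the IdP roles, how each IdP role maps to an
// Arkime role, and what a user gets when nothing matches.
const oidcRoleConfig = {
  rolesClaim: 'realm_access.roles', // dotted path, so a different IdP can use another field
  roleMap: {
    'arkime-admin': 'superAdmin',
    analyst: 'arkimeUser',
  },
  defaultRoles: ['arkimeUser'],
};

// Walk a dotted path such as "realm_access.roles" through the decoded token.
// Returns undefined if any segment is missing instead of throwing.
function getClaim(token, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), token);
}

// Compute the Arkime roles a token entitles the user to: a sorted, de-duplicated
// array. IdP roles with no mapping are ignored; a missing or malformed claim
// yields the defaults rather than anything derived from a partial token.
function mapOidcRoles(token, config) {
  const idpRoles = getClaim(token, config.rolesClaim);
  if (!Array.isArray(idpRoles)) {
    return [...config.defaultRoles].sort();
  }
  const mapped = new Set();
  for (const role of idpRoles) {
    if (typeof role === 'string' && Object.prototype.hasOwnProperty.call(config.roleMap, role)) {
      mapped.add(config.roleMap[role]);
    }
  }
  if (mapped.size === 0) {
    config.defaultRoles.forEach((r) => mapped.add(r));
  }
  return [...mapped].sort();
}

// Replace the stored roles on every login so they follow the IdP. The record
// keeps whatever it last received: a periodic query/hunt that runs while the
// user is logged out sees that stale value, which is the caveat raised below.
function syncRolesAtLogin(userRecord, token, config, now) {
  return { ...userRecord, roles: mapOidcRoles(token, config), lastRoleSync: now };
}

// The redacted token posted in this issue, trimmed to the claims that matter here.
const adminToken = {
  sub: '5277c950-47d9-46e5-930e-b1c935e2fe51',
  preferred_username: 'sso-admin',
  realm_access: {
    roles: ['zabbix-admin', 'gitlab-admin', 'admin', 'arkime-admin', 'ipausers'],
  },
};

// Constructed token for the same user after arkime-admin was removed at the IdP.
const demotedToken = { ...adminToken, realm_access: { roles: ['analyst', 'ipausers'] } };

// Usage: first login grants superAdmin; the next login after the IdP change
// drops it. Between those two logins the stored record still says superAdmin.
let record = syncRolesAtLogin({ userId: 'sso-admin', roles: [] }, adminToken, oidcRoleConfig, 'login-1');
record = syncRolesAtLogin(record, demotedToken, oidcRoleConfig, 'login-2');
```

Because the mapping is recomputed only when a token is presented, demotion at the IdP takes effect on the user's next login and not before; anything Arkime runs on the user's behalf in the meantime uses the stored roles.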

awick commented 3 weeks ago

OK, update at login seems fine; however, periodic queries/hunts would potentially use whatever the last value was, since those happen when the user isn't logged in. ex:

tomjones1977 commented 3 weeks ago

How would that scenario play out in a manual role edit of a user, i.e. the way it's currently managed?

awick commented 3 weeks ago

Since Arkime would be the authoritative source, it would work as expected.

tomjones1977 commented 2 weeks ago

Could the query role update and fail when the user next logs in?

awick commented 2 weeks ago

I don't think there is any standard way. Basically, if you want to demote a user, you'll still need to use the Arkime users page if they don't log in often.