arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Reject user as 403 if not part of a oidc connector group #29

Closed rvirdiz closed 4 years ago

rvirdiz commented 4 years ago

Hi @yanniszark

I am using this service for the multi-tenancy feature in Kubeflow, as oidc-authservice is used for authentication in the Kubeflow dex+istio deployment. I recently came across an issue or bug when using dex with LDAP as an OIDC connector.

Following are my dex logs when the user enters authentication info on the oidc-authservice login page, which is configured using the following example: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md#example-searching-a-active-directory-server-with-groups

time="2020-06-15T19:40:55Z" level=info msg="performing ldap search ou=users,dc=example,dc=com sub (&(objectClass=posixAccount)(uid=myldapuser))"
time="2020-06-15T19:40:55Z" level=info msg="username \"myldapuser\" mapped to entry uid=myldapuser,ou=users,dc=example,dc=com"
time="2020-06-15T19:40:55Z" level=info msg="performing ldap search cn=kubeflow,ou=groups,dc=example,dc=com sub (&(objectClass=posixGroup)(memberUid=myldapuser))"
time="2020-06-15T19:40:55Z" level=info msg="login successful: connector \"ldap\", username=\"LDAP_user\", preferred_username=\"\", email=\"myldapuser@example.com\", groups=[\"kubeflow\"]"

Here, dex performs a user search with the groupSearch filter, which allows user "myldapuser" to log in if they are part of the LDAP group "kubeflow". But even if the user is not part of any group matched by the LDAP search filter (groups=[]), it still allows the user to log in. Ideally this should not happen if the user is not part of a group. Is there any way in oidc-authservice to whitelist user groups, or to reject the access request, as per the blog you posted? https://journal.arrikto.com/kubeflow-authentication-with-istio-dex-5eafdfac4782

Will be looking forward to your reply. Thanks.

yanniszark commented 4 years ago

Hi @rvirdiz, thanks for your interest! The AuthService is about authentication, i.e. getting a user's identity (uid, groups, etc.). Allowing/denying access based on this identity (e.g., if the user is a member of a group) is authorization and is not covered by the AuthService. You may want to look into https://github.com/kubeflow/kubeflow/issues/4188, which tracks group support in Kubeflow.

Another option we may pursue in the future is to make this identity available to Istio as well and enable you to use an Istio AuthorizationPolicy for this. Closing this issue, as authorization is something we'd like to keep out of the AuthService.
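The split the maintainer describes (the AuthService establishes identity, a separate layer decides access) can be illustrated with a small group-allowlist check placed behind the authentication step. The following Go program is an added example written for this page; it is not code from oidc-authservice or Kubeflow. It assumes the identity reaches the protected service in two request headers, a user-id header and a comma-separated groups header (the header names `kubeflow-userid` and `kubeflow-groups` are assumptions here, not something the thread confirms), and it returns 403 exactly in the case raised above: an authenticated user whose groups list is empty or contains no allowed group.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header names are assumptions for this example. In a real deployment the
// component that authenticates the user must set these, and the edge must strip
// any client-supplied copies, or the check below can be bypassed.
const (
	userIDHeader = "kubeflow-userid"
	groupsHeader = "kubeflow-groups"
)

// hasAllowedGroup reports whether any entry of the comma-separated groups
// header value is in the allowed set. An empty value (groups=[]) yields false.
func hasAllowedGroup(raw string, allowed map[string]struct{}) bool {
	for _, g := range strings.Split(raw, ",") {
		g = strings.TrimSpace(g)
		if g == "" {
			continue
		}
		if _, ok := allowed[g]; ok {
			return true
		}
	}
	return false
}

// GroupAllowlist is an authorization middleware: it assumes authentication has
// already happened and only decides whether the identity may proceed.
//   - no user id header  -> 401 (identity was never established)
//   - no allowed group   -> 403 (authenticated, but not authorized)
//   - otherwise          -> pass to the next handler
func GroupAllowlist(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, g := range allowed {
		set[strings.TrimSpace(g)] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(userIDHeader) == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !hasAllowedGroup(r.Header.Get(groupsHeader), set) {
			http.Error(w, "forbidden: not a member of an allowed group", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Decide runs a constructed request through the middleware and returns the
// resulting HTTP status, so the policy can be exercised without a server.
func Decide(userID, groups string, allowed []string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := GroupAllowlist(allowed, ok)
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if userID != "" {
		req.Header.Set(userIDHeader, userID)
	}
	if groups != "" {
		req.Header.Set(groupsHeader, groups)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	allowed := []string{"kubeflow"}
	// Constructed identities mirroring the dex log above: a member of "kubeflow",
	// the same user with groups=[], and a request with no identity at all.
	fmt.Println(Decide("myldapuser@example.com", "kubeflow", allowed)) // 200
	fmt.Println(Decide("myldapuser@example.com", "", allowed))         // 403
	fmt.Println(Decide("", "", allowed))                               // 401
}
```

The distinction between 401 and 403 is the point of the example: the first means identity is missing, which is the AuthService's job to supply; the second means identity is present and the policy rejected it, which is the job of whatever authorization layer sits after it (a middleware like this one, or an Istio AuthorizationPolicy once the identity is exposed to the mesh).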

rvirdiz commented 4 years ago

Thanks @yanniszark for the response. I will check whether it is possible to achieve the same in dex. https://github.com/dexidp/dex/issues/1752