goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

can't use group members with OIDC Google #20719

Open fatsolko opened 3 months ago

fatsolko commented 3 months ago

I created OIDC authentication with Google and added a user in Google to the group devops.

After adding the group member to the project, I expected the user to have access to the project docker, but it doesn't work; I only see the public project.

UPD: log when I set Group Claim Name to groups:

2024-07-10T07:10:23Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[email:some@py.com email_verified:true family_name:some given_name:some hd:py.com name:some picture:https://lh3.googleusercontent.com/a/ACg8ocKi_Ub65nJIOAbVEu3AUSNWpEC7pHeI=s96-c sub:11286363274952], groups claims key: groups

What am I doing wrong?

fatsolko commented 3 months ago

I think the main problem is not being able to get groups from Google account. I don't know which scope should work and how to add that scope to the Harbor.

stonezdj commented 3 months ago

You should set the Group Claim Name

Group Claim Name: The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor.

see: https://goharbor.io/docs/edge/administration/configure-authentication/oidc-auth/#configure-an-oidc-provider-in-harbor

fatsolko commented 3 months ago

> You should set the Group Claim Name
>
> Group Claim Name: The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor.
>
> see: https://goharbor.io/docs/edge/administration/configure-authentication/oidc-auth/#configure-an-oidc-provider-in-harbor

Yes, but Google does not provide group scope info. For example, here is the log when I set Group Claim Name to groups:

2024-07-10T07:10:23Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[email:some@py.com email_verified:true family_name:some given_name:some hd:py.com name:some picture:https://lh3.googleusercontent.com/a/ACg8ocKi_Ub65nJIOAbVEu3AUSNWpEC7pHeI=s96-c sub:11286363274952], groups claims key: groups
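An added example, not code from Harbor or from anyone in this thread, showing the lookup that the Group Claim Name setting drives: it decodes a constructed copy of the claims from the log above and reports why no group can be read from them, and succeeds on a constructed token that does carry a `groups` claim. The function and constant names are assumptions of this example, not Harbor's.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrNoGroupClaim: the configured group claim key is absent from the token,
// which is the condition behind Harbor's "Unable to get groups from claims" warning.
var ErrNoGroupClaim = errors.New("group claim not present in token claims")

// Constructed sample: the claims Google returned in the issue's log (no "groups" key).
const GoogleClaimsJSON = `{"email":"some@py.com","email_verified":true,"family_name":"some",
"given_name":"some","hd":"py.com","name":"some","sub":"11286363274952"}`

// Constructed sample: a provider configured to emit a custom group claim named "groups".
const GroupsClaimsJSON = `{"email":"some@py.com","sub":"11286363274952","groups":["devops","qa"]}`

// ParseClaims decodes the JSON claims body of an ID token or userinfo response.
func ParseClaims(doc string) (map[string]any, error) {
	var claims map[string]any
	if err := json.Unmarshal([]byte(doc), &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return claims, nil
}

// GroupsFromClaims looks up claimKey (Harbor's "Group Claim Name" setting) and returns
// the group names it lists; a missing key, a non-array value or a non-string element
// is reported as an error instead of silently mapping the user to no group.
func GroupsFromClaims(claims map[string]any, claimKey string) ([]string, error) {
	raw, ok := claims[claimKey]
	if !ok {
		return nil, fmt.Errorf("%w: key %q not among %d claims", ErrNoGroupClaim, claimKey, len(claims))
	}
	list, ok := raw.([]any)
	if !ok {
		return nil, fmt.Errorf("claim %q is %T, expected an array of strings", claimKey, raw)
	}
	groups := make([]string, 0, len(list))
	for i, v := range list {
		s, ok := v.(string)
		if !ok || s == "" {
			return nil, fmt.Errorf("claim %q element %d is %T, expected a non-empty string", claimKey, i, v)
		}
		groups = append(groups, s)
	}
	return groups, nil
}
```

Run it against the decoded claims of a real token from your provider to check that the claim name you configured is actually present and array-valued before expecting Harbor's group mapping to work.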

github-actions[bot] commented 1 month ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

mmonaco commented 1 month ago

I think you have three problems:

  1. You'd want the full group name: devops@????.
  2. The scope should have https://www.googleapis.com/auth/cloud-identity.groups.readonly
  3. Discussed in https://github.com/goharbor/harbor/issues/13609, support for google groups seems to be broken in Harbor, possibly because scopes that are a full URL (instead of a simple string) are broken.

webertrlz commented 1 month ago

This is a real, old issue; is there any expectation to fix it?