goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

JumpCloud OIDC integration: Unable to get groups from claims #20779

Closed ujala-singh closed 1 month ago

ujala-singh commented 1 month ago

How can we help you?

I have deployed Harbor version v2.11.0 in Kubernetes and integrated it with JumpCloud (JumpCloud as an OIDC provider); authentication works fine.

Integration with JumpCloud: https://jumpcloud.com/support/sso-with-oidc

JumpCloud's Groups authorization is not working in Harbor with OIDC integration.

In the harbor-core pod I see the following logs:

2024-07-26T11:43:06Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[at_hash:nc0_xaILAabfQvwLcNLA6A aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721994184e+09 email:ujala.singh@atlan.dev email_verified:true exp:1.721997786e+09 firstname:Ujala iat:1.721994186e+09 iss:https://oauth.id.jumpcloud.com/ jti:6041f69a-f470-4566-885a-b56e80756fbe lastname:Singh memberOf:Harbor Admin rat:1.721994178e+09 sid:20bf1d08-8ce5-4c0e-8d84-efd47752a90b sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-26T11:43:06Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721994184e+09 email:ujala.singh@atlan.dev email_verified:true firstname:Ujala iat:1.721994185e+09 iss:https://oauth.id.jumpcloud.com/ lastname:Singh memberOf:Harbor Admin rat:1.721994178e+09 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-26T11:44:51Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[at_hash:FPW3U40sJkdKCXF5SZa-AA aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721994289e+09 email:ujala.singh@atlan.dev email_verified:true exp:1.721997891e+09 fullname:Ujala Singh iat:1.721994291e+09 iss:https://oauth.id.jumpcloud.com/ jti:9c7f5c95-3d97-4efa-be37-2b63ecabf57f memberOf:Harbor Admin rat:1.721994287e+09 sid:edfe2530-6060-4bea-a5ef-3e8eb9209d4e sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-26T11:44:51Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721994289e+09 email:ujala.singh@atlan.dev email_verified:true fullname:Ujala Singh iat:1.72199429e+09 iss:https://oauth.id.jumpcloud.com/ memberOf:Harbor Admin rat:1.721994287e+09 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-26T11:46:26Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[at_hash:0PEpDUMFTJFKtoB8AIyocA aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721994384e+09 email:ujala.singh@atlan.dev email_verified:true exp:1.721997986e+09 fullname:Ujala Singh iat:1.721994386e+09 iss:https://oauth.id.jumpcloud.com/ jti:6d2aea7e-80ba-4361-8367-c633a64b2f15 memberOf:Harbor Admin rat:1.721994382e+09 sid:8955fe65-ec5e-48ad-9b70-1ca7101bab62 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-26T11:46:26Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721994384e+09 email:ujala.singh@atlan.dev email_verified:true fullname:Ujala Singh iat:1.721994385e+09 iss:https://oauth.id.jumpcloud.com/ memberOf:Harbor Admin rat:1.721994382e+09 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-26T12:00:19Z [INFO] [/pkg/task/dao/execution.go:507]: scanned out 2 executions with outdate status, refresh status to db
2024-07-26T12:00:19Z [INFO] [/pkg/task/dao/execution.go:548]: refresh outdate execution status done, 2 succeed, 0 failed
2024-07-26T12:05:34Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[at_hash:QC925t-HgqUFvJSQCugZMw aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721995532e+09 email:ujala.singh@atlan.dev email_verified:true exp:1.721999134e+09 fullname:Ujala Singh iat:1.721995534e+09 iss:https://oauth.id.jumpcloud.com/ jti:e7d1e5c6-05c3-488a-9e90-64d89de35257 memberOf:Harbor Admin rat:1.721995528e+09 sid:170cdb54-0cd3-47b2-b298-c03cda8f4b83 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: memberOf
2024-07-26T12:05:34Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.721995532e+09 email:ujala.singh@atlan.dev email_verified:true fullname:Ujala Singh iat:1.721995533e+09 iss:https://oauth.id.jumpcloud.com/ memberOf:Harbor Admin rat:1.721995528e+09 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: memberOf

How the OIDC configuration looks in Harbor:

[Screenshot: Harbor OIDC configuration, 2024-07-26]

Please let me know in case any further information is needed.

Kajot-dev commented 1 month ago

This is a misconfiguration on your side. Harbor expects groups to be in the "groups" claim (this is configurable), but there is none. Judging by the logs, you should set the groups claim name in the Harbor settings to "memberOf".

Kajot-dev commented 1 month ago

And the groups claim should be a list. Can you provide the raw JSON of the claim without the secret values?

ujala-singh commented 1 month ago

I tried with this harbor config:

[Screenshot: Harbor OIDC configuration, 2024-07-27]

Below is my OIDC Config on JumpCloud:

[Screenshot: JumpCloud OIDC application configuration, 2024-07-27]

If I keep the group attribute as memberOf, it fails with the below error:

2024-07-27T16:53:57Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[at_hash:2hjz6ZvGBNOhUIKVjKstNQ aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.722099234e+09 email:ujala.singh@atlan.dev email_verified:true exp:1.722102837e+09 fullname:Ujala Singh iat:1.722099237e+09 iss:https://oauth.id.jumpcloud.com/ jti:2df8caa0-f27d-4ac6-8279-d3ef0bc874a1 memberOf:Harbor Admin rat:1.722099227e+09 sid:d86086f0-a14e-49de-aae1-204341795a2c sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-27T16:53:57Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.722099234e+09 email:ujala.singh@atlan.dev email_verified:true fullname:Ujala Singh iat:1.722099236e+09 iss:https://oauth.id.jumpcloud.com/ memberOf:Harbor Admin rat:1.722099227e+09 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups

And if I keep the group attribute as groups, even authentication is failing:

2024-07-27T16:47:43Z [ERROR] [/lib/http/error.go:57]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"json: cannot unmarshal string into Go struct field UserInfo.groups of type []string"}]}

On the JumpCloud side I have created four groups, the same as on Harbor, mentioned below:

[Screenshot: JumpCloud groups, 2024-07-26]

As soon as I assign the user to any of these groups on the JumpCloud side, it passes its value in the group attribute in the request.

Kajot-dev commented 1 month ago

In the first image (harbor settings) you have "groups" as groups claim in the Harbor settings.

In the second image (sso settings) you have "memberOf" as the groups claim.

These values must match.

Kajot-dev commented 1 month ago

About the Go error: Harbor expects the groups claim to be a list of strings (since a user may belong to 0..n groups), but the SSO only provides a single string attribute.

ujala-singh commented 1 month ago

I made it work by ensuring the user is associated with at least two groups on the JumpCloud OIDC Provider side. This is because JumpCloud does not translate the groups attribute as a list when the user is part of only a single group in the Harbor application.
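As an added example (not Harbor's own code) of the two failure modes discussed above: a plain []string field rejects a bare-string groups claim with the same class of error as the log on the JumpCloud side, while a tolerant claim type accepts either a string or an array. The claim constants are constructed from the shapes seen in the logs, and StringOrList, parseStrict and parseTolerant are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed claims modelled on the issue's logs (not real tokens): JumpCloud
// sends "memberOf" as a bare string for one group and as an array for two+.
const singleGroupClaims = `{"sub":"example-sub","memberOf":"Harbor Admin"}`
const multiGroupClaims = `{"sub":"example-sub","memberOf":["Harbor Admin","Harbor Dev"]}`
// StringOrList is a hypothetical tolerant claim type: it accepts a JSON
// string, an array of strings, or null, and always yields a []string.
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*s = nil // absent/null claim means "no groups", not an error
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = StringOrList{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("groups claim must be a string or array of strings: %w", err)
	}
	*s = StringOrList(many)
	return nil
}

// parseStrict mirrors a plain []string field and reproduces the issue's error.
func parseStrict(raw string) ([]string, error) {
	var u struct {
		Groups []string `json:"memberOf"`
	}
	err := json.Unmarshal([]byte(raw), &u)
	return u.Groups, err
}
// parseTolerant decodes the same claims through StringOrList.
func parseTolerant(raw string) ([]string, error) {
	var u struct {
		Groups StringOrList `json:"memberOf"`
	}
	err := json.Unmarshal([]byte(raw), &u)
	return u.Groups, err
}
```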