Closed ujala-singh closed 1 month ago
This is a misconfiguration on your side. Harbor expects groups to be in the "groups" claim (this is configurable) but there is none. Judging by the logs you should set the groups claim name in Harbor settings to "memberOf".
And the groups claim should be a list. Can you provide the raw JSON of the claims, without the secret values?
I tried with this Harbor config:
Below is my OIDC config on JumpCloud:
If I keep the group attribute as memberOf, it fails with the error below:
2024-07-27T16:53:57Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[at_hash:2hjz6ZvGBNOhUIKVjKstNQ aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.722099234e+09 email:ujala.singh@atlan.dev email_verified:true exp:1.722102837e+09 fullname:Ujala Singh iat:1.722099237e+09 iss:https://oauth.id.jumpcloud.com/ jti:2df8caa0-f27d-4ac6-8279-d3ef0bc874a1 memberOf:Harbor Admin rat:1.722099227e+09 sid:d86086f0-a14e-49de-aae1-204341795a2c sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
2024-07-27T16:53:57Z [WARNING] [/pkg/oidc/helper.go:394]: Unable to get groups from claims, claims: map[aud:[4ff122de-428e-48c8-a4f7-d4f6b11c71a6] auth_time:1.722099234e+09 email:ujala.singh@atlan.dev email_verified:true fullname:Ujala Singh iat:1.722099236e+09 iss:https://oauth.id.jumpcloud.com/ memberOf:Harbor Admin rat:1.722099227e+09 sub:66a38039458be7b3dbb27541 username:ujala.singh], groups claims key: groups
And if I keep the group attribute as groups, even authentication fails:
2024-07-27T16:47:43Z [ERROR] [/lib/http/error.go:57]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"json: cannot unmarshal string into Go struct field UserInfo.groups of type []string"}]}
On the JumpCloud side I have created four groups, the same as on Harbor, mentioned below:
As soon as I assign the user to any of these groups on the JumpCloud side, it passes its value in the group attribute in the request.
In the first image (harbor settings) you have "groups" as groups claim in the Harbor settings.
In the second image (sso settings) you have "memberOf" as the groups claim.
These values must match.
About the Go error: Harbor expects the groups claim to be a list of strings (since a user may belong to 0..n groups), but the SSO only provides a single string attribute.
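The two failures in this thread, the "Unable to get groups from claims ... groups claims key: groups" warning (claim name mismatch) and the "cannot unmarshal string into Go struct field UserInfo.groups of type []string" error (scalar where a list is expected), can be reproduced and contrasted with a tolerant decoder in a few lines of Go. The following is an added example, not Harbor's code and not anything posted by the participants: `StrictUserInfo`, `DecodeStrict`, `StringList` and `GroupsFromClaims` are illustrative names, and the claim payloads are constructed to mirror the shapes described above (a bare string for a single group, an array for two or more).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// StrictUserInfo is an illustrative struct (not Harbor's own UserInfo type)
// whose groups field is []string. Feeding it a payload where the claim is a
// bare JSON string reproduces the error from the thread:
// "json: cannot unmarshal string into Go struct field ... of type []string".
type StrictUserInfo struct {
	Sub    string   `json:"sub"`
	Groups []string `json:"groups"`
}

// DecodeStrict decodes raw into StrictUserInfo and returns the decoder's error.
func DecodeStrict(raw []byte) (StrictUserInfo, error) {
	var u StrictUserInfo
	err := json.Unmarshal(raw, &u)
	return u, err
}

// StringList decodes from either a JSON array of strings or a single JSON
// string, so "memberOf":"Harbor Admin" (one group) and
// "memberOf":["Harbor Admin","Harbor Dev"] (several) normalise to one shape.
// Any other JSON type is rejected rather than silently coerced.
type StringList []string

func (s *StringList) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*s = nil
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = StringList{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("groups claim must be a string or a list of strings: %w", err)
	}
	*s = StringList(many)
	return nil
}

// GroupsFromClaims looks up claimKey (the configurable groups claim name) in a
// decoded ID token or userinfo payload and normalises the value to a list.
// A missing key is reported together with the claim names that were present,
// which is exactly what an operator needs to spot a "groups" vs "memberOf"
// mismatch.
func GroupsFromClaims(raw []byte, claimKey string) ([]string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	v, ok := claims[claimKey]
	if !ok {
		names := make([]string, 0, len(claims))
		for k := range claims {
			names = append(names, k)
		}
		sort.Strings(names)
		return nil, fmt.Errorf("groups claim %q not present; claims seen: %v", claimKey, names)
	}
	var groups StringList
	if err := json.Unmarshal(v, &groups); err != nil {
		return nil, err
	}
	return []string(groups), nil
}

func main() {
	// Constructed payloads (not real tokens), shaped like the claims in the thread.
	oneGroup := []byte(`{"sub":"user-1","username":"alice","memberOf":"Harbor Admin"}`)
	twoGroups := []byte(`{"sub":"user-1","username":"alice","memberOf":["Harbor Admin","Harbor Dev"]}`)

	// Claim-name mismatch: Harbor configured for "groups", IdP sends "memberOf".
	_, err := GroupsFromClaims(oneGroup, "groups")
	fmt.Println("key=groups:", err)

	// Strict []string decoding of a scalar reproduces the unmarshal error.
	_, err = DecodeStrict([]byte(`{"sub":"user-1","groups":"Harbor Admin"}`))
	fmt.Println("strict decode:", err)

	// Tolerant decoding handles both shapes once the claim name matches.
	for _, raw := range [][]byte{oneGroup, twoGroups} {
		g, err := GroupsFromClaims(raw, "memberOf")
		fmt.Println("key=memberOf:", g, err)
	}
}
```

The tolerant `StringList` is a consumer-side mitigation; the fix agreed in the thread is still to make the Harbor groups claim name match what the IdP emits and to have the IdP send a list. Note that the decoder accepts only a string or an array of strings: a number, object or array of objects is still an error, so a misconfigured IdP is reported rather than mapped to an empty group set.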
I made it work by ensuring the user is associated with at least two groups on the JumpCloud OIDC Provider side. This is because JumpCloud does not translate the groups attribute as a list when the user is part of only a single group in the Harbor application.
How can we help you?
I have deployed Harbor version v2.11.0 in Kubernetes and integrated it with JumpCloud (JumpCloud as the OIDC provider); authentication works fine.
Integration with JumpCloud: https://jumpcloud.com/support/sso-with-oidc
JumpCloud's Groups authorization is not working in Harbor with OIDC integration.
In the Harbor core pod I see the following logs:
How the OIDC configuration looks in Harbor:
Please let me know in case any further information is needed.