Open phuc-nguyen2-ts opened 8 months ago
Hi @phuc-nguyen2-ts, I have the same error that you describe. I have the OIDC configuration for Google, and when I try to log in it takes me back to the home page.
This happens because, for me, it cannot validate that the user who logs in belongs to the Google group, which is what the application would have to do: try to log in to Google, check whether the user who logged in belongs to the XXX group that one indicates, and then give them the roles in the app through the AKHQ group.
```yaml
akhq:
  security:
    oidc:
      enabled: true
      providers:
        oidc:
          label: "Login with Google"
          username-field: email
          groups-field: roles
          default-group: no-roles
          groups:
            - name: devops
              groups:
                - admin
```
I do not generate any group or role, I only use the default group "admin"
If I change `default-group: no-roles` to `default-group: reader` or `default-group: admin`, the login works, but it is not what I want, because precisely by not being able to validate the group, a default admin or reader role is assigned. When you configure `no-roles` exactly as the config says, you force the user to authenticate no matter what, but it doesn't work and it takes you back to the login, which is why I said before that it doesn't validate the groups in Google.
@tchiotludo & @AlexisSouquiere, I understand that everyone has this type of error, and I don't know if the documentation on the site is correct for version 0.24, since on the page you have one config and at https://github.com/tchiotludo/akhq/blob/0.24.0/application.example.yml you have other configs, for example in "# Auth & Roles (optional)".
There is something wrong in the docs about making AKHQ validate that a user is in a Google group and, if so, assign the corresponding permission. In my case it would be: if the user is in the "devops" group of Google, then I assign them the permissions of the admin group?
Google OIDC does not send the groups in its response, and it is not supported. For example, DEX has solved this and ArgoCD uses it: https://dexidp.io/docs/connectors/google/. I don't know how you have it implemented in AKHQ, but with only the login response or with the JWT it will not work, because the groups do not come with it: https://developers.google.com/identity/openid-connect/openid-connect?hl=es-419
After logging in, they would have to go check another Google API if the user belongs to the group.
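To make the point above concrete, here is an added Python model (not AKHQ's own code) of how the config quoted in this thread resolves a user's AKHQ groups: a Google-shaped ID token carries no `roles` claim, so the user falls through to `no-roles`, whereas groups supplied by a separate directory lookup (passed in as a plain list here, since this example does not call Google's API) or a Dex-style token that does carry the claim map to `admin`. The token samples and the mapping are constructed for this example.

```python
import base64
import json
from typing import Dict, List, Optional

# Mirrors the akhq.security.oidc settings quoted above (simplified model, not AKHQ's code).
GROUPS_FIELD = "roles"
DEFAULT_GROUP = "no-roles"
GROUP_MAPPING = {"devops": ["admin"]}  # provider group -> AKHQ groups


def _b64url(obj: Dict) -> str:
    """JSON-encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def unsigned_sample_token(claims: Dict) -> str:
    """Build a local sample token; real tokens must be signature-verified against the issuer's JWKS."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}."


def jwt_claims(token: str) -> Dict:
    """Decode the payload segment of a JWT for inspection (no signature check is done here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_groups(claims: Dict, directory_groups: Optional[List[str]] = None) -> List[str]:
    """Map provider groups to AKHQ groups the way the quoted config intends.

    directory_groups stands in for the result of the extra Google Directory API
    lookup discussed in this thread; Google's ID token itself has no group claim.
    """
    provider_groups = list(claims.get(GROUPS_FIELD, []))
    provider_groups += directory_groups or []
    akhq_groups: List[str] = []
    for group in provider_groups:
        akhq_groups += GROUP_MAPPING.get(group, [])
    return akhq_groups or [DEFAULT_GROUP]


# Constructed sample: an ID-token payload shaped like Google's (no groups/roles claim at all).
GOOGLE_LIKE_TOKEN = unsigned_sample_token(
    {"iss": "https://accounts.google.com", "email": "dev@example.com", "email_verified": True}
)
# Constructed sample: a Dex-style payload that does carry groups under the configured field.
DEX_LIKE_TOKEN = unsigned_sample_token(
    {"iss": "https://dex.example.com", "email": "dev@example.com", "roles": ["devops"]}
)

if __name__ == "__main__":
    print(resolve_groups(jwt_claims(GOOGLE_LIKE_TOKEN)))                              # ['no-roles']
    print(resolve_groups(jwt_claims(GOOGLE_LIKE_TOKEN), directory_groups=["devops"]))  # ['admin']
    print(resolve_groups(jwt_claims(DEX_LIKE_TOKEN)))                                 # ['admin']
```

With `default-group: no-roles`, the first case yields a user with no permissions, which is exactly the redirect back to the login page described above.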
As @fedeostrit mentioned, an extra API call is needed to fetch groups. Would it be possible to add support for fetching Google groups via the Google Groups Directory API? It's done via an extra service account. @tchiotludo
it's a common use case...
thanks
I deploy AKHQ onto my K8s cluster via a Helm chart; this is my config for the Google OAuth2 method.
I don't know where I configured wrong but I always get redirected to login page, please correct me!!! I use the latest version: 0.24.0