tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

Problem with OIDC groups mapping, 0.25.1 #1908

Closed artemnikitin2023 closed 3 months ago

artemnikitin2023 commented 3 months ago

Hello.

I'm trying to use akhq via oidc (dex). The username mapping works fine, but the groups mapping is not working at all. Looks like akhq just ignores the groups field. akhq version is 0.25.1 (docker image). Please help.

Here is the akhq security config:

configuration:
  logger:
    levels:
      io.micronaut.security: TRACE
  micronaut:
    security:
      enabled: true
      oauth2:
        enabled: true
        clients:
          dex:
            client-id: "akhq"
            client-secret: "SECRET"
            openid:
              issuer: "https://dex.somedomain.com/"
      token:
        jwt:
          signatures:
            secret:
              generator:
                secret: "SOMESECRETKEY"
  akhq:
    server:
      access-log:
        enabled: true
        name: org.akhq.log.access
    security:
      default-group: no-group
      oidc:
        enabled: true
        providers:
          dex:
            label: "Login"
            username-field: preferred_username
            groups-field: groups
            default-group: reader
            groups:
              - name: "target-group"
                groups:
                  - admin

The dex response is:

{
  "iss": "https://dex.somedomain.com/",
  "sub": "XXXXXXXXX",
  "aud": "akhq",
  "exp": 1234567890,
  "iat": 1234567890,
  "at_hash": "XXXXXXXXXXX",
  "c_hash": "XXXXXXXXXXXXXX",
  "email": "someuser@somedomain.com",
  "email_verified": true,
  "groups": [
    "target-group"
  ],
  "name": "Some User",
  "preferred_username": "someuser"
}
artemnikitin2023 commented 3 months ago

The problem was that micronaut was not requesting the groups scope; adding it in the config file resolved the issue.

carlosfwrk commented 2 months ago

Hi @artemnikitin2023, I have a similar error but I don't understand how you solved the issue. Could you explain how I can add it in the config file? Which config file? Thanks.

artemnikitin2023 commented 2 months ago

Hi. Here is the working part of the configuration, the micronaut block:

micronaut:
  security:
    enabled: true
    oauth2:
      enabled: true
      clients:
        dex:
          client-id:
          client-secret:
          openid:
            issuer:
            scopes:
              - profile
              - email
              - openid
              - groups

Also dex must be configured to inject the groups claim into the oauth token.
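The thread boils down to two distinct reasons a user can land in `default-group`: the `groups` claim never arrives (the client did not request the `groups` scope, or the IdP is not configured to emit it), or it arrives but matches no entry under `groups:` in the provider block. The following is an added, stand-alone Python example, not akhq's or Micronaut's code: it re-implements the mapping that the `akhq.security.oidc.providers.dex` block in the issue expresses (the `map_oidc_groups` and `diagnose_groups` functions and the claim sets below are constructed for illustration) and shows how to tell the two failure modes apart from a decoded ID token.

```python
import json

# Provider block copied from the akhq.security.oidc.providers.dex config in the issue.
DEX_PROVIDER = {
    "username-field": "preferred_username",
    "groups-field": "groups",
    "default-group": "reader",
    "groups": [
        {"name": "target-group", "groups": ["admin"]},
    ],
}

# Constructed ID-token claim sets (decoded payloads only; the signature is assumed
# to have been verified by the OIDC client library before this point).
CLAIMS_WITH_GROUPS = json.loads("""
{
  "iss": "https://dex.somedomain.com/",
  "sub": "XXXXXXXXX",
  "aud": "akhq",
  "email": "someuser@somedomain.com",
  "groups": ["target-group"],
  "preferred_username": "someuser"
}
""")

# Same user, but the token was issued without the `groups` scope, so the IdP omits the claim.
CLAIMS_WITHOUT_GROUPS = {k: v for k, v in CLAIMS_WITH_GROUPS.items() if k != "groups"}

# A user whose IdP groups are present but match no mapping entry.
CLAIMS_UNMAPPED_GROUPS = dict(CLAIMS_WITH_GROUPS, groups=["other-team"])


def map_oidc_groups(claims, provider):
    """Resolve (username, akhq groups) from ID-token claims.

    Hypothetical re-implementation of the mapping the config expresses: every
    IdP group listed under `groups[].name` contributes its `groups` list; if
    nothing matches (or the claim is missing), the user gets only `default-group`.
    """
    username = claims.get(provider["username-field"])
    idp_groups = claims.get(provider["groups-field"]) or []
    mapping = {entry["name"]: entry["groups"] for entry in provider["groups"]}
    resolved = {akhq_group for g in idp_groups for akhq_group in mapping.get(g, [])}
    if not resolved:
        # Fail closed: an unknown or absent group claim yields the least-privileged default.
        resolved = {provider["default-group"]}
    return username, sorted(resolved)


def diagnose_groups(claims, provider):
    """Explain why a user ended up with default-group, separating the two causes
    seen in the issue: the claim never arrived (scope not requested or IdP not
    emitting it) versus it arrived but no configured mapping matches."""
    field = provider["groups-field"]
    if field not in claims:
        return f"claim '{field}' absent from token: check the oauth2 client scopes and the IdP claim config"
    idp_groups = claims[field] or []
    mapped_names = {entry["name"] for entry in provider["groups"]}
    unmatched = [g for g in idp_groups if g not in mapped_names]
    if len(unmatched) == len(idp_groups):
        return f"claim present but none of {idp_groups} match a configured mapping"
    return "ok"


if __name__ == "__main__":
    for label, claims in [("with groups", CLAIMS_WITH_GROUPS),
                          ("without groups", CLAIMS_WITHOUT_GROUPS),
                          ("unmapped groups", CLAIMS_UNMAPPED_GROUPS)]:
        print(label, map_oidc_groups(claims, DEX_PROVIDER), diagnose_groups(claims, DEX_PROVIDER))
```

Running it shows the first token resolving to `admin`, and both other tokens resolving to `reader` but for different reasons; the `diagnose_groups` output is the distinction worth adding to a login audit log, since an absent claim points at the client scopes (the fix in this thread) while an unmatched claim points at the `groups:` mapping.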