vmware-archive / gangway

An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster.
Apache License 2.0

Could not parse Username claim #144

Closed david-curran-90 closed 4 years ago

david-curran-90 commented 4 years ago

Gangway version: 3.2.0
Dex version: 2.19.0

I am using the LDAP connector in Gangway and am getting the error

Could not parse Username claim

upon successful authentication. Below is the ConfigMap I'm using

Name:         gangway
Namespace:    auth
Labels:       app.kubernetes.io/instance=gangway
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=gangway
              helm.sh/chart=gangway-0.4.0
Annotations:  <none>

Data
====
gangway.yaml:
----
apiServerURL: https://api.mydomain.com:6443
audience: https://dex.mydomain.com/userinfo
authorizeURL: https://dex.mydomain.com/auth
clientID: ldapauth
clientSecret: ******************
clusterName: k8s
port: 8080
redirectURL: https://gangway.mydomain.com/callback
scopes:
- openid
- profile
- email
- offline_access
sessionKey: ************************
tokenURL: https://dex.mydomain.com/token
trustedCAPath: /etc/gangway/dex.ca
usernameClaim: SamAccountName

Events:  <none>

My Dex config

storage:
  config:
    inCluster: true
  type: kubernetes
logger:
  level: debug
web:
  http: 0.0.0.0:5556
connectors:
- config:
    bindDN: DC=mydomain,DC=com
    bindPW: *****************
    clientID: ldapauth
    clientSecret: ******************
    groupSearch:
      baseDN: DC=mydomain,DC=com
      filter: (objectClass=group)
      groupAttr: member
      nameAttr: cn
      userAttr: SamAccountName
    host: mydomain.com:636
    insecureNoSSL: false
    insecureSkipVerify: true
    userSearch:
      baseDN: DC=mydomain,DC=com
      emailAttr: mail
      filter: (objectClass=person)
      idAttr: userPrincipalName
      nameAttr: name
      username: SamAccountName
    usernamePrompt: Username
  id: ldap
  name: LDAP
  type: ldap
oauth2:
  alwaysShowLoginScreen: false
  skipApprovalScreen: true
staticClients:
- id: ldapauth
  name: oidc-auth-client
  redirectURIs:
  - https://gangway.mydomain.com/callback
  secret: *************************
enablePasswordDB: false

Not really sure what values I should use for the different attributes, but these ones don't give any errors like others do.

Not very helpful, but here are the logs too

time="2020-01-10T15:22:25Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2020-01-10T15:25:39Z" level=info msg="performing ldap search DC=mydomain,DC=com sub (&(objectClass=person)(SamAccountName=schizoid90))"
time="2020-01-10T15:25:39Z" level=info msg="username \"schizoid90\" mapped to entry CN=Firstname Lastname,OU=Development,OU=Departments,DC=mydomain,DC=com"
time="2020-01-10T15:25:39Z" level=info msg="login successful: connector \"ldap\", username=\"Firstname Lastname\", email=\"firstname.lastname@mydomain.com\", groups=[]"
time="2020-01-10T15:27:25Z" level=info msg="garbage collection run, delete auth requests=0, auth codes=2"
...
time="2020-01-10T15:25:31Z" level=info msg="GET / 10.244.3.1:47582"
time="2020-01-10T15:25:33Z" level=info msg="GET / 10.244.3.3:50846"
time="2020-01-10T15:25:33Z" level=info msg="GET /js/materialize.js 10.244.3.3:50846"
time="2020-01-10T15:25:33Z" level=info msg="GET /js/init.js 10.244.3.3:50846"
time="2020-01-10T15:25:33Z" level=info msg="GET /favicon.ico 10.244.3.3:50846"
time="2020-01-10T15:25:34Z" level=info msg="GET /login 10.244.3.3:50846"
time="2020-01-10T15:25:39Z" level=info msg="GET /callback?code=fdasfdsat43tge45sggs4t334g&state=lPxBUANY%2FCPV3xmj7sihCjj%2BFDB0FXznGMFethv9CQY%3D 10.244.3.3:50846"
time="2020-01-10T15:25:39Z" level=info msg="GET /favicon.ico 10.244.3.3:50846"
time="2020-01-10T15:25:39Z" level=info msg="GET /favicon.ico 10.244.3.3:50846"
...
johnharris85 commented 4 years ago

I think in your gangway config you need to change usernameClaim: SamAccountName. The value needs to be one of the claims in your JWT token that's returned. Common values might be name, email, sub etc...
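
An added example in Go illustrating the point above; it is not part of this issue or of Gangway's own code. It decodes an ID token's payload to list the claims the provider actually issued and then applies the rule behind `usernameClaim`: the claim must be present and hold a string. The token, its key id and all claim values are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claimsFromIDToken decodes a JWT payload without checking the signature, which is enough to list the claims a provider issues (Gangway verifies tokens before use).
func claimsFromIDToken(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-segment JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return claims, nil
}

// usernameFromClaims applies the rule behind usernameClaim: the named claim must exist and hold a string, otherwise the login cannot be mapped to a user.
func usernameFromClaims(claims map[string]interface{}, usernameClaim string) (string, error) {
	if s, ok := claims[usernameClaim].(string); ok {
		return s, nil
	}
	present := make([]string, 0, len(claims))
	for k := range claims {
		present = append(present, k)
	}
	return "", fmt.Errorf("could not parse username claim %q; claims present: %v", usernameClaim, present)
}

// sampleIDToken builds a constructed, unsigned token shaped like a Dex ID token for an LDAP user; every value in it is hypothetical.
func sampleIDToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	payload := `{"iss":"https://dex.mydomain.com","sub":"constructed-subject","email":"firstname.lastname@mydomain.com","name":"Firstname Lastname","groups":[]}`
	return enc([]byte(`{"alg":"RS256","kid":"constructed-key"}`)) + "." + enc([]byte(payload)) + ".constructed-signature"
}

func main() {
	claims, _ := claimsFromIDToken(sampleIDToken())
	for _, c := range []string{"SamAccountName", "email"} { // the issue's setting fails, a claim the token carries maps
		fmt.Println(usernameFromClaims(claims, c))
	}
}
```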

david-curran-90 commented 4 years ago

Thanks @johnharris85, that's sorted it