Open czhou-brex opened 1 month ago
AlexanderYastrebov
commented
1 month ago Hello.
There is a -oauth2-tokeninfo-subject-key flag:
https://github.com/zalando/skipper/blob/bd87e31f76fbbf400aaeb4f7a345e277df8f0028/config/config.go#L497
Could you please try -oauth2-tokeninfo-subject-key=sub (or nickname or email) and see if it helps?
AlexanderYastrebov
commented
1 month ago I also think this
https://github.com/zalando/skipper/blob/bd87e31f76fbbf400aaeb4f7a345e277df8f0028/filters/auth/grant.go#L166
should be set only when TokeninfoSubjectKey is not empty
https://github.com/zalando/skipper/blob/bd87e31f76fbbf400aaeb4f7a345e277df8f0028/filters/auth/grant.go#L158-L164
such that existing sub claim is not overwritten when -oauth2-tokeninfo-subject-key=''
czhou-brex
commented
1 month ago Hello.
There is a
-oauth2-tokeninfo-subject-keyflag:Could you please try
-oauth2-tokeninfo-subject-key=sub(ornicknameor
Yes, this worked with the Okta GET /userinfo endpoint.
Describe the bug The OAuthgrant filter requires a tokeninfo URL which is only called by a GET request. However some IDPs like Okta have already deprecated this call. Specifically it looks for a uid field and it it fails, it will do a redirect. This leads to a redirect loop.
Using the GET /userinfo does not resolve this issue, as in Okta's case specifically the uid field does not exist in GET /userinfo. https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/userinfo
To Reproduce
oauth.eskip file
dashboard: * -> oauthGrant() -> inlineContent("It works!") -> <shunt>;Expected behavior
Observed behavior
Failed to create token container: tokeninfo subject key 'uid' is missing.I think it should not rely on the uid field and work with GET /userinfo like the oidc filter.