request information when groups and offline_access scopes not supported #16
Comments
Hello,

Quick answer, in the current implementation: No.

When the IDP does not support groups or roles (they are not present in scopes_supported), it will not add the user groups to the JWT token response during the authentication phase, and the filter even fails at startup time. In the same way, if the IDP does not support offline_access, it will reject the refresh token requests (this also depends on the IDP implementation, as some of them accept refreshing the token even when offline_access is omitted).

Can you please describe the issue you are facing in more detail?

Also, we can support working with an IDP which does not support a refresh token or for which the feature is disabled. To work seamlessly, we will suppose the IDP continually refreshes the user token to avoid user disconnection/re-authentication during navigation when the token expires. Also, the filter should redirect the user back to his current page (instead of the home page) when requesting a new access token.
Hello,

Thanks for your reply. Firstly, here is some technical information on the IDP used, from .well-known/openid-configuration:

My first issue is that the groups information is not retrieved. I will come back to the IDP provider to find out whether the groups information is available in the ID token and/or the access token. Once the user is authenticated, I have this message in the logs, where we can see that groups is empty:

My second issue is with the refresh token, and I need to test it more deeply.

Regards
OK, thanks. In fact, yes, you can check with the IDP provider whether it is possible to add groups or roles to the client scope and assign users to these groups. For Keycloak, for example, it is possible to enable roles, groups or any custom claims by using Mappers. These claims will then be included in the JWT access token.
Here is the reply from my IDP provider about groups: the groups information is returned in the id_token and also in the access_token. https://idp_provider_address/oauth2/authorize?client_id=client_id&redirect_uri=https://spark-history-address/home&response_type=code&scope=openid+profile+email+groups
OK, this can be done using the scope parameter or the AUTH_SCOPE env variable:
env:
- name: AUTH_SCOPE
  value: openid+profile+email+groups
...
I have already tested it, but I get this error because the scope 'groups' is not available in the supported groups of the IDP:
Yes, actually the code enforces the check against the supported scopes reported by the IDP. Your IDP reports, via the discovery endpoint, it does not support the
I have published v1.2.1 as a pre-release to remove the enforcement. You can download the jar from there, test it and let us know whether it works, so that we can publish this version to Maven Central.
I have tested with v1.2.1 and with AUTH_SCOPE="openid+profile+email+groups"; I get a warning when the scope is not in the supported_scopes list:
and the groups information is retrieved once the user is authenticated:
I would like to know whether it is possible to do the same for the scope offline_access.
The check was removed for the offline_access scope as well. What error are you getting when you add the scope?
I have also tested with After a few hours, I get an error saying that the refresh token should not be null or blank:
OK, I have disabled offline_access in case the IDP does not support it or it is disabled.
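To make the behaviours discussed in this thread concrete (the startup check against scopes_supported, the 1.2.1 warn-instead-of-fail mode, dropping offline_access when the IDP does not advertise it, tolerating a missing refresh token instead of raising the "should not be null or blank" error, and reading the groups claim the IDP puts in the token), here is an added example. It is hypothetical code written for this page, not okdp-spark-auth-filter's own implementation; the discovery document, the function names and the sample token are all constructed for the example.

```python
"""Added example (not okdp-spark-auth-filter code): hypothetical scope, refresh
and groups-claim handling for an OIDC-protected app. All data and names below
are constructed for illustration."""
import base64
import json
import logging

log = logging.getLogger("oidc-scope-check")

# Constructed discovery document: like the reporter's IDP, it advertises
# neither "groups" nor "offline_access" in scopes_supported.
DISCOVERY = {
    "issuer": "https://idp.example.test",
    "scopes_supported": ["openid", "profile", "email"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}


def parse_auth_scope(value):
    """AUTH_SCOPE joins scopes with '+' (URL form); spaces are accepted too.
    Empty entries (e.g. from "groups++offline_access") and duplicates are
    dropped; order is kept."""
    out = []
    for scope in value.replace("+", " ").split():
        if scope not in out:
            out.append(scope)
    return out


def check_scopes(requested, discovery, enforce):
    """Compare the requested scopes with scopes_supported.
    enforce=True  mirrors the pre-1.2.1 behaviour: refuse to start.
    enforce=False mirrors 1.2.1: warn and keep the scope, since an IDP may
    honour a scope it does not list (the reporter's returns "groups").
    Returns (scopes, unsupported)."""
    if "openid" not in requested:
        raise ValueError("OIDC requires the 'openid' scope")
    supported = set(discovery.get("scopes_supported", []))
    unsupported = [s for s in requested if s not in supported]
    if unsupported and enforce:
        raise ValueError("scopes not advertised by the IDP: %s" % unsupported)
    for scope in unsupported:
        log.warning("scope %r not in scopes_supported; requesting it anyway", scope)
    return list(requested), unsupported


def scopes_for_authorize(requested, discovery):
    """Scope list for the /authorize request: offline_access is dropped when
    the IDP does not advertise it, so the app relies on whatever refresh
    token the IDP issues without that scope."""
    supported = set(discovery.get("scopes_supported", []))
    scopes = [s for s in requested
              if s != "offline_access" or "offline_access" in supported]
    if len(scopes) != len(requested):
        log.warning("offline_access not advertised by the IDP; not requesting it")
    return scopes


def refresh_token_from_response(token_response):
    """Refresh token from a /token response, or None when absent or blank.
    Returning None instead of raising lets the caller fall back to a new
    authorization-code round trip when the access token expires."""
    value = token_response.get("refresh_token")
    if not isinstance(value, str) or not value.strip():
        return None
    return value


def groups_from_token(token):
    """Read the 'groups' claim from a JWT payload WITHOUT verifying the
    signature. Good enough for logging what the IDP sent; authorization
    decisions must only use a token whose signature and issuer were verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return []
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    groups = payload.get("groups", [])
    return list(groups) if isinstance(groups, list) else [groups]


def make_unsigned_jwt(payload):
    """Constructed test token: JWT layout with an empty signature, only so
    that groups_from_token() has realistic input. Never accept such a token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


SAMPLE_TOKEN = make_unsigned_jwt({"sub": "user1", "groups": ["admins", "spark-users"]})

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    requested = parse_auth_scope("openid+profile+email+groups++offline_access")
    scopes, unsupported = check_scopes(requested, DISCOVERY, enforce=False)
    print("sending:", scopes_for_authorize(scopes, DISCOVERY), "unsupported:", unsupported)
    print("refresh token:", refresh_token_from_response({"access_token": SAMPLE_TOKEN}))
    print("groups:", groups_from_token(SAMPLE_TOKEN))
```

Run as a script it warns about groups and offline_access, sends the scope list without offline_access, reports no refresh token, and still reads the groups from the token. Note that groups_from_token only decodes; the caller must verify the signature against the issuer's JWKS before trusting the claim.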
@idirze: where can I find the new jar?
It's under the same name in the assets of the pre-release https://github.com/OKDP/okdp-spark-auth-filter/releases/tag/v1.2.1
I have re-tested with v1.2.1 and with AUTH_SCOPE="openid+profile+email+groups++offline_access". I no longer get the error "The parameter <refresh_token> should not be null or blank", and it seems that the automatic re-authentication is working fine, without any action from the user. Here are the logs when the token expired:
Thanks @idirze for your support.
@SBatais, thank you for the feedback, and feel free to raise any issue, contribution or request for information. You can download the 1.2.1 jar from there. So, I close the issue as resolved.
Original issue (OKDP/okdp-spark-auth-filter#16): …pported scopes and offline_access
Hello,
I would like to know whether okdp-spark-auth-filter can work with an IDP that doesn't support the scopes groups and offline_access (the "scopes_supported" array in issuer-uri/.well-known/openid-configuration), and be able to get the groups and refresh token information from an access token returned by the IDP when the user is authenticated.
Thanks in advance for the reply.