(question): Pomerium->Dex->Auth0 groups ?

[lukasmrtvy]

I need little help with integrating Pomerium->Dex->Auth0 with groups support.

Dex config:

- type: oidc
  id: auth0
  name: Auth0
  config:
    issuer: https://<redacted>.eu.auth0.com/
    clientID: <redacted>
    clientSecret: <redacted>
    redirectURI: https://dex.<redacted>/callback
    scopes:
    - openid
    - profile
    - email
    claimMapping:
      groups: 'https://example.com/claims/groups'
      preferred_username: email
    getUserInfo: true

Auth0 rule snippet:

function (user, context, callback) {
  var namespace = 'https://example.com/claims/'; 
  context.idToken[namespace + "groups"] = user.groups;
  callback(null, user, context);
}

Pomerium config:

provider: oidc
url: https://dex.<redacted>
clientID: pomerium
clientSecret: <redacted>
scopes:
- openid
- profile
- email
- groups
policy:
  - from: https://whoami.<redacted>
    to: https://whoami.<redacted>
    allowed_idp_claims:
      groups:
      - admins

Latest pomerium/pomerium:master image implements allowed_idp_claims (pomerium/pomerium#1542)

But seems that group, nor preferred_username values are not claimed. Any idea why ?

[nabokihms]

The problem with groups is, at first glance, that to get them from a provider you need to enable insecureEnableGroups option in Dex (even using claimMapping).

Could you please provide dex logs during authentication? I feel like I am able to help you.

[lukasmrtvy]

@nabokihms thanks.

Here is log from dex ( including insecureEnableGroups ):

{"level":"info","msg":"config storage: kubernetes","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config static client: pomerium","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config static client: argocd","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config static client: gitlab","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config connector: auth0","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config connector: local passwords enabled","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"config skipping approval screen","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"listening (http/telemetry) on 0.0.0.0:5558","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"listening (http) on 0.0.0.0:5556","time":"2020-10-31T17:53:29Z"}
{"level":"info","msg":"login successful: connector \"auth0\", username=\"John Doe\", preferred_username=\"\", email=\"john.doe@gmail.com\", groups=[]","time":"2020-10-31T17:58:06Z"}

[nabokihms]

Looks strange. On my test stand, using provided dex settings for auth0 provider, logs look like:

{"level":"info","msg":"login successful: connector \"auth0-oidc\", username=\"ma****@flant.com\", preferred_username=\"ma****@flant.com\", email=\"ma****@flant.com\", groups=[\"admins\" \"everyone\"]","time":"2020-10-31T21:51:04Z"}

The only difference I made was in the auth0 rule.

function (user, context, callback) {
  var namespace = 'https://example.com/claims/'; 

  context.idToken[namespace + "groups"] = ["admins", "everyone"];
  console.log(context);

  callback(null, user, context);
}

It leaves us two possible reasons:

1. Please make sure you are using the latest dex version (I tested it with official docker image quay.io/dexidp/dex:v2.25.0).
2. It might be something with the auth0 configuration (rules, settings, etc), but I don't understand why the preferred_username claim is empty in this case.

[lukasmrtvy]

Sorry, my mistake 🤦‍♂️ , dex helm chart 2.15.0 does not use latest version of dex image 2.25.0, where is support in oidc connector
( #1634 ) included.
It is working ok with 2.25.0 .
Thanks !

[sagikazarmark]

is this issue resolved then?