
group-claim configuration parameter is ignored #5750

Open
taxone opened this issue Mar 26, 2024 · 0 comments
Assignees
Labels
status/need-triage Team needs to triage and take a first look

Comments


taxone commented Mar 26, 2024

Description:
SCDF supports OAuth 2.0 authentication and provides the Groups Mappings feature. It's possible to map group claims defined in the JWT token into server roles.
The JWT claim name used for retrieving the roles can be defined using the property below:

spring.cloud.dataflow.security.authorization.provider-role-mappings.<PROVIDER_ID>.group-claim

The property is ignored; in fact, the claim name can only be "roles".
Analyzing and debugging the source code, I can see that the claim names are hard-coded:

image

and the property org.springframework.cloud.common.security.ProviderRoleMapping.groupClaim is never used.

Release versions:

{"featureInfo":{"analyticsEnabled":true,"streamsEnabled":false,"tasksEnabled":true,"schedulesEnabled":true,"monitoringDashboardType":"NONE"},"versionInfo":{"implementation":{"name":"spring-cloud-dataflow-server","version":"2.11.1"},"core":{"name":"Spring Cloud Data Flow Core","version":"2.11.1"},"dashboard":{"name":"Spring Cloud Dataflow UI","version":"3.4.1"},"shell":{"name":"Spring Cloud Data Flow Shell","version":"2.11.1","url":"https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-dataflow-shell/2.11.1/spring-cloud-dataflow-shell-2.11.1.jar"}},"securityInfo":{"authenticationEnabled":true,"authenticated":true,"username":"claudiano3","roles":["ROLE_CREATE","ROLE_DEPLOY","ROLE_DESTROY","ROLE_MANAGE","ROLE_MODIFY","ROLE_SCHEDULE","ROLE_VIEW"]},"runtimeEnvironment":{"appDeployer":{"deployerImplementationVersion":null,"deployerName":null,"deployerSpiVersion":null,"javaVersion":null,"platformApiVersion":null,"platformClientVersion":null,"platformHostVersion":null,"platformSpecificInfo":{},"platformType":null,"springBootVersion":null,"springVersion":null},"taskLaunchers":[{"deployerImplementationVersion":"unknown","deployerName":"KubernetesTaskLauncher","deployerSpiVersion":"unknown","javaVersion":"11.0.19","platformApiVersion":"v1","platformClientVersion":"unknown","platformHostVersion":"unknown","platformSpecificInfo":{"namespace":"int-gpp-credem","master-url":"https://10.43.0.1:443/"},"platformType":"Kubernetes","springBootVersion":"2.7.16","springVersion":"5.3.30"}]},"monitoringDashboardInfo":{"url":"","refreshInterval":15,"dashboardType":"NONE","source":"default-scdf-source"},"_links":{"self":{"href":"https://scdf-int-gpp-credem.qlt-sispag.k8s.dev.int.master.lan/about"}}}

Steps to reproduce:
Launch SCDF using the configuration below:

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: dataflow
            client-secret: XXXXXXXXXXX
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            scope:
            - openid
        provider:
          keycloak:
            jwk-set-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/certs
            token-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/token
            user-info-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/userinfo
            user-name-attribute: preferred_username
            authorization-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/auth
      resourceserver:
        opaquetoken:
          introspection-uri: http://svi-gpp-gateway.svi-sispag.k8s.dev.int.master.lan/auth/realms/gpp/protocol/openid-connect/token/introspect
          client-id: dataflow
          client-secret: XXXXXXX
      authorization:
        check-token-access: isAuthenticated()
  cloud:
    dataflow:
      security:
        authorization:
          provider-role-mappings:
            keycloak:
              map-oauth-scopes: false
              group-claim: gpp_roles
              map-group-claims: true
              group-mappings:
                ROLE_VIEW: ADMINISTRATOR
                ROLE_CREATE: ADMINISTRATOR
                ROLE_MANAGE: ADMINISTRATOR
                ROLE_DEPLOY: ADMINISTRATOR
                ROLE_DESTROY: ADMINISTRATOR
                ROLE_MODIFY: ADMINISTRATOR
                ROLE_SCHEDULE: ADMINISTRATOR

Configure the Identity Provider to return a JWT token which contains this claim:

"gpp_roles": [
    "ADMINISTRATOR"
  ]

After a successful login, the user is redirected to the SCDF UI, but a 403 HTTP status code is returned.
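The following is an added illustration, not SCDF's own code, of what the `provider-role-mappings` block above is meant to do: resolve SCDF roles from the group claim named by `group-claim`, and show why reading a hard-coded `roles` claim instead leaves the user with no roles (hence the 403). The fallback to `"roles"` when no `group-claim` is configured is an assumption used only to reproduce the reported behaviour; the token payload is constructed.

```python
# Added illustration (not SCDF's own code): how the provider-role-mappings
# block from the issue is meant to turn a JWT group claim into SCDF roles,
# and why a hard-coded claim name yields no roles (hence the 403).

# Mirrors the keycloak provider-role-mapping from the issue's configuration.
# group-mappings is SCDF role -> group name expected in the token.
PROVIDER_ROLE_MAPPING = {
    "map-group-claims": True,
    "group-claim": "gpp_roles",
    "group-mappings": {
        "ROLE_VIEW": "ADMINISTRATOR",
        "ROLE_CREATE": "ADMINISTRATOR",
        "ROLE_MANAGE": "ADMINISTRATOR",
        "ROLE_DEPLOY": "ADMINISTRATOR",
        "ROLE_DESTROY": "ADMINISTRATOR",
        "ROLE_MODIFY": "ADMINISTRATOR",
        "ROLE_SCHEDULE": "ADMINISTRATOR",
    },
}

# Constructed decoded JWT payload; signature validation is out of scope here.
SAMPLE_CLAIMS = {"preferred_username": "alice", "gpp_roles": ["ADMINISTRATOR"]}


def groups_from_claims(claims, claim_name):
    """Return the set of group names under claim_name.
    Tolerates a single string value as well as a list; a missing claim yields no groups."""
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return {str(v) for v in value}


def map_groups_to_roles(claims, mapping, claim_name=None):
    """Resolve SCDF roles for a token.
    claim_name=None uses the configured group-claim; passing "roles" reproduces
    the hard-coded behaviour the issue describes. The "roles" default when no
    group-claim is configured is an assumption of this illustration."""
    if not mapping.get("map-group-claims"):
        return set()
    name = claim_name or mapping.get("group-claim", "roles")
    groups = groups_from_claims(claims, name)
    return {role for role, group in mapping["group-mappings"].items() if group in groups}


if __name__ == "__main__":
    print("configured claim:", sorted(map_groups_to_roles(SAMPLE_CLAIMS, PROVIDER_ROLE_MAPPING)))
    print("hard-coded 'roles':", sorted(map_groups_to_roles(SAMPLE_CLAIMS, PROVIDER_ROLE_MAPPING, "roles")))
```

With the configured claim the user receives all seven mapped roles; reading `roles` instead returns an empty set, which is what an authenticated-but-unauthorized 403 looks like from the server side.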

@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Mar 26, 2024