Empty groups in github connector

Open morgoved opened this issue 4 years ago • 6 comments

  • Dex version:v2.26.0
  • Storage type:
  • Installation type (official docker image, helm chart, etc.): argocd

I created an OAuth app in the org, created a team, and added users to the team. But I can't get groups:

"login successful: connector "github", username="morgoved", preferred_username="morgoved", email="[email protected]", groups=[]"

dex.config: |
  connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: 91c7a1561f9c832a85f9
        clientSecret: $dex.github.clientSecret
      org: orgname
      loadAllGroups: true

I tried to use orgs: - name: orgname teams: - admin and had the same result. How can I fix it?

morgoved avatar May 12 '21 15:05 morgoved

Hello! I assume that you missed the groups scope. Could you ensure that you send it? Sending this scope to the auth endpoint is mandatory to get a non-empty groups array in an ID token.

You can find documentation about scopes here: https://dexidp.io/docs/custom-scopes-claims-clients/#scopes

nabokihms avatar May 12 '21 18:05 nabokihms

@nabokihms Please, I have checked the documentation about scope, but I don't know how to send the scope?

ihalloum avatar Aug 17 '21 08:08 ihalloum

@ihalloum You can find the scope configuration docs here: https://dexidp.io/docs/connectors/oidc/#configuration

demonkoryu avatar May 23 '22 20:05 demonkoryu

I am having this issue too and I have included scopes: ["groups"] in my config

If I use the following dex config I can log in. It is worth noting I'm using argocd which by default sets scope to ["groups"] in the rbac-cm configmap

connectors:
- type: github
  id: github
  name: Github
  config:
    clientID: id
    clientSecret: secret
    loadAllGroups: false
    useLoginAsID: true 
    orgs:
    - name: myorg

However dex shows I have no group claims:

time="2023-02-17T16:23:53Z" level=info msg="login successful: connector \"github\", username=\"sam\", preferred_username=\"sam\", email=\"sam@myorg\", groups=[]"

I am expecting to see something like groups=['myorg:engineering','myorg:admin']

So when I try a dex config specifying a team in myorg it fails to authenticate since the group claim is empty

connectors:
- type: github
  id: github
  name: Github
  config:
    clientID: id
    clientSecret: secret
    scopes: ["groups"]
    teamNameField: slug
    useLoginAsID: true
    orgs:
    - name: myorg
      teams:
      - engineering
      - admin

time="2023-02-17T15:35:44Z" level=info msg="github: user \"sam\" in org \"myorg\" but no teams"
time="2023-02-17T15:35:44Z" level=error msg="Failed to authenticate: github: user \"sam\" not in required orgs or teams"

dex version is v2.35.3-dirty

sylv-sam avatar Feb 17 '23 16:02 sylv-sam

I finally figured out what was causing this issue for me. It was a mismatch of cases between the org name in GitHub "MyOrg" vs the org name I passed in my dex config "myorg". By changing the dex config value to be "MyOrg" it worked. This is the final config which works:

connectors:
- type: github
  id: github
  name: Github
  config:
    clientID: id
    clientSecret: secret
    teamNameField: slug
    useLoginAsID: true
    orgs:
    - name: MyOrg
      teams:
      - engineering
      - admin

sylv-sam avatar Jun 01 '23 11:06 sylv-sam
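
The case mismatch reported in the last comment can be caught before deploying a config. The following is an added example, not part of the original thread and not Dex's own code: `groups_for` is a hypothetical helper, the team list is constructed sample data shaped like GitHub's `GET /user/teams` response, and the case-sensitive comparison of the configured org name against `organization.login` is an assumption taken from the behaviour described in that comment.

```python
import json

# Constructed sample of GitHub's GET /user/teams response, trimmed to the
# fields used below. The org's canonical login is "MyOrg", as in the thread.
SAMPLE_USER_TEAMS = json.loads("""
[
  {"name": "Engineering", "slug": "engineering", "organization": {"login": "MyOrg"}},
  {"name": "Admin", "slug": "admin", "organization": {"login": "MyOrg"}},
  {"name": "Docs", "slug": "docs", "organization": {"login": "other-org"}}
]
""")


def groups_for(configured_orgs, user_teams, team_name_field="slug"):
    """Hypothetical helper: return (groups, warnings) for a connector `orgs` list.

    Assumption: the configured org name is compared case-sensitively with
    organization.login, which is the behaviour reported in the thread.
    team_name_field is "slug" or "name", mirroring the teamNameField setting.
    """
    groups, warnings = [], []
    logins = {team["organization"]["login"] for team in user_teams}
    for org in configured_orgs:
        wanted = org.get("teams") or []  # empty list: accept every team in the org
        if org["name"] not in logins:
            # No exact match: look for a login that differs only in letter case.
            near = sorted(l for l in logins if l.lower() == org["name"].lower())
            if near:
                warnings.append(
                    f"configured org {org['name']!r} differs only in case "
                    f"from GitHub login {near[0]!r}"
                )
            continue
        for team in user_teams:
            if team["organization"]["login"] != org["name"]:
                continue
            name = team[team_name_field]
            if not wanted or name in wanted:
                groups.append(f"{org['name']}:{name}")
    return groups, warnings


if __name__ == "__main__":
    for org_name in ("myorg", "MyOrg"):
        cfg = [{"name": org_name, "teams": ["engineering", "admin"]}]
        print(org_name, groups_for(cfg, SAMPLE_USER_TEAMS))
```

A warning with an empty group list corresponds to the `groups=[]` and "in org ... but no teams" log lines quoted above.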