
OIDC group scope? Harbor

Open badsmoke opened this issue 3 years ago • 4 comments

Hello,

I am pretty new to the SAML/OIDC/LDAP material.

I am currently testing with authentik 2022.8.2 and Harbor 2.6.0.

I would like to have the groups I have in authentik also available in Harbor. What do I have to create for this? I assume that I can adapt this for Portainer and Rancher, for example?

Thanks already

badsmoke avatar Sep 06 '22 12:09 badsmoke

The screenshot in the Harbor documentation is a bit outdated. You don't have to create anything for this; you can just set the groups claim to groups.

BeryJu avatar Sep 06 '22 12:09 BeryJu

Thanks, don't I have to create another group scope on the authentik page?

In Harbor, at least, it does not look like it would work.

badsmoke avatar Sep 08 '22 12:09 badsmoke

No, the groups claim is included in the default profile scope, see https://github.com/goauthentik/authentik/blob/main/blueprints/system/providers-oauth2.yaml#L47

BeryJu avatar Sep 08 '22 12:09 BeryJu

Ah, cool, thanks.

Should I automatically see something in Harbor?

I have, for example, the group maintainer, with a user test.

But in Harbor this group does not exist automatically, and when I add it manually the user test still does not have access.

badsmoke avatar Sep 08 '22 13:09 badsmoke

Everything works now, I just forgot to set the "group claim name".

But the groups are only set when someone has logged in with the corresponding group?

badsmoke avatar Sep 29 '22 06:09 badsmoke

What do you mean by "has logged in with the corresponding group"?

BeryJu avatar Sep 29 '22 08:09 BeryJu

Due to the way OIDC works the Groups are only provisioned when the user logs in. I don't know if Harbor has support for something like SCIM or supports OIDC and LDAP at the same time, but that would solve this issue.

BeryJu avatar Apr 04 '24 16:04 BeryJu
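
An added example (not part of the thread, and not authentik or Harbor code): a small Python check that decodes an ID token's payload and confirms a group list is present under the claim name configured on the Harbor side. The token is constructed, the function names are hypothetical, and the signature is not verified, so this is only for inspecting a token while setting up the integration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed token (placeholder signature) purely as test input."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_group_claim(id_token: str, claim_name: str):
    """Return (ok, message) for the group list stored under claim_name."""
    if not claim_name:
        return False, "no group claim name configured"
    claims = decode_payload(id_token)
    if claim_name not in claims:
        return False, f"claim {claim_name!r} missing; token has {sorted(claims)}"
    value = claims[claim_name]
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        return False, f"claim {claim_name!r} is not a list of strings: {value!r}"
    return True, f"groups: {value}"


if __name__ == "__main__":
    # Constructed sample: user "test" in group "maintainer", as in the thread.
    token = make_sample_token(
        {"sub": "constructed-subject", "preferred_username": "test", "groups": ["maintainer"]}
    )
    for name in ("groups", "group", ""):
        print(repr(name), check_group_claim(token, name))
```
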