
fix(oauth2): add roles to user info mapping

Open estebangarcia opened this issue 3 years ago • 2 comments

When using an "OTHER" oauth2 provider we need to specify the user roles mapping field.

Gate supports this, but Halyard doesn't, so it has to be configured with a profile file.

estebangarcia avatar Jul 23 '21 12:07 estebangarcia

Any updates? There is still no option to pass roles through OAuth2...

VayshaYsno avatar Mar 08 '24 08:03 VayshaYsno

Found a solution! Spinnaker allows you to override its configuration through *-local.yml files. All you have to do is configure the connection part in the config, but put userInfoMapping and scope in gate-local.yml, like this:

config:
   security:
      authn:
         oauth2:
            enabled: true
            client:
               clientId: XXXXXX
               clientSecret: XXXXXXXX
               accessTokenUri: XXXXXXX
               userAuthorizationUri: XXXXXXX
            resource:
               userInfoUri: XXXXXX
            userInfoMapping: {}
            provider: OTHER

And this part in gate-local.yml:

security:
   oauth2:
      userInfoMapping:
         email: email
         firstName: given_name
         lastName: family_name
         username: username
         roles: groups
      client:
         scope: openid,email,profile,groups   # openid is the OpenID Connect scope; groups supplies the claim mapped to roles

And if you log in and check your Spinnaker API at https://domain-of-api.example/auth/user, you will see that roles are now passed successfully!

Note that your mappings may differ from those described above. I did this with k8s and Keycloak as the OpenID IdP. Hope it will be helpful for someone!

VayshaYsno avatar Mar 08 '24 10:03 VayshaYsno
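As an added illustration of the workaround above (example code, not part of the thread or of Spinnaker itself), the following models how the gate-local.yml fragment overrides the empty `userInfoMapping: {}` that Halyard emits, and then applies the merged mapping to a constructed Keycloak-style userinfo payload. The deep-merge semantics and the handling of `roles` as either a list or a comma-separated string are assumptions for this example, not Gate's documented behaviour; the sample config values and userinfo response are constructed.

```python
import json

# Constructed from the two YAML fragments in the thread (client settings omitted).
HAL_GATE_CONFIG = {"security": {"oauth2": {
    "enabled": True, "provider": "OTHER",
    "userInfoMapping": {},  # Halyard writes an empty mapping for provider OTHER
}}}
GATE_LOCAL = {"security": {"oauth2": {
    "userInfoMapping": {"email": "email", "firstName": "given_name",
                        "lastName": "family_name", "username": "username",
                        "roles": "groups"},
    "client": {"scope": "openid,email,profile,groups"},
}}}

def deep_merge(base, override):
    """Return base with override applied key by key: nested dicts are merged,
    any other value is replaced (assumed to mirror profile-file overrides)."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def map_user_info(mapping, userinfo):
    """Build a user record from a userinfo payload using a userInfoMapping dict.
    Roles are normalised to a list; a missing mapping or claim yields []."""
    user = {field: userinfo.get(claim)
            for field, claim in mapping.items() if field != "roles"}
    raw = userinfo.get(mapping.get("roles", ""), [])
    if isinstance(raw, str):  # assumption: some IdPs send "a,b" instead of a list
        raw = [r for r in raw.split(",") if r]
    user["roles"] = [str(r).strip() for r in raw]
    return user

def effective_user(hal_config, local_config, userinfo):
    """Merge the Halyard-generated config with the local override, then map."""
    cfg = deep_merge(hal_config, local_config)
    return map_user_info(cfg["security"]["oauth2"]["userInfoMapping"], userinfo)

# Constructed Keycloak-style userinfo response; 'groups' only appears when that scope is requested.
SAMPLE_USERINFO = {"email": "jane@example.com", "given_name": "Jane",
                   "family_name": "Doe", "username": "jdoe",
                   "groups": ["spinnaker-admins", "dev-team"]}

if __name__ == "__main__":
    print(json.dumps(effective_user(HAL_GATE_CONFIG, GATE_LOCAL, SAMPLE_USERINFO), indent=2))
    # Without the override the mapping stays empty, so the user ends up with no roles.
    print(effective_user(HAL_GATE_CONFIG, {}, SAMPLE_USERINFO)["roles"])
```

Running it without the `GATE_LOCAL` override shows the failure mode the thread describes: a user record with an empty roles list, which is what Fiat-based authorization would then see.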