OAuth2-Proxy Version
7.6.0

Provider
oidc

Expected Behaviour
Assume that the following ID token is received by oauth2-proxy:

When the oidc-groups-claim option is set to the value resource_access.my-oidc-client.roles and allowed-groups is set to admins, authentication should be successful.

Current Behaviour
With the setup described in expected behaviour, oauth2-proxy always redirects to 403 Forbidden.

Steps To Reproduce
1. Set oidc-groups-claim to a value that (a) contains at least one period and (b) at least one hyphen, for example resource_access.my-oidc-client.roles.
2. Make sure allowed-groups is set to a value that is contained in the claim you defined in step (1).
3. Open a URL that is configured to use oauth2-proxy for authentication.
4. After the identity provider redirects you back to oauth2-proxy, you will see the 403 Forbidden page.

Possible Solutions
I assume that this bug was introduced as part of #1921.
The value of oidc-groups-claim must meet at least these conditions to fail authentication:
(a) It must be a JSON path with more than one level (i.e. it must contain a period)
(b) It must contain a hyphen (there might be more characters I am not aware of)
If the mentioned conditions are met, the call to jp.ParseString in oauth2-proxy/pkg/providers/util/claim_extractor.go (line 146 in fc701bf) returns an error. As a result the claims string is interpreted as a literal string and not as a JSON path anymore.
Currently, the workaround is not to use hyphens when you have a JSON path with more than one level.
I will try to implement a fix and submit a PR.

Configuration details or additional information
No response
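Added illustration, not oauth2-proxy's own code: a minimal Go claim extractor (standard library only) that contrasts the literal-string fallback described above with a segment-by-segment walk of the dotted path, run on constructed claims shaped like the scenario in this report. The walk treats each dotted segment as an exact object key, so the hyphen in my-oidc-client cannot break it (it supports none of JSONPath's other syntax), and a claim that is missing or not a list is returned as an error so the caller fails closed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed ID-token claims shaped like the report's scenario (not a real token).
const sampleClaims = `{"sub":"alice","resource_access":{"my-oidc-client":{"roles":["admins","users"]}}}`

// walkPath resolves a dotted claim path one object key at a time. Each segment
// is used as a literal key, so hyphens are harmless; no JSONPath syntax is supported.
func walkPath(claims map[string]any, path string) any {
	var cur any = claims
	for _, seg := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return nil
		}
		cur = obj[seg]
	}
	return cur
}

// literalLookup models the failure mode in the report: the unparsed path string
// is tried as a single top-level claim name, which never matches a nested claim.
func literalLookup(claims map[string]any, path string) any {
	return claims[path]
}

// extractGroups returns the string list found at path using the given lookup.
// A missing or malformed claim is an error so the caller fails closed (403).
func extractGroups(raw []byte, path string, lookup func(map[string]any, string) any) ([]string, error) {
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	list, ok := lookup(claims, path).([]any)
	if !ok {
		return nil, fmt.Errorf("groups claim %q is missing or not a list", path)
	}
	var groups []string
	for _, g := range list {
		if s, ok := g.(string); ok {
			groups = append(groups, s)
		}
	}
	return groups, nil
}
```

With the literal lookup the nested path yields no groups and the request is denied, which matches the 403 seen in the report; with the segment walk the same configuration yields admins and users.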