Bug 1762447

Summary: Option to include group / membership from external IdP into user's identity object
Product: OpenShift Container Platform Reporter: liangch
Component: apiserver-authAssignee: Stefan Schimanski <sttts>
Status: CLOSED DUPLICATE QA Contact: scheng
Severity: low Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, mfojtik, slaznick
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-18 08:50:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description liangch 2019-10-16 18:45:58 UTC 
Description of problem:
The identity API, /apis/user.openshift.io/v1/identities/$NAME, only preserves very limited user claims from external OpenID Connect Provider. We need user's group memberships from OpenId Connect provider for RBAC. In a use case that I use OAuth-Proxy for authentication, and propagate the oauth opaque access_token to the upstream application. The upstream application can either call identities API or tokenreviews API to find user ID, however it can not reach the group membership assigned in external openid connect provider (like keycloak or Azure). 

Version-Release number of selected component (if applicable):


How reproducible:
Invoke either 
/apis/user.openshift.io/v1/identities/$NAME or 
/apis/authentication.k8s.io/v1/tokenreviews


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
See groups from external identity providers

Additional info:
Comment 1 Standa Laznicka 2019-10-18 08:50:07 UTC 
There's an RFE for this functionality, feel free to reach out to Red Hat to increase its priority.

*** This bug has been marked as a duplicate of bug 1469173 ***