Description of problem:
The identity API, /apis/user.openshift.io/v1/identities/$NAME, only preserves very limited user claims from an external OpenID Connect provider. We need the user's group memberships from the OpenID Connect provider for RBAC. In my use case, I use OAuth-Proxy for authentication and propagate the OAuth opaque access_token to the upstream application. The upstream application can call either the identities API or the tokenreviews API to find the user ID; however, it cannot reach the group membership assigned in the external OpenID Connect provider (such as Keycloak or Azure).

Version-Release number of selected component (if applicable):

How reproducible:
Invoke either /apis/user.openshift.io/v1/identities/$NAME or /apis/authentication.k8s.io/v1/tokenreviews

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
See groups from external identity providers

Additional info:
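The report describes an upstream service that receives an opaque token from OAuth-Proxy and calls the tokenreviews API, only to find the identity provider's groups absent from the response. The following added example (not code from the report, from OpenShift, or from OAuth-Proxy) shows the two sides of that exchange offline: the TokenReview request body the upstream service would POST, and a parser plus a fail-closed authorization check that refuses group-based decisions when only the synthetic `system:` groups came back. The response documents are constructed; the assumption that provider groups are not prefixed with `system:` is this example's, not the page's.

```python
"""Constructed example: validating an opaque token via TokenReview and
failing closed when no external (OIDC provider) groups are present.

Added illustration, not code from the bug report or from OpenShift.
The sample responses below are constructed; nothing here contacts a cluster.
"""
import json

# Path named in the report; the request is a POST of a TokenReview object.
TOKEN_REVIEW_API = "/apis/authentication.k8s.io/v1/tokenreviews"


def build_token_review(opaque_token: str) -> dict:
    """Request body the upstream app would POST to the TokenReview API."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": opaque_token},
    }


def parse_token_review(body: str) -> dict:
    """Extract the authenticated subject from a TokenReview response body.

    Returns a dict with keys: authenticated (bool), username, uid, groups (list).
    Missing fields are tolerated so a sparse response does not raise.
    """
    doc = json.loads(body)
    status = doc.get("status", {}) or {}
    user = status.get("user", {}) or {}
    return {
        "authenticated": bool(status.get("authenticated", False)),
        "username": user.get("username"),
        "uid": user.get("uid"),
        "groups": list(user.get("groups", []) or []),
    }


def external_groups(groups):
    """Groups that could have come from the identity provider.

    Kubernetes attaches synthetic 'system:' groups (e.g. system:authenticated)
    to every authenticated subject. Assumption for this example: provider
    groups are not prefixed with 'system:', so only the remainder counts.
    """
    return [g for g in groups if not g.startswith("system:")]


def authorize(subject: dict, required_group: str) -> tuple:
    """Fail-closed decision: allow only if the required external group is present.

    When the platform does not propagate the provider's groups, the upstream
    app sees only 'system:*' groups; a missing claim must read as 'deny',
    never as 'no restriction'.
    """
    if not subject["authenticated"]:
        return False, "token not authenticated"
    ext = external_groups(subject["groups"])
    if not ext:
        return False, "no external groups in TokenReview; group-based RBAC cannot be evaluated"
    if required_group not in ext:
        return False, "user %s not in %s" % (subject["username"], required_group)
    return True, "ok"


def _sample(groups) -> str:
    # Constructed TokenReview response; uid and username are placeholders.
    return json.dumps({
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "status": {
            "authenticated": True,
            "user": {"username": "alice", "uid": "placeholder-uid-0001", "groups": groups},
        },
    })


# What the report observes: identity resolved, but only the cluster's own group.
SAMPLE_WITHOUT_EXTERNAL_GROUPS = _sample(["system:authenticated"])
# What the report expects: the provider's group carried through.
SAMPLE_WITH_EXTERNAL_GROUPS = _sample(["system:authenticated", "platform-admins"])

if __name__ == "__main__":
    print("request:", json.dumps(build_token_review("<opaque-token>")))
    for label, body in (("without", SAMPLE_WITHOUT_EXTERNAL_GROUPS),
                        ("with", SAMPLE_WITH_EXTERNAL_GROUPS)):
        print(label, "provider groups ->", authorize(parse_token_review(body), "platform-admins"))
```

Run stand-alone, the script prints a deny for the first sample (no external groups to evaluate) and an allow for the second, which is the difference between the actual and expected results in the report.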
There's an RFE for this functionality, feel free to reach out to Red Hat to increase its priority. *** This bug has been marked as a duplicate of bug 1469173 ***