Score:1

Indirect Group Membership with Keycloak and oauth2-proxy


I'm using oauth2-proxy/oauth2-proxy with Keycloak-oidc provider for authentication for some pods in my Kubernetes cluster.

I can specify which groups are allowed to access a resource using the --allowed-group argument such as below

- --allowed-group="/vm-users/vm-editors/vm-admins"

This restricts login to members of the vm-admins group.

But when I set it to /vm-users/vm-editors to log in, I'm no longer allowed, as I have an indirect membership in vm-editors (it's set in FreeIPA, the user federation for Keycloak, so that members of the vm-admins group are also members of the vm-editors group).

I've tried /vm-users/vm-editors, /vm-users/vm-editors*, /vm-users/vm-editors/*; none of which work.

Is there a way to handle implicit/indirect group membership in this instance?

Did you ever get this working? I am facing the same issue.
@kaiffeetasse no, but I haven't looked into it in the past 12 months. Back then, I just switched to using Roles instead of groups and mapped the groups I needed to roles.
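The behaviour described in the question, as an added stand-alone illustration (not oauth2-proxy's or Keycloak's own code): plain string matching accepts only the leaf group path present in the token, while an ancestor match treats an allowed group as satisfied when it is a "/"-bounded prefix of a claimed group. The group paths and the claim contents are constructed for the example, and the ancestor rule only makes sense where the directory really does treat subgroup membership as implying parent membership, as the FreeIPA setup above does.

```go
package main

import (
	"fmt"
	"strings"
)

// ExactMatch reports whether any group in the token claim is literally one of
// the allowed groups. This mirrors what the question observes: with the claim
// carrying only "/vm-users/vm-editors/vm-admins", the parent path is rejected.
func ExactMatch(claimGroups, allowed []string) bool {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		set[a] = struct{}{}
	}
	for _, g := range claimGroups {
		if _, ok := set[g]; ok {
			return true
		}
	}
	return false
}

// AncestorMatch additionally accepts an allowed group that is an ancestor of a
// claimed group, i.e. a prefix ending on a "/" boundary. The boundary check is
// what stops "/vm-users/vm-editors" from also matching a sibling such as
// "/vm-users/vm-editors-readonly"; a bare strings.HasPrefix would allow that.
func AncestorMatch(claimGroups, allowed []string) bool {
	for _, g := range claimGroups {
		for _, a := range allowed {
			a = strings.TrimSuffix(a, "/") // tolerate "/vm-users/vm-editors/"
			if g == a || strings.HasPrefix(g, a+"/") {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed groups claim: the user is a direct member of vm-admins only.
	claim := []string{"/vm-users/vm-editors/vm-admins"}
	for _, allowed := range []string{
		"/vm-users/vm-editors/vm-admins",
		"/vm-users/vm-editors",
		"/vm-users/vm-editors-readonly",
	} {
		fmt.Printf("%-32s exact=%-5v ancestor=%v\n", allowed,
			ExactMatch(claim, []string{allowed}), AncestorMatch(claim, []string{allowed}))
	}
}
```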