Hi -

Thank you for your question.
You are correct in that neither roles nor groups are included in the JWT
token for KNOXSSO or KNOXTOKEN services.
I believe we are adding (or may have already added) an option to request
groups as well, but there is nothing for roles.

The separation of authentication and group lookup is pretty common
throughout the Hadoop ecosystem as you may have noticed.
Knox being a trusted proxyuser in that ecosystem by definition asserts the
identity of the authenticated user to the backend service when we are
proxying access to it.
There is nothing in the proxyuser contract for propagating the group
memberships.
Group lookup is always done closest to the resource being accessed.

Therefore, we only assert the authenticated user name in the JWT as well.
The service consuming the JWT is obligated to determine the groups that are
relevant for that user principal within the operating environment.
Note that these may be completely different groups than those available
from the original IDP.

If you provide more details around what you are trying to do, we may be
able to provide direction to get the groups that are expected from the
operating environment.
Roles are not something that we can do with existing code, however.

Hope that is helpful!

--larry

On Sat, Sep 24, 2022 at 4:46 AM Malthe <mbo...@gmail.com> wrote:

> When using pac4j with OIDC, I am able to see groups and/or roles in the
> log:
>
> 2022-09-24 10:25:06,600 DEBUG filter.Pac4jIdentityAdapter
> (Pac4jIdentityAdapter.java:doFilter(92)) - User authenticated as:
> #OidcProfile# | id: [REDACTED] | attributes: {sub=[REDACTED],
> amr=["pwd"], roles=["My role"],
> iss=https://sts.windows.net/[REDACTED]/, oid=[REDACTED],
> preferred_username=[REDACTED], tid=[REDACTED], ipaddr=[REDACTED],
> exp=Sat Sep 24 11:25:05 CEST 2022, iat=Sat Sep 24 10:20:05 CEST 2022,
> email=[REDACTED], ver=1.0, groups=["[\"group1\",\"group2\"]"],
> uti=[REDACTED], given_name=[REDACTED], token_expiration_advance=-1,
> aud=[[REDACTED]], unique_name=[REDACTED], nbf=Sat Sep 24 10:20:05 CEST
> 2022, idp=live.com, rh=[REDACTED], name=[REDACTED], expiration=Sat Sep
> 24 11:25:04 CEST 2022, family_name=[REDACTED]} | roles: [] |
> permissions: [] | isRemembered: false | clientName: OidcClient |
> linkedId: null |
>
> In the above, notice that the middle part contains values for "roles"
> and "groups".
>
> Now, neither of those are written into the JWT (hadoop-jwt) cookie.
>
> The JWT payload:
>
> {
>   "sub": "[REDACTED]",
>   "kid": "[REDACTED]",
>   "iss": "KNOXSSO",
>   "exp": 1664094307,
>   "managed.token": "false",
>   "knox.id": "[REDACTED]"
> }
>
> This happens even though I have:
>
> pac4j.session.store.exclude.groups=false
> pac4j.session.store.exclude.roles=false
>
> Are groups and/or roles not supposed to be written into the JWT with
> these settings?
>
> Cheers
>
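
As an added illustration of the split described above (example code, not from the thread and not Knox's own code): a backend consuming a hadoop-jwt-shaped payload takes only the asserted `sub`, ignores any groups/roles claim that might appear, and resolves membership from its own environment. The payload, the `kid`/`knox.id` values and the `ENV_GROUPS` mapping are constructed stand-ins; signature verification against the Knox signing key is a prerequisite that this snippet does not perform.

```python
import base64
import json
import time

# Constructed payload shaped like the hadoop-jwt in the thread: identity only.
SAMPLE_PAYLOAD = {
    "sub": "alice",
    "kid": "example-kid",            # constructed placeholder
    "iss": "KNOXSSO",
    "exp": 4102444800,               # constructed, far in the future
    "managed.token": "false",
    "knox.id": "example-knox-id",    # constructed placeholder
}

# Constructed environment-side mapping, standing in for whatever the resource
# actually consults (OS groups, LDAP, the cluster's group mapping service).
ENV_GROUPS = {
    "alice": ["hadoop", "analysts"],
    "bob": ["hadoop"],
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped fixture (header.payload. with an empty signature)."""
    return ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}), _b64url_encode(payload), ""])


def resolve_principal_groups(token: str, now=None):
    """Return (principal, groups): identity from the token, groups from the environment.

    Assumes the signature was already verified; only the payload is interpreted here.
    """
    _header, payload_b64, _sig = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != "KNOXSSO":
        raise ValueError("unexpected issuer")
    if (time.time() if now is None else now) >= payload["exp"]:
        raise ValueError("token expired")
    # Any "groups"/"roles" claim is deliberately not consulted: the operating
    # environment, not the original IDP, decides membership for this resource.
    sub = payload["sub"]
    return sub, sorted(ENV_GROUPS.get(sub, []))
```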
