Manage permission for OIDC users with keycloak

Hi,
I connected Boundary to Keycloak. Connections seem OK. Even so, I have no permissions for my users to connect to projects.

It seems as if users from managed groups don't get any role grants.

###############
JWT token for my user:
{
  "exp": xx,
  "iat": xx,
  "jti": "xx",
  "iss": "https://keycloak3.NDD/auth/realms/boundary",
  "aud": [
    "boundary",
    "account"
  ],
  "sub": "3b496e3c-ef-13cf2d4abd97",
  "typ": "Bearer",
  "azp": "boundary",

  "resource_access": {
    "boundary": {
      "roles": [
        "orgadmin"
      ]
    },
    "boundary": {
      "roles": [
        "orgadmin"
      ]
    }
  },
  "scope": "profile email",
  "sid": "baf19bxxxxx398-c1a4bb4184e5",
  "email_verified": true,
  "name": "test fake name",
  "preferred_username": "test",
  "given_name": "test",
  "family_name": "fake name",
  "email": "test@test.fr"
}

###############
TERRAFORM script oidc.tf

resource "boundary_auth_method_oidc" "this" {
  name                 = "keycloak Devoxx"
  scope_id             = boundary_scope.org.id
  state                = "active-public"
  is_primary_for_scope = true
  callback_url         = "${var.url}/v1/auth-methods/oidc:authenticate:callback"
  issuer               = var.issuer
  client_id            = var.client_id
  client_secret        = var.client_secret
  allowed_audiences = [
    var.client_id
  ]
  signing_algorithms = ["RS256"]
  api_url_prefix     = var.url
}

resource "boundary_managed_group" "app_users" {
  name           = "group-app-user"
  description    = "App Users"
  auth_method_id = boundary_auth_method_oidc.this.id
  filter         = "\"orgadmin\" in \"/token/resource_access/boundary.roles\""
}

Permissions at org level

resource "boundary_role" "global_oidc" {
  name          = "global_oidc_admin devoxx"
  description   = "global oidc admin devoxx"
  principal_ids = [boundary_managed_group.app_users.id]
  grant_strings = ["id=*;type=*;actions=*"]
  scope_id      = boundary_scope.org.id
}

Permissions at project level

resource "boundary_role" "global_oidc_group1" {
  name           = "global_oidc_admin group1 orga level"
  description    = "global oidc admin group1 orga level"
  principal_ids  = [boundary_managed_group.app_users.id]
  grant_strings  = ["id=*;type=*;actions=*"]
  scope_id       = boundary_scope.org.id
  grant_scope_id = boundary_scope.core_group1.id
}

###############

Account properties

boundary accounts read -id=acctoidc_CVV1JBdcZO

Account information:
  Auth Method ID:      amoidc_WP2F4Zz5RI
  Created Time:        Tue, 05 Apr 2022 23:33:06 UTC
  ID:                  acctoidc_CVV1JBdcZO
  Type:                oidc
  Updated Time:        Wed, 06 Apr 2022 22:18:39 UTC
  Version:             19

  Scope:
    ID:                o_ny0CM9QbrX
    Name:              boundary
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete

  Attributes:
    email:             devoxx@devoxx.fr
    full_name:         devoxx fake name
    issuer:            https://keycloak3.devoxx.esecpocgcp.com/auth/realms/master
    subject:           3b496e3c-f5c1-49e8-9fef-13cf2d4abd97
    token_claims:
    {
      "acr": "0",
      "at_hash": "Ta_SBwrS1ccn6A_jlxQzPQ",
      "aud": "boundary",
      "auth_time": 1649283300,
      "azp": "boundary",
      "email": "test@test.fr",
      "email_verified": true,
      "exp": 1649283577,
      "family_name": "fake name",
      "given_name": "test",
      "iat": 1649283516,
      "iss": "https://XXXX/auth/realms/master",
      "jti": "1da4f1a6-c68xxx8df0-c6b9740b8f4c",
      "name": "test fake name",
      "nonce": "PQ2SsqBpOaww3hexRZ9v",
      "preferred_username": "test",
      "session_state": "894933e2-b4c1-5d9524612177",
      "sid": "894933e2-b4c1-5d9524612177",
      "sub": "3b496e3c-9fef-13cf2d4abd97",
      "typ": "ID"
    }
    userinfo_claims:
    {
      "email": "test@test.fr",
      "email_verified": true,
      "family_name": "fake name",
      "given_name": "test",
      "name": "test fake name",
      "preferred_username": "test",
      "sub": "3b496e3c-f5c1-13cf2d4abd97"
    }

How can I automatically give permissions to my users who connect through Keycloak?

Many thanks for your support

Regards

Should it be /token/resource_access/boundary/roles instead of /token/resource_access/boundary.roles?

I modified my filter :wink: but even so, I didn't see any projects.

I found my issue; it was in the filter.
I'm sorry to have disturbed you.


I got this working with the group below.
Escaping quotes was a gotcha. Also, in Keycloak, in the client area, you can check the token capabilities and make sure groups/dev-boundary-admin-role comes through.

resource "boundary_managed_group" "keycloak_boundary_admin" {
  name           = "Infra Super Admin"
  description    = "A role"
  auth_method_id = boundary_auth_method_oidc.keycloak.id
  filter         = "\"dev-boundary-admin-role\" in \"/token/groups\""
}

One trick that helps with troubleshooting managed group filters is if you log in to Boundary as the OIDC user you’re trying to set up a filter for, then read their account with a Boundary admin user, you’ll see the claim document that Boundary is getting for them. So for example I have an environment set up with an Azure AD OIDC auth method and I can read user claims like so:

$ boundary users list
[...]
  ID:                    u_Ip3o3P3cZQ
    Version:             1
    Primary Account ID:  acctoidc_Qu4KIJEQGo
    Login Name:          eh9eSqNlmvr3yWD3EHvGuU7N3qXxT_FFSRKkNIgeftY
    Full Name:           Boundary demo admin user joe.admin
    Authorized Actions:
      no-op
      read
      update
      delete
      add-accounts
      set-accounts
      remove-accounts
[...]
$ boundary accounts read -id acctoidc_Qu4KIJEQGo

Account information:
  Auth Method ID:      amoidc_8Dkv7aFSPe
  Created Time:        Fri, 01 Apr 2022 06:29:04 EDT
  ID:                  acctoidc_Qu4KIJEQGo
  Type:                oidc
  Updated Time:        Wed, 06 Apr 2022 19:53:32 EDT
  Version:             2

  Scope:
    ID:                global
    Name:              global
    Type:              global

  Managed Group IDs:
    mgoidc_iSMCqMF14m

  Authorized Actions:
    no-op
    read
    update
    delete

  Attributes:
    full_name:         Boundary demo admin user joe.admin
[...]
    token_claims:
    {
      [claims list]
    }
    userinfo_claims:
    {
      [claims list]
    }
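As an added example (this is not Boundary's own evaluator and not code from any of the posters above), here is a small Python dry-run of the '"value" in "/selector"' filters used in this thread. It takes the claims you get back from "boundary accounts read", builds the document shape that Boundary's OIDC managed-group documentation describes ({"token": ID-token claims, "userinfo": userinfo claims}), and resolves the selector as a slash-separated path into it. That makes the one-character bug from the first post visible: "/token/resource_access/boundary.roles" does not resolve at all, so the filter can never match, while "/token/resource_access/boundary/roles" reaches the roles list. It also prints the Terraform-escaped form of each filter, since that escaping was the other gotcha mentioned. The sample claims are constructed from the thread's output, and the "in" semantics (list membership, map-key membership, substring on strings) are an approximation of the real filter engine, not a reimplementation of it.

```python
"""Dry-run a Boundary managed-group filter against an OIDC claims document.

Added example, not Boundary's own code. It models only the filter shape used
in this thread ('"<value>" in "<selector>"') and resolves selectors as
slash-separated paths into {"token": ..., "userinfo": ...}. The 'in'
semantics below are an assumption approximating the real evaluator.
"""
import re

# Constructed sample claims, trimmed from the token and account output in the
# thread (identifiers shortened/anonymised as in the original post).
TOKEN_CLAIMS = {
    "iss": "https://keycloak3.NDD/auth/realms/boundary",
    "aud": "boundary",
    "sub": "3b496e3c-ef-13cf2d4abd97",
    "resource_access": {"boundary": {"roles": ["orgadmin"]}},
    "preferred_username": "test",
    "email": "test@test.fr",
}
USERINFO_CLAIMS = {
    "sub": "3b496e3c-ef-13cf2d4abd97",
    "preferred_username": "test",
    "email": "test@test.fr",
}
# Constructed sample for the groups-claim variant from the later reply.
GROUPS_TOKEN_CLAIMS = {"sub": "abc", "groups": ["dev-boundary-admin-role"]}


def filter_document(token_claims, userinfo_claims):
    """The shape Boundary exposes to managed-group filters (assumed layout)."""
    return {"token": token_claims, "userinfo": userinfo_claims}


def resolve(doc, selector):
    """Walk a '/a/b/c' selector. Returns (found, value); a missing step is
    reported rather than raised, because a filter whose selector does not
    resolve simply never matches."""
    node = doc
    for part in selector.strip("/").split("/"):
        if isinstance(node, dict) and part in node:
            node = node[part]
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return False, None
    return True, node


_IN_EXPR = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+in\s+"((?:[^"\\]|\\.)*)"$')


def parse_in_filter(expr):
    """Split '"value" in "/selector"' into (value, selector)."""
    m = _IN_EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    return m.group(1).replace('\\"', '"'), m.group(2).replace('\\"', '"')


def evaluate(expr, doc):
    """True when the filter would place this account in the managed group."""
    value, selector = parse_in_filter(expr)
    found, node = resolve(doc, selector)
    if not found:
        return False
    # list: element membership; dict: key membership; str: substring
    if isinstance(node, (list, dict, str)):
        return value in node
    return False


def hcl_string(expr):
    """Render the filter as a Terraform double-quoted string literal, which is
    where the quote-escaping gotcha from the thread comes from."""
    return '"' + expr.replace("\\", "\\\\").replace('"', '\\"') + '"'


def report(filters, doc):
    """Map each candidate filter to whether it matches, so a path that is
    wrong by one character can be compared side by side with the fix."""
    return {f: evaluate(f, doc) for f in filters}


if __name__ == "__main__":
    doc = filter_document(TOKEN_CLAIMS, USERINFO_CLAIMS)
    candidates = [
        '"orgadmin" in "/token/resource_access/boundary.roles"',  # as first posted
        '"orgadmin" in "/token/resource_access/boundary/roles"',  # corrected path
    ]
    for f, ok in report(candidates, doc).items():
        print(f"{'MATCH   ' if ok else 'no match'}  {f}")
        print(f"          terraform: filter = {hcl_string(f)}")
```

To use it against a real account, paste the token_claims and userinfo_claims objects from "boundary accounts read" into TOKEN_CLAIMS and USERINFO_CLAIMS and list the filter variants you are unsure about in candidates; a filter that reports "no match" because resolve() returns (False, None) is a path problem, not a permissions problem.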