Hello
I am having a hard time configuring the OIDC authentication method associated with a managed group. I am creating a demo organization belonging to the global scope and a dummy project belonging to the demo organization scope. I have also created the corresponding roles, set grants for these roles and added user principals to them.
However, when authenticating successfully through OpenID I am facing a 403 unauthorized status code.
I will try to describe the setup below to provide as much information as possible.
$ boundary scopes list -recursive

Scope information:
  ID:                    o_ecsPgdYOZI
    Scope ID:            global
    Version:             1
    Name:                demo-org
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    o_tO2HOvW5CG
    Scope ID:            global
    Version:             1
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    p_8ei8Y3PVSr
    Scope ID:            o_ecsPgdYOZI
    Version:             1
    Name:                dummy-project
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    p_oDL2yLsZJ2
    Scope ID:            o_tO2HOvW5CG
    Version:             1
    Name:                Generated project scope
    Description:         Provides an initial project scope in Boundary
    Authorized Actions:
      no-op
$ boundary roles list -recursive

Role information:
  ID:                    r_30Cjk7bUBV
    Scope ID:            global
    Version:             3
    Name:                Login and Default Grants
    Description:         Role created for login capability, account self-management, and other default
                         grants for users of the global scope at its creation time
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_o3P9pMfzce
    Scope ID:            global
    Version:             3
    Name:                Administration
    Description:         Provides admin grants within the "global" scope to the initial user
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_JxO1v4CFtT
    Scope ID:            global
    Version:             3
    Name:                global-admin-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_LOxyV1gRvj
    Scope ID:            global
    Version:             3
    Name:                demo-admin-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_XhVlJWdN4f
    Scope ID:            o_ecsPgdYOZI
    Version:             3
    Name:                dummy-project-admin-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_VNFkjSki8D
    Scope ID:            o_ecsPgdYOZI
    Version:             3
    Name:                DEMO-SRE-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants
$ boundary auth-methods list -recursive

Auth Method information:
  ID:                    amoidc_PvwKS2Mv4C
    Scope ID:            global
    Version:             2
    Type:                oidc
    Name:                oidc
    Is Primary For Scope: true
    Authorized Actions:
      no-op
      read
      update
      delete
      change-state
      authenticate

  ID:                    ampw_cYw7FqadzK
    Scope ID:            global
    Version:             1
    Type:                password
    Name:                Generated global scope initial password auth method
    Description:         Provides initial administrative and unprivileged authentication into Boundary
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

  ID:                    ampw_4wGky7xcaV
    Scope ID:            global
    Version:             1
    Type:                password
    Name:                global: admin userpass
    Description:         global: admin auth method
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate
The first thing I am misunderstanding is why, when logging in through the UI, I can only see the Global scope when looking into the Choose a different scope menu.
I am certainly missing something here, but this drove me to set the OIDC auth method as the primary auth method at the global scope (my first intent was to set it at the demo org scope only, but as I couldn't select the demo scope in the UI I had to adapt my setup).
Below is the managed group I created:

$ boundary managed-groups list -auth-method-id amoidc_PvwKS2Mv4C

Managed Group information:
  ID:                    mgoidc_0yt2Urt628
    Version:             1
    Type:                oidc
    Name:                FUNCTION-SRE
    Description:         Managed group for SREs
    Authorized Actions:
      no-op
      read
      update
      delete

Another thing that bothers me is the list of actions granted to this managed group: I cannot see list and don't know why.
This managed group has been set as principal to my DEMO-SRE-role.
$ boundary roles read -id r_VNFkjSki8D

Role information:
  Created Time:          Wed, 27 Sep 2023 11:42:52 CEST
  Grant Scope ID:        p_8ei8Y3PVSr
  ID:                    r_VNFkjSki8D
  Name:                  DEMO-SRE-role
  Updated Time:          Wed, 27 Sep 2023 11:42:53 CEST
  Version:               3

  Scope:
    ID:                  o_ecsPgdYOZI
    Name:                demo-org
    Parent Scope ID:     global
    Type:                org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:                  mgoidc_0yt2Urt628
      Type:              managed group
      Scope ID:          global

  Canonical Grants:
    ids=*;type=auth-method;actions=authenticate
    ids=*;type=credential-store;actions=create,delete:self,list,read:self
    ids=*;type=credential;actions=create,delete:self,list,read:self
    ids=*;type=host-catalog;actions=create,delete:self,list,read:self
    ids=*;type=host-set;actions=create,delete:self,list,read:self
    ids=*;type=host;actions=create,delete:self,list,read:self
    ids=*;type=scope;actions=list,no-op,read
    ids=*;type=session;actions=create,delete:self,list,read:self
    ids=*;type=target;actions=create,delete:self,list,read:self
Unfortunately, when I authenticate myself through OpenID, I cannot interact with my dummy-project.
Below are the logs extracted from the controller:
I can see that I am receiving a 403 from the API when trying to access /v1/scopes/global.
I am a bit lost here, any help would be greatly appreciated.
Thank you very much
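The following is an added example, not code from the post above and not Boundary's own authorization code. It is a small model of how a Boundary canonical grant string (`ids=...;type=...;actions=...`) is parsed and how a role's grant scope limits where its grants apply, built from the DEMO-SRE-role output shown in the post. The model makes two simplifying assumptions: a role's grants apply only to requests made in its grant scope, and Boundary's default roles (such as "Login and Default Grants" and its anonymous/authenticated-user principals, whose principal lists are not shown in the post) are left out. The `GLOBAL_SCOPE_READER` role and the `r_hypothetical` id are hypothetical, added only to show what changes when the same managed group is granted `read` on scopes in the global scope. The model is an illustration of the grant-scope rule, not a diagnosis of the 403 in the post.

```python
"""Toy model of Boundary grant evaluation (added example; not Boundary's code).

Assumptions (simplified from the Boundary RBAC model, not a server implementation):
  * a grant applies only to requests made in the role's grant scope;
  * ``ids=*`` matches every resource of ``type``, an explicit id matches that id;
  * actions are compared literally (``read`` and ``read:self`` are distinct);
  * default roles and their u_anon / u_auth principals are omitted.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One canonical grant, e.g. ``ids=*;type=scope;actions=list,no-op,read``."""

    ids: frozenset[str]
    type: str
    actions: frozenset[str]

    @classmethod
    def parse(cls, text: str) -> "Grant":
        fields: dict[str, str] = {}
        for part in filter(None, text.split(";")):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        ids = fields.get("ids", fields.get("id", "*"))  # older output used "id="
        return cls(
            ids=frozenset(ids.split(",")),
            type=fields.get("type", "*"),
            actions=frozenset(a for a in fields.get("actions", "").split(",") if a),
        )

    def permits(self, resource_type: str, resource_id: str, action: str) -> bool:
        type_ok = self.type in ("*", resource_type)
        id_ok = "*" in self.ids or resource_id in self.ids
        action_ok = "*" in self.actions or action in self.actions
        return type_ok and id_ok and action_ok


@dataclass
class Role:
    id: str
    scope_id: str         # scope the role object lives in
    grant_scope_id: str   # scope whose requests the grants apply to (model assumption)
    principals: frozenset[str]
    grants: tuple[Grant, ...]


def authorizing_role(roles: list[Role], principals: set[str], request_scope: str,
                     resource_type: str, resource_id: str, action: str) -> str | None:
    """Return the id of the first role that allows the request, or None (403)."""
    for role in roles:
        if role.grant_scope_id != request_scope or not (role.principals & principals):
            continue
        if any(g.permits(resource_type, resource_id, action) for g in role.grants):
            return role.id
    return None


# Constructed from the `boundary roles read -id r_VNFkjSki8D` output in the post.
SRE_GROUP = "mgoidc_0yt2Urt628"
DEMO_SRE_ROLE = Role(
    id="r_VNFkjSki8D", scope_id="o_ecsPgdYOZI", grant_scope_id="p_8ei8Y3PVSr",
    principals=frozenset({SRE_GROUP}),
    grants=tuple(Grant.parse(s) for s in (
        "ids=*;type=auth-method;actions=authenticate",
        "ids=*;type=scope;actions=list,no-op,read",
        "ids=*;type=session;actions=create,delete:self,list,read:self",
        "ids=*;type=target;actions=create,delete:self,list,read:self",
    )),
)

# Hypothetical role (assumption, not in the post): same group, grants applied at global.
GLOBAL_SCOPE_READER = Role(
    id="r_hypothetical", scope_id="global", grant_scope_id="global",
    principals=frozenset({SRE_GROUP}),
    grants=(Grant.parse("ids=*;type=scope;actions=list,read"),),
)


def demo(roles: list[Role]) -> dict[str, str | None]:
    """Which role, if any, authorizes a few requests a client makes after login."""
    who = {SRE_GROUP}
    return {
        "list targets in p_8ei8Y3PVSr": authorizing_role(roles, who, "p_8ei8Y3PVSr", "target", "*", "list"),
        "read scope global":            authorizing_role(roles, who, "global", "scope", "global", "read"),
        "list scopes under global":     authorizing_role(roles, who, "global", "scope", "*", "list"),
    }


if __name__ == "__main__":
    for label, role in demo([DEMO_SRE_ROLE]).items():
        print(f"{label:32} -> {role or 'no matching grant (403)'}")
    print("with hypothetical global role:", demo([DEMO_SRE_ROLE, GLOBAL_SCOPE_READER]))
```

In this model the DEMO-SRE-role authorizes listing targets inside p_8ei8Y3PVSr, but contributes nothing to a request against the global scope because its grant scope is the project; only a role whose grants apply at global (the hypothetical `GLOBAL_SCOPE_READER`) changes the outcome for `read` on `global`. The real server also evaluates the default roles omitted here, so the model is only a way to reason about which role is expected to cover a given request.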