OIDC configuration and managed group

Hello :wave:

I am having a hard time configuring the OIDC authentication method associated with a managed group. I have created a demo organization in the global scope and a dummy project in the demo organization scope. I have also created the corresponding roles, set grants for these roles and added user principals to them.
However, when authenticating successfully through OpenID I am facing a 403 unauthorized status code.

I will try to describe the setup below to provide as much information as possible.

$ boundary scopes list -recursive

Scope information:
  ID:                    o_ecsPgdYOZI
    Scope ID:            global
    Version:             1
    Name:                demo-org
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    o_tO2HOvW5CG
    Scope ID:            global
    Version:             1
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    p_8ei8Y3PVSr
    Scope ID:            o_ecsPgdYOZI
    Version:             1
    Name:                dummy-project
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    p_oDL2yLsZJ2
    Scope ID:            o_tO2HOvW5CG
    Version:             1
    Name:                Generated project scope
    Description:         Provides an initial project scope in Boundary
    Authorized Actions:
      no-op

$ boundary roles list -recursive
Role information:
  ID:                    r_30Cjk7bUBV
    Scope ID:            global
    Version:             3
    Name:                Login and Default Grants
    Description:         Role created for login capability, account self-management, and other default
    grants for users of the global scope at its creation time
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_o3P9pMfzce
    Scope ID:            global
    Version:             3
    Name:                Administration
    Description:         Provides admin grants within the "global" scope to the initial user
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_JxO1v4CFtT
    Scope ID:            global
    Version:             3
    Name:                global-admin-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_LOxyV1gRvj
    Scope ID:            global
    Version:             3
    Name:                demo-admin-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_XhVlJWdN4f
    Scope ID:            o_ecsPgdYOZI
    Version:             3
    Name:                dummy-project-admin-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_VNFkjSki8D
    Scope ID:            o_ecsPgdYOZI
    Version:             3
    Name:                DEMO-SRE-role
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

$ boundary auth-methods list -recursive

Auth Method information:
  ID:                     amoidc_PvwKS2Mv4C
    Scope ID:             global
    Version:              2
    Type:                 oidc
    Name:                 oidc
    Is Primary For Scope: true
    Authorized Actions:
      no-op
      read
      update
      delete
      change-state
      authenticate

  ID:                     ampw_cYw7FqadzK
    Scope ID:             global
    Version:              1
    Type:                 password
    Name:                 Generated global scope initial password auth method
    Description:          Provides initial administrative and unprivileged authentication into Boundary
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

  ID:                     ampw_4wGky7xcaV
    Scope ID:             global
    Version:              1
    Type:                 password
    Name:                 global: admin userpass
    Description:          global: admin auth method
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

:warning: The first thing I am misunderstanding is why, when logging in through the UI, I can only see the Global scope in the Choose a different scope menu.

I am certainly missing something here, but this drove me to set the OIDC auth method as the primary auth method at the global scope (my first intent was to set it at the demo org scope only, but as I couldn’t select the demo scope in the UI I had to adapt my setup).

Below is the managed group I created:

$ boundary managed-groups list -auth-method-id amoidc_PvwKS2Mv4C

Managed Group information:
  ID:                    mgoidc_0yt2Urt628
    Version:             1
    Type:                oidc
    Name:                FUNCTION-SRE
    Description:         Managed group for SREs
    Authorized Actions:
      no-op
      read
      update
      delete

:warning: Another thing that bothers me is the list of actions granted to this managed group: I cannot see list and I don't know why.

This managed group has been set as a principal of my DEMO-SRE-role.

$ boundary roles read -id r_VNFkjSki8D

Role information:
  Created Time:        Wed, 27 Sep 2023 11:42:52 CEST
  Grant Scope ID:      p_8ei8Y3PVSr
  ID:                  r_VNFkjSki8D
  Name:                DEMO-SRE-role
  Updated Time:        Wed, 27 Sep 2023 11:42:53 CEST
  Version:             3

  Scope:
    ID:                o_ecsPgdYOZI
    Name:              demo-org
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             mgoidc_0yt2Urt628
      Type:         managed group
      Scope ID:     global

  Canonical Grants:
    ids=*;type=auth-method;actions=authenticate
    ids=*;type=credential-store;actions=create,delete:self,list,read:self
    ids=*;type=credential;actions=create,delete:self,list,read:self
    ids=*;type=host-catalog;actions=create,delete:self,list,read:self
    ids=*;type=host-set;actions=create,delete:self,list,read:self
    ids=*;type=host;actions=create,delete:self,list,read:self
    ids=*;type=scope;actions=list,no-op,read
    ids=*;type=session;actions=create,delete:self,list,read:self
    ids=*;type=target;actions=create,delete:self,list,read:self

Unfortunately, when I authenticate through OpenID, I cannot interact with my dummy-project.

Below are the logs extracted from the controller:

I can see that I am receiving a 403 from the API when trying to access /v1/scopes/global.

I am a bit lost here; any help would be greatly appreciated.

Thank you very much :slight_smile:

This is because all of your auth methods are at the global scope, so there is no other scope to show when authenticating.

> Another thing that bothers me is the list of actions granted to this managed group, I cannot see list and dunno why.

List permissions are only relevant for collections (e.g. the managed group collection), not for specific items within those collections.

> I can see that I am receiving a 403 from the api when trying to access /v1/scopes/global.

It looks like you don’t have permissions to view the global scope (e.g. read on it). Notice in your recursive scope listing that global doesn’t appear in it. I’m not sure what permissions you have in the various roles within the global scope.

What do you mean by "Notice in your recursive scope listing that global doesn’t appear in it"?

I can see that in the recursive scope list:

  ID:                    o_tO2HOvW5CG
    Scope ID:            global
    Version:             1
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete

It is the global scope, isn’t it?

When reading my DEMO-SRE-role I have the following:

$ boundary roles read -id r_VNFkjSki8D

Role information:
  Created Time:        Wed, 27 Sep 2023 11:42:52 CEST
  Grant Scope ID:      p_8ei8Y3PVSr
  ID:                  r_VNFkjSki8D
  Name:                DEMO-SRE-role
  Updated Time:        Wed, 27 Sep 2023 11:42:53 CEST
  Version:             3

  Scope:
    ID:                o_ecsPgdYOZI
    Name:              demo-org
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             mgoidc_0yt2Urt628
      Type:         managed group
      Scope ID:     global

  Canonical Grants:
    ids=*;type=auth-method;actions=authenticate
    ids=*;type=credential-store;actions=create,delete:self,list,read:self
    ids=*;type=credential;actions=create,delete:self,list,read:self
    ids=*;type=host-catalog;actions=create,delete:self,list,read:self
    ids=*;type=host-set;actions=create,delete:self,list,read:self
    ids=*;type=host;actions=create,delete:self,list,read:self
    ids=*;type=scope;actions=list,no-op,read
    ids=*;type=session;actions=create,delete:self,list,read:self
    ids=*;type=target;actions=create,delete:self,list,read:self

I’ve scoped this role to my demo org (o_ecsPgdYOZI) and also granted the scope of my dummy project (p_8ei8Y3PVSr). My managed group (mgoidc_0yt2Urt628) has been set as a principal. This managed group (mgoidc_0yt2Urt628) has been created and configured to use the OIDC auth method (amoidc_PvwKS2Mv4C). However, this OIDC auth method is tied to the global scope; is that what I am doing wrong?
If not, you said that it looks like I am missing permissions to view the global scope (read on it). Can I set an additional grant on my DEMO-SRE-role to give it the read permission? If yes, how can I achieve that? I tried adding ids=global;type=*;actions=list,read but it does not seem to work; I get an error saying "ids=global;type=*;actions=list,read" contains an id that does not support child types.

One last question: I tried to bind my OIDC auth method to the scope of my demo org instead of the global one, but when I try to do that I get another error:
scope.(Service).updateInRepo: unable to update project: iam.(Repository).UpdateScope: for public id o_ecsPgdYOZI: iam.(Repository).update: db.DoTx: iam.(Repository).update: db.Update: insert or update on table "iam_scope" violates foreign key constraint "auth_method_primary_auth_method_id_fkey": integrity violation: error #1003

Thank you very much for your help :slight_smile:

It isn’t – the o_ prefix indicates that it is an organization scope. Scopes are containers of other things – including other scopes (in a global → organization(s) → project(s) hierarchy). What you’re looking at there is an organization scope with ID o_tO2HOvW5CG contained in the scope with ID global.

These grants will take effect only in the scope in Grant Scope ID – so it’s not “also” but rather it will only affect the project scope.

No, you can use managed groups from other scopes as principals in a role in a different scope.

No, because role grants apply to the grant scope ID, so you can’t give grants in the global scope from a role in an org or project scope. You need a role in global scope that grants this permission.

I’m not sure what command you were running here but you can’t change scopes of an auth method after creation. That looks like an error that we need to make nicer instead of leaking database constraints through :slight_smile:
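As an added illustration of the grant-scope rule in the answer above (a simplified model written for this page, not Boundary's own code), the following reproduces why the org-scoped DEMO-SRE-role, whose grant scope is the project, cannot satisfy read on the global scope while a role whose grant scope is global can. The scope, role, grant and managed-group ids come from the thread; the user id u_sre and its membership in the managed group are assumptions.

```python
# Simplified model of Boundary grant evaluation, written for this thread
# (not Boundary's own code). Scope, role, grant and managed-group ids are
# taken from the posts above; the user id u_sre and its membership in the
# managed group are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    scope_id: str          # scope the role object lives in
    grant_scope_id: str    # the only scope in which its grants take effect
    principals: frozenset  # user and managed-group ids attached as principals
    grants: tuple          # canonical grant strings

def parse_grant(grant):
    """Split 'ids=..;type=..;actions=..' into ids/actions sets and a type."""
    kv = dict(part.split("=", 1) for part in grant.split(";"))
    return {"ids": set(kv.get("ids", "").split(",")) - {""},
            "type": kv.get("type"),
            "actions": set(kv.get("actions", "").split(",")) - {""}}

def grant_matches(grant, res_id, res_type, action):
    g = parse_grant(grant)
    return (("*" in g["ids"] or res_id in g["ids"])
            and g["type"] in (None, "*", res_type)
            and ("*" in g["actions"] or action in g["actions"]))

def allowed(roles, caller, res_scope, res_id, res_type, action):
    """A role counts only if its grant scope is the scope the resource is
    evaluated in and it names one of the caller's principals; the role's own
    scope and the managed group's scope play no part."""
    return any(role.grant_scope_id == res_scope and role.principals & caller
               and any(grant_matches(g, res_id, res_type, action)
                       for g in role.grants)
               for role in roles)

MG = "mgoidc_0yt2Urt628"             # managed group living in scope global
CALLER = frozenset({"u_sre", MG})    # constructed user plus its group
DEMO_SRE = Role("o_ecsPgdYOZI", "p_8ei8Y3PVSr", frozenset({MG}), (
    "ids=*;type=scope;actions=list,no-op,read",
    "ids=*;type=target;actions=create,delete:self,list,read:self"))
GLOBAL_READER = Role("global", "global", frozenset({MG}), (
    "ids=*;type=scope;actions=list,no-op,read",))   # the missing global role

def check_thread_setup():
    """Evaluate the 403 case with and without a role in the global scope."""
    before, after = [DEMO_SRE], [DEMO_SRE, GLOBAL_READER]
    return {  # reading scope 'global' is evaluated in scope 'global'
        "read_global_before": allowed(before, CALLER, "global", "global", "scope", "read"),
        "list_targets_in_project": allowed(before, CALLER, "p_8ei8Y3PVSr", "*", "target", "list"),
        "read_global_after": allowed(after, CALLER, "global", "global", "scope", "read")}
```

The first key is the 403 from the thread: the managed group is a valid principal, but nothing with grant scope global grants read there until the second role exists.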

@jeff Thank you very much for your time, you pointed me in the right direction.

Best,