I'm using oauth2-proxy/oauth2-proxy with Keycloak-oidc provider for authentication for some pods in my Kubernetes cluster.

I can specify which groups are allowed to access a resource using the --allowed-group argument, as below:

- --allowed-group="/vm-users/vm-editors/vm-admins"

This restricts login to members of the vm-admins group.

But when I set it to /vm-users/vm-editors, I'm no longer allowed to log in, as I have an indirect membership in vm-editors (it's set in FreeIPA, the user federation for Keycloak, so that members of the vm-admins group are also members of the vm-editors group).

I've tried /vm-users/vm-editors, /vm-users/vm-editors*, /vm-users/vm-editors/*; none of which work.

Is there a way to handle implicit/indirect group membership in this instance?

Paul
cclloyd
  • Did you ever get this working? I am facing the same issue. – kaiffeetasse May 10 '23 at 11:06
  • @kaiffeetasse No, but I haven't looked into it in the past 12 months. Back then, I just switched to using Roles instead of groups and mapped the groups I needed to roles. – cclloyd May 10 '23 at 17:28
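Why the attempted patterns fail, as an added illustration that is not part of the original question or of oauth2-proxy's code: oauth2-proxy compares every value in the token's groups claim against the --allowed-group list by exact string equality, so a nested child path never satisfies its parent and `*` has no glob meaning. The `expand_ancestors` helper is a hypothetical pre-processing step showing what the groups claim would have to contain for the parent path to match; the sample groups claim is constructed.

```python
from typing import Iterable, List

# Constructed sample: Keycloak's "full group path" mapper emits only the
# group the user is a direct member of, as synced from FreeIPA.
TOKEN_GROUPS = ["/vm-users/vm-editors/vm-admins"]

# The values the question reports trying, none of which grant access.
ATTEMPTED_ALLOWED_GROUPS = [
    "/vm-users/vm-editors",
    "/vm-users/vm-editors*",
    "/vm-users/vm-editors/*",
]


def allowed_by_oauth2_proxy(token_groups: Iterable[str],
                            allowed_groups: Iterable[str]) -> bool:
    """Model of oauth2-proxy's allowed-group check: an exact-match set lookup.
    No prefix or wildcard matching is performed on either side."""
    allowed = set(allowed_groups)
    return any(group in allowed for group in token_groups)


def attempted_outcomes(token_groups: Iterable[str]) -> dict:
    """Evaluate each value from the question against the sample claim."""
    return {g: allowed_by_oauth2_proxy(token_groups, [g])
            for g in ATTEMPTED_ALLOWED_GROUPS}


def expand_ancestors(token_groups: Iterable[str]) -> List[str]:
    """Hypothetical: derive every ancestor path of each nested group so that
    indirect (parent) membership becomes visible to an exact-match check.
    oauth2-proxy does not do this; the IdP would have to emit these paths."""
    paths = set()
    for group in token_groups:
        parts = [p for p in group.split("/") if p]
        for depth in range(1, len(parts) + 1):
            paths.add("/" + "/".join(parts[:depth]))
    return sorted(paths)


if __name__ == "__main__":
    for value, ok in attempted_outcomes(TOKEN_GROUPS).items():
        print(f"{value!r:32} -> {'allowed' if ok else 'denied'}")
    expanded = expand_ancestors(TOKEN_GROUPS)
    print("expanded claim:", expanded)
    print("parent path allowed with expanded claim:",
          allowed_by_oauth2_proxy(expanded, ["/vm-users/vm-editors"]))
```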
