    Add groups claim to JWT token
    • abhishek

      We are trying to use FusionAuth as the OIDC provider for our Kubernetes cluster. Kubernetes currently authorizes users based on either the username or a group name associated with the user. (https://kubernetes.io/docs/reference/access-authn-authz/authentication/)

      We are creating FusionAuth groups to list all the users who have access to the cluster. However, I am not able to figure out how to make the JWT token contain the list of groups, which I can then ask Kubernetes to read using the flag --oidc-groups-claim.

      I saw that the user object has the list of groups ids, however, I need the list of group names. And if I understand correctly from this issue (https://github.com/FusionAuth/fusionauth-issues/issues/267), we can't even fetch the name from the id using an api call. All other OIDC providers like Okta and Auth0 have the concept of groups claim.

      Is my understanding above correct or am I missing something? Would love to get past this, since otherwise we will have to give up on using FusionAuth for our Kubernetes cluster. And OIDC with Kubernetes is a pretty generic use case. One solution I could think of is to have roles on my end and then convert it to groups claim in the JWT lambda, but it sounds like a dirty hack.

      • dan @abhishek

        @abhishek

        You are correct, right now there is no way to get a group name in a JWT in a straightforward manner. This is an open issue: https://github.com/FusionAuth/fusionauth-issues/issues/229 but this will most likely be resolved when https://github.com/FusionAuth/fusionauth-issues/issues/267 gets delivered (no firm timeline on that, sorry).

        Options:

        • you could put the group name in the user.data field and put it into the JWT using a JWT populate lambda. If you are moving users in and out of groups regularly, this could be scripted, but may be a bit of a maintenance issue.
        • assign users to a group in FusionAuth. Assign that group a role with the same name. Then you'll have access to the role in the populate JWT lambda. This seems the most straightforward to me. Note that a user only gets a role assigned to a group in FusionAuth if the user is registered for the application and is a member of a group with a role for that application.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
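A JWT populate lambda implementing the second option above, added here as an example (not FusionAuth's own code, not part of the thread): it copies the role names from the application registration into a `groups` claim that Kubernetes can read with `--oidc-groups-claim=groups`, and also merges a `user.data.groups` list (an assumed key; the first option) if one is present. The sample user and registration are constructed for the demo.

```javascript
// FusionAuth JWT populate lambda: function populate(jwt, user, registration).
// Written in ES5 style (var, no arrow functions) so it also runs in the
// restricted lambda engine. Only the registration for the application the
// token is issued for is passed in, so roles from other applications never
// leak into the claim.
function populate(jwt, user, registration) {
  var groups = [];

  // Option 2: each FusionAuth group carries an application role with the same
  // name, and those roles show up on registration.roles as strings.
  if (registration && registration.roles) {
    for (var i = 0; i < registration.roles.length; i++) {
      groups.push(String(registration.roles[i]));
    }
  }

  // Option 1: group names maintained by a script in user.data.groups
  // (assumed key name); de-duplicated against the role-derived names.
  if (user && user.data && user.data.groups) {
    for (var j = 0; j < user.data.groups.length; j++) {
      var g = String(user.data.groups[j]);
      if (groups.indexOf(g) === -1) {
        groups.push(g);
      }
    }
  }

  // Kubernetes expects the groups claim to be an array of strings;
  // sorting keeps the claim stable between token issuances.
  groups.sort();
  jwt.groups = groups;
}

// Constructed sample data (not real FusionAuth records) to exercise the
// lambda offline; the UUID is a placeholder.
var sampleUser = { email: "alice@example.com", data: { groups: ["cluster-readers", "ops"] } };
var sampleRegistration = {
  applicationId: "00000000-0000-0000-0000-000000000000",
  roles: ["cluster-admins", "cluster-readers"]
};

// Runs the lambda on the sample data and returns the resulting token claims.
function demo() {
  var jwt = { sub: "user-id-placeholder" };
  populate(jwt, sampleUser, sampleRegistration);
  return jwt;
}

console.log(JSON.stringify(demo()));
```

Start the API server with --oidc-groups-claim=groups (and, if you prefer a namespaced group name, --oidc-groups-prefix) and bind RBAC RoleBindings to the resulting group names.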
