
Mapping from claim to claim_name bug using Keycloak #4709

Open
hillout opened this issue Apr 24, 2024 · 3 comments
Labels
bug Something isn't working

Comments


hillout commented Apr 24, 2024

Hi, it's obvious that there is a bug with the mapping from claims in the ID Token to the name in the Boundary claim. Here is my setup and configuration: I'm using Boundary 0.15.4, and as the OIDC provider I have Keycloak 23.0.7. My goal is to have users from Keycloak in the Org realm of Boundary mapped not with the random ID which Boundary generates after the user logs in using OIDC, but with a readable (and usable afterwards) username taken from the ID Token.

I'm not using Terraform yet, so I'm just using the admin UI console. Here is a fragment of the OIDC setup which shows my mappings:

Screenshot from 2024-04-24 16-56-26

I want to map the claim preferred_username to the sub in Boundary, as well as given_name to the name claim.
Here is my test user in Keycloak, and the data which comes back in the ID Token:
Screenshot from 2024-04-24 16-59-07

Claims in ID Token:
Screenshot from 2024-04-24 17-00-30

So, once I log into Boundary using Keycloak (which of course is set as Primary for user auto-creation), I get a user in Boundary without a name, only an ID:
Screenshot from 2024-04-24 17-04-03

And if I check the Accounts section in Auth Methods -> Keycloak ->
Screenshot from 2024-04-24 17-05-08

And more importantly, when I check the Account details of the OIDC user I see this:
Screenshot from 2024-04-24 17-06-46

From here we can see that the mapping from preferred_username to subject has worked correctly, whereas the mapping of given_name to name has worked incorrectly: we see that the given name has ended up in the Full Name Boundary field, but it should have been in the Name section.
irenarindos (Collaborator) commented

Hi @hillout, thanks for pointing this out; in Boundary every resource has a name and description field, which are manually populated for identification purposes. The OIDC field is being mapped correctly, but this is something we can improve in the UI / documentation to make this more clear.


hillout commented Apr 27, 2024

@irenarindos hi, thanks for your reply. My goal was to use that user "name" in a Vault credential library parameter template, {{.User.Name}}, so that a user from OIDC maps to Vault's SSH entity. Instead I'm using {{.Account.Subject}} as a workaround.
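The two comments above describe how an account_claim_maps entry such as given_name=name lands in the OIDC account's Full Name attribute rather than the resource-level Name, and why a Vault credential library path template built on {{.User.Name}} then comes out empty while {{.Account.Subject}} works. The following Go program is an added example written for this thread, not Boundary's own code or anything posted by the reporter: it models the claim mapping with a deliberately simplified Account/User struct (valid targets sub, name and email, with name filling FullName, is taken from Boundary's documented behaviour; the error handling for missing claims and the empty-segment check in RenderPath are this example's own choices), renders both templates with Go's text/template, and flags the path that ends in an empty segment. The ID token claims are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Account is a simplified model of a Boundary OIDC account: Subject, FullName
// and Email can be populated by claim maps; Name is the resource-level name that
// is set by hand and never filled by a claim map. Not Boundary's real types.
type Account struct {
	Subject  string
	FullName string
	Email    string
	Name     string
}

// User is a simplified model of a Boundary user; Name is again manual only.
type User struct {
	Name string
}

// ApplyClaimMaps applies "from=to" entries in the style of account_claim_maps to
// decoded ID token claims. Targets are sub, name and email, and "name" fills
// FullName, which is the behaviour the thread observes. Treating a missing or
// non-string source claim as an error is this example's own choice.
func ApplyClaimMaps(claims map[string]any, maps []string) (Account, error) {
	var acct Account
	for _, m := range maps {
		from, to, ok := strings.Cut(m, "=")
		if !ok {
			return Account{}, fmt.Errorf("claim map %q is not of the form from=to", m)
		}
		raw, present := claims[from]
		if !present {
			return Account{}, fmt.Errorf("ID token has no %q claim", from)
		}
		val, isStr := raw.(string)
		if !isStr || val == "" {
			return Account{}, fmt.Errorf("claim %q must be a non-empty string", from)
		}
		switch to {
		case "sub":
			acct.Subject = val
		case "name":
			acct.FullName = val // "name" target -> Full Name attribute, not resource Name
		case "email":
			acct.Email = val
		default:
			return Account{}, fmt.Errorf("unsupported target claim %q (want sub, name or email)", to)
		}
	}
	return acct, nil
}

// RenderPath renders a relative Vault path template (no leading slash) against
// the same dot fields the thread uses, {{.User.Name}} and {{.Account.Subject}}.
// text/template cannot catch this failure for us: the field exists, it is just
// empty, so we reject any rendered path that contains an empty segment.
func RenderPath(tmpl string, u User, a Account) (string, error) {
	t, err := template.New("path").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	data := struct {
		User    User
		Account Account
	}{u, a}
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	out := buf.String()
	for _, seg := range strings.Split(out, "/") {
		if seg == "" {
			return "", fmt.Errorf("template %q rendered an empty path segment: %q", tmpl, out)
		}
	}
	return out, nil
}

func main() {
	// Constructed ID token claims for a sample Keycloak user; not real data.
	claims := map[string]any{
		"sub":                "a0b1c2d3-example",
		"preferred_username": "jdoe",
		"given_name":         "John",
		"email":              "jdoe@example.com",
	}
	acct, err := ApplyClaimMaps(claims, []string{"preferred_username=sub", "given_name=name"})
	if err != nil {
		panic(err)
	}
	user := User{} // auto-created on first OIDC login: resource Name left empty
	fmt.Printf("subject=%q full_name=%q resource name=%q\n", acct.Subject, acct.FullName, acct.Name)
	if _, err := RenderPath("ssh/creds/{{.User.Name}}", user, acct); err != nil {
		fmt.Println("broken template:", err)
	}
	if p, err := RenderPath("ssh/creds/{{.Account.Subject}}", user, acct); err == nil {
		fmt.Println("working template:", p)
	}
}
```

Running it shows the subject set to jdoe, the given name in full_name, the resource name empty, and therefore the {{.User.Name}} path rejected while the {{.Account.Subject}} path renders as ssh/creds/jdoe, which is exactly the workaround described above.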


hillout commented Apr 27, 2024

@irenarindos and by the way, this scenario extends to the situation where you can't see the name of the (OIDC) user you've logged in with when using the Boundary Desktop version, because it relies on the user "Name" parameter, and since it isn't mapped a blank name shows in the UI:
Screenshot from 2024-04-27 12-07-08
