Unable to make use of oidc_user_claim in auth_provider

[avanier]

Hiya,

I'm attempting to connect Monocle to Okta via OIDC. I'm having trouble as it seems that whatever I set as an option for oidc_user_claim in a auth_provider block of config.yaml it seems to be ignored. I've looked at the token returned by Okta and the claims I'm trying to consume seem to be present, but Monocle appears to always default to sub which is the Okta client id for Monocle itself.

I was digging in the original PR for the implementation of JWT and the original suggestion for using the preferred_username claim by default does not seem to have been implemented. (I can't find any reference to these words in Monocle's codebase ... but it might also be an assumption coming from an upstream library. My Haskell-fu is terrible.)

When looking at what seems to be the relevant area of the code where this happens ... I have to admit I can barely understand what it means. (For context, I'm a lowly sysadmin with mediocre Ruby / Golang / Erlang skills. Haskell is super daunting. >_< )

Halp!

[TristanCacqueray]

Hello,

looking at the code, there are two cases where the provided oidc_user_claim is ignored:

• When it can't be found, or
• When the oidc response for 'other claim' is not an object.

In #1058 I proposed to add a warning with the details. Perhaps this should result in a failure? what do you think @morucci ?

[morucci]

Hi,

Yes, looking at the code when oidc_user_claim is set then the value from the idToken should be used. You identified the right function @avanier. As @TristanCacqueray suggested we need to see why the function ignores that and uses the default value. Adding debugging seems the good strategy here.

Once #1058 is merged, the CI might publish the container image for the master branch. Assuming you deploy via docker compose then you need to set in the .env -> COMPOSE_MONOCLE_VERSION=latest and then you should see the "Could not find oidc_user_claim" log along with the reason.

[avanier]

Thank you @TristanCacqueray. The logging confirmed my suspicions, none of the required claims are present in the token returned by Okta.

I'll mark this issue as closed for now and I'll see if I can coax Okta into putting the required claims in there but I have a nagging suspicion that the OIDC client (Monocle in this case) should specify which scopes are being requested to be present in the token for the claims to apprear.

I'll see if I can learn me some Haskell and submit a PR, but if I can't I'll open a more specific issue.

---

Semi-related: Yes, I'm deploying with Docker, but not docker-compose. We're a Kubernetes shop. I'll try and submit a PR for the Helm chart I've written.