concourse: OIDC with Okta doesn't get username or groups
Bug Report
I have followed the steps at: https://concourse-ci.org/generic-oidc-auth.html
I have created an app in Okta with the implicit flow and mapped all groups.
Steps to Reproduce
Following environment variables:

```sh
export CONCOURSE_OIDC_DISPLAY_NAME=Okta
export CONCOURSE_OIDC_CLIENT_ID=clientid
export CONCOURSE_OIDC_CLIENT_SECRET=clientsecret
export CONCOURSE_OIDC_ISSUER=https://issuer.issuer.com
export CONCOURSE_MAIN_TEAM_OIDC_GROUP=dev-concourse
export CONCOURSE_OIDC_GROUPS_KEY='groups'
export CONCOURSE_OIDC_SCOPE='openid groups'
```
Expected Results
Username and groups to be passed to concourse to allow user to join the main team
Actual Results
HTTP 401 returned to clients, following in logs:
```json
{"timestamp":"2019-03-12T17:03:17.480427687Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"oidc\", username=\"\", email=\" foo@bar.com (unverified)\", groups=[]","session":"6"}}
{"timestamp":"2019-03-12T17:03:17.532387726Z","level":"error","source":"atc","message":"atc.sky.callback.failed-to-issue-concourse-token","data":{"error":"user doesn't belong to any team","session":"5.40"}}
```
Version Info
- Concourse version: 5.0.0
- Deployment type (BOSH/Docker/binary): binary
- Infrastructure/IaaS: debian
- Browser (if applicable): N/A
- Did this used to work? N/A
About this issue
- State: closed
- Created 5 years ago
- Reactions: 7
- Comments: 21 (4 by maintainers)
I also really would like this to be reopened. We've been wanting to use Okta. Some plans in Okta only allow OpenID Connect, so we can't use OAuth2.
This is an issue I’m running into now. Okta OIDC & OAUTH were both set up for this and neither pick up the group claims.
Concourse 6.1.0 Installed with Helm
I’m able to log in, but not in the main group which my user is a part of (created in Okta, and enabled in screenshot #1)
No matter what the set up, groups comes back empty in the logs:
```sh
[ec2-user@ip-10-13-1-211 ~]$ docker logs 18c12ffab476 | grep dex
{"timestamp":"2020-08-05T19:59:03.840703634Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"oauth\", username=\"\", email=\"My_Name@BlahBlahBlah.com\", groups=[]","session":"14"}}
{"timestamp":"2020-08-05T21:38:30.557195483Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"oidc\", username=\"My_Name@BlahBlahBlah.com\", email=\"My_Name@BlahBlahBlah.com (unverified)\", groups=[]","session":"14"}}
```

This really needs to be re-opened. Okta OIDC & OAuth are major ID providers not to be working with this application.
🙏🏽🙏🏽🙏🏽
In the web flags:
```sh
--oidc-display-name "Corp OKTA" \
--oidc-scope "openid profile email phone address groups" \
--oidc-issuer "https://corp.okta-something.com/oauth2/default" \
--oidc-client-id "zzzzzzzz" \
--oidc-client-secret "evenmorezzzzz" \
--oidc-user-name-key "email" \
--main-team-oidc-group "concourse-main" \
--oidc-groups-key "groups"
```
And in OKTA enable the group claims setting.
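The quickest way to tell whether the empty `groups=[]` in the logs above is an Okta-side problem (claim never issued) or a Concourse-side one (claim issued but not read) is to look at the ID token Okta actually returns and compare it against the `--oidc-user-name-key`, `--oidc-groups-key` and `--main-team-oidc-group` values from the flags above. The script below is an added example written for this thread; it is not code from Concourse, Dex or Okta. The two tokens it inspects are constructed inline with placeholder signatures so it runs offline, the function name `check_concourse_login` and its reconstruction of the username/group matching are assumptions rather than Concourse's own logic, and the signature is deliberately not verified because this is a claims-reading aid for troubleshooting, never an authentication step.

```python
"""Offline check of what a Concourse OIDC login would see in an Okta ID token.

Added example for this thread; not code from Concourse, Dex or Okta. Tokens are
CONSTRUCTED with placeholder signatures so the script runs offline. Signatures
are intentionally not verified: troubleshooting aid only, never an auth step.
"""
import base64
import json
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_constructed_token(claims: Dict) -> str:
    """Build a fake header.payload.signature JWT for offline demonstration."""
    header = {"alg": "RS256", "kid": "constructed", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),  # not a real signature
    ])


def decode_claims(id_token: str) -> Dict:
    """Return the payload claims of a compact JWS WITHOUT verifying it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_concourse_login(claims: Dict, username_key: str = "email",
                          groups_key: str = "groups",
                          main_team_group: Optional[str] = None) -> Dict:
    """Report username and groups under the given --oidc-user-name-key,
    --oidc-groups-key and --main-team-oidc-group values.

    Hypothetical reconstruction (assumption, not Concourse's code): username is
    read from `username_key`, groups from `groups_key`, which must be a JSON
    array of strings, and the login joins the main team only if
    `main_team_group` appears in that array.
    """
    problems: List[str] = []

    username = claims.get(username_key)
    if not isinstance(username, str) or not username:
        username = ""
        problems.append(f"claim '{username_key}' missing or empty: username would log as \"\"")

    raw_groups = claims.get(groups_key)
    groups: List[str] = []
    if raw_groups is None:
        problems.append(f"claim '{groups_key}' absent from the ID token: check the Okta "
                        f"groups claim setting and that the scope includes 'groups'")
    elif isinstance(raw_groups, list) and all(isinstance(g, str) for g in raw_groups):
        groups = list(raw_groups)
    else:
        problems.append(f"claim '{groups_key}' is {type(raw_groups).__name__}, "
                        "not a list of strings")

    joins_main = main_team_group is not None and main_team_group in groups
    if main_team_group is not None and not joins_main:
        problems.append(f"'{main_team_group}' not among groups {groups}: the user "
                        "would not be placed on the main team")

    return {"username": username, "groups": groups,
            "would_join_main_team": joins_main, "problems": problems}


# Constructed claims (fake issuer/subject) covering the thread's two cases.
TOKEN_WITHOUT_GROUPS = make_constructed_token({
    "iss": "https://corp.okta-something.com/oauth2/default",
    "sub": "00u-constructed", "aud": "zzzzzzzz",
    "email": "my_name@example.com", "email_verified": False,
})
TOKEN_WITH_GROUPS = make_constructed_token({
    "iss": "https://corp.okta-something.com/oauth2/default",
    "sub": "00u-constructed", "aud": "zzzzzzzz",
    "email": "my_name@example.com", "email_verified": True,
    "groups": ["Everyone", "concourse-main"],
})

if __name__ == "__main__":
    for label, tok in (("no groups claim", TOKEN_WITHOUT_GROUPS),
                       ("groups claim present", TOKEN_WITH_GROUPS)):
        result = check_concourse_login(decode_claims(tok), "email", "groups", "concourse-main")
        print(label, json.dumps(result, indent=2))
```

Against a real deployment, replace the constructed token with the `id_token` Okta returns for the Concourse client and pass it to `decode_claims`. If `groups` is missing from the decoded claims, the fix lies on the Okta side (the groups claim setting and scope mentioned above); if it is present as a list of strings and Concourse still logs `groups=[]`, the connector is not reading it, which is the situation the PR referenced below addresses.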
@samgurtman-zz @mlopez-eb I have opened a PR to fix this https://github.com/concourse/concourse/pull/8353