Getting "SSO failed" after successfully logging into Keycloak

Hey,

I have a working setup with auth0 and the following configuration:

# /etc/httpd/conf.d/15-foreman-ssl-oidc.conf
# mod_auth_openidc relying-party configuration for Foreman's external-login
# path. Foreman itself does no OIDC here; it only consumes the REMOTE_USER*
# headers set below.

# Provider discovery document plus the client credentials registered at the
# provider; the passphrase protects mod_auth_openidc's own state/session data.
OIDCProviderMetadataURL https://<redacted>.auth0.com/.well-known/openid-configuration
OIDCClientID <redacted>
OIDCClientSecret <redacted>
OIDCRedirectURI https://<redacted>/users/extlogin/redirect_uri
OIDCCryptoPassphrase <redacted>
OIDCScope "openid email profile"

# "id_token" asks the provider to return the ID token directly (implicit-style
# response) instead of an authorization code that is exchanged back-channel.
# NOTE(review): the code flow ("code") is the generally preferred choice for a
# confidential server-side client such as this one; confirm it works with the
# provider before keeping the implicit response type.
OIDCResponseType "id_token"
# Claim copied into REMOTE_USER by the module. The trailing "@" is documented by
# mod_auth_openidc as appending the issuer to the claim value — verify the
# resulting REMOTE_USER format against the Foreman user names you expect.
OIDCRemoteUserClaim nickname@

<Location /users/extlogin>
    AuthType openid-connect
    Require valid-user
    # NOTE(review): debug logging on an auth path can write claim and session
    # details to the error log; consider lowering it once the setup works.
    LogLevel debug

    # "set" replaces any header of the same name that arrived with the client
    # request, so Foreman only ever sees values derived from the verified
    # token claims and not something a caller injected.
    RequestHeader set REMOTE_USER %{OIDC_CLAIM_nickname}e
    RequestHeader set REMOTE_USER_EMAIL %{OIDC_CLAIM_email}e
    RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC_CLAIM_given_name}e
    RequestHeader set REMOTE_USER_LASTNAME %{OIDC_CLAIM_family_name}e
    # Custom claim "http://foreman_groups" added by the Auth0 rule; the module
    # rewrites the claim name into the OIDC_CLAIM_http---foreman_groups variable.
    RequestHeader set REMOTE_USER_GROUPS %{OIDC_CLAIM_http---foreman_groups}e
</Location>

On the Auth0 side, I have a standard application and one rule that manages custom groups (Terraform version):

# Auth0 application that the Apache mod_auth_openidc client authenticates
# against; ClientID/ClientSecret in the Apache config belong to this client.
resource "auth0_client" "foreman" {
  name                                = "Foreman"
  description                         = "Foreman web UI/API"
  # NOTE(review): "spa" describes a public browser client, yet the Apache side
  # holds a client secret and uses client_secret_post; "regular_web" is the
  # usual app type for a confidential server-side client — worth confirming.
  app_type                            = "spa"
  cross_origin_auth                   = false
  is_first_party                      = true
  custom_login_page_on                = false
  is_token_endpoint_ip_header_trusted = false
  token_endpoint_auth_method          = "client_secret_post"
  oidc_conformant                     = true
  # Must match OIDCRedirectURI in the Apache config exactly (scheme, host, path).
  callbacks = [
    "https://<redacted>/users/extlogin/redirect_uri",
  ]
  allowed_logout_urls = [
    "https://<redacted>/users/users/extlogout",
  ]
  # "implicit" is needed as long as Apache requests OIDCResponseType "id_token";
  # it could be dropped if the Apache side moved to the code flow.
  grant_types = ["authorization_code", "implicit", "refresh_token"]
  jwt_configuration {
    # 36000 s = 10 h token lifetime
    lifetime_in_seconds = 36000
    secret_encoded      = false
    alg                 = "RS256"
    scopes              = {}
  }
}

# Rule that gates Foreman logins on group membership and adds the
# "http://foreman_groups" claim consumed by the Apache RequestHeader line.
resource "auth0_rule" "foreman" {
  name = "Terraformed - Foreman"
  script = file("./rules/foreman.js")
  enabled = true
  # Position relative to other rules; presumably chosen so any rule that
  # populates groups_custom runs first — verify against the other rules.
  order = 123
}
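// ./rules/foreman.js
/*global UnauthorizedError*/
/**
 * Auth0 rule gating access to the Foreman application.
 *
 * For logins to the client named 'Foreman' it denies users that hold none of
 * the allowed groups and, for everyone else, exposes their foreman_* groups as
 * a colon-joined custom claim on the ID token. Logins to other clients pass
 * through untouched.
 *
 * @param {object} user - Auth0 user; `groups_custom` is read as the group
 *   source and initialised to [] when the property is missing.
 * @param {object} context - Auth0 rule context; `clientName` is read and
 *   `idToken['http://foreman_groups']` is written for Foreman logins.
 * @param {Function} callback - Auth0 continuation: callback(error) denies the
 *   login, callback(null, user, context) continues the pipeline.
 * @returns {undefined}
 */
// eslint-disable-next-line no-unused-vars
function foreman(user, context, callback) {
  if (context.clientName === 'Foreman') {
    const groupsAllowed = ['foreman_admin', 'foreman_users'];

    if (!Object.prototype.hasOwnProperty.call(user, 'groups_custom')) {
      user.groups_custom = [];
    }

    // Fail closed on a malformed claim: anything that is not an array (null, a
    // bare string, ...) counts as "no groups" instead of throwing at .some(),
    // which would surface as an opaque rule error rather than a clean denial.
    const groups = Array.isArray(user.groups_custom) ? user.groups_custom : [];

    const userHasAccess = groups.some((group) => groupsAllowed.includes(group));
    if (!userHasAccess) {
      console.log('Access denied.!');
      return callback(new UnauthorizedError('Access denied.'));
    }

    // Only string entries can be prefix-matched; anything else is skipped.
    const foremanGroups = groups
      .filter((name) => typeof name === 'string' && name.startsWith('foreman_'))
      .join(':');
    context.idToken['http://foreman_groups'] = foremanGroups;
  }
  callback(null, user, context);
}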

Note that I have no OIDC settings on the Foreman side, only authorize_login_delegation and the request headers added by Apache:

# hammer setting list --search oidc
---------------|----------------|-------|---------------------------------------------------------------------------------
NAME           | FULL NAME      | VALUE | DESCRIPTION                                                                     
---------------|----------------|-------|---------------------------------------------------------------------------------
oidc_jwks_url  | OIDC JWKs URL  |       | OpenID Connect JSON Web Key Set(JWKS) URL. Typically https://keycloak.example...
oidc_audience  | OIDC Audience  | []    | Name of the OpenID Connect Audience that is being used for Authentication. In...
oidc_issuer    | OIDC Issuer    |       | The iss (issuer) claim identifies the principal that issued the JWT, which ex...
oidc_algorithm | OIDC Algorithm |       | The algorithm used to encode the JWT in the OpenID provider.                    
---------------|----------------|-------|---------------------------------------------------------------------------------

External users are correctly created and mapped to the correct foreman groups! :sunny:
