OIDC Provider Filtering in Self-Hosted Kratos Instance #4135

Open
4 of 5 tasks
mapepro opened this issue Oct 2, 2024 · 0 comments
Labels
bug Something is not working.

Comments


mapepro commented Oct 2, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

I know that organization is an Ory Network feature, but it seems feasible to work with in self-hosted mode.

As I have a large number of OIDC configurations, I'd like to filter them to avoid returning an excessive amount of data.

By examining the schemas, I can see that it's possible to pass configuration IDs in the OIDC configuration within the Kratos configuration file.

Then, I should be able to use these IDs with the 'organization' parameter of the /self-service/login/browser endpoint (which creates login flows for browsers). However, the nodes in the response contain all OIDC providers, not just the ones matching the specified ID.

Reproducing the bug

Setup

In the self-hosted instance:

  1. Configure Kratos with two IDPs (Identity Providers).
  2. Add organization_id in selfservice.methods.oidc.config.provider.*.organization_id for both OIDC configurations.

Steps to Reproduce

  1. Call for the creation of the browser login flow with one organization id:
```shell
curl --request GET \
  --url 'http://localhost:4433/self-service/login/browser?organization=8cd99b5d-4ca5-46df-bf94-90f3835d2b69'
```

Expected Result

ui.nodes should be an array with two items:

  1. Anti-CSRF token
  2. OIDC configuration (matching the provided organization id)

Actual Result

ui.nodes contains:

  • All OIDC providers
  • The anti-CSRF token

Additional Notes

This behavior suggests that the organization parameter in the login flow creation endpoint is not correctly filtering the OIDC providers based on the organization_id specified in the Kratos configuration.

Relevant log output

No response

Relevant configuration

```yaml
[...]
selfservice:
  methods:
    oidc:
      config:
        providers:
        - organization_id: 8cd99b5d-4ca5-46df-bf94-90f3835d2b69 # RANDOM UUID
          auth_url: [REDACTED]
          client_id: [REDACTED]
          client_secret: [REDACTED]
          id: simpleid
          issuer_url: [REDACTED]
          mapper_url: [REDACTED]
          provider: generic
          scope:
          - openid
          - email
          token_url: [REDACTED]
        - organization_id: 7ac74432-ccd1-4ae7-b51f-37ae5862d2b3 # RANDOM UUID
          auth_url: [REDACTED]
          client_id: [REDACTED]
          client_secret: [REDACTED]
          id: simpleid2
          issuer_url: [REDACTED]
          mapper_url: [REDACTED]
          provider: generic
          scope:
          - openid
          - email
          token_url: [REDACTED]
      enabled: true
[...]
```

Version

v1.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

@mapepro mapepro added the bug Something is not working. label Oct 2, 2024
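A check for the filtering the report expects, added here as an example and not part of Kratos or of the report: given the provider list from the configuration and a login-flow response, it returns which OIDC provider nodes should not have been offered for the requested organization. It assumes Kratos's UI node layout (group `oidc`, `attributes.name` of `provider` with `attributes.value` set to the provider id, and a `csrf_token` node); the sample response and its token value are constructed to mirror the "Actual Result" above.

```python
import json

# Constructed stand-in for the two providers in the issue's configuration (only the fields the check needs).
PROVIDERS = [
    {"id": "simpleid", "organization_id": "8cd99b5d-4ca5-46df-bf94-90f3835d2b69"},
    {"id": "simpleid2", "organization_id": "7ac74432-ccd1-4ae7-b51f-37ae5862d2b3"},
]
ORG = "8cd99b5d-4ca5-46df-bf94-90f3835d2b69"  # the ?organization= value used in the report

def expected_provider_ids(providers, organization):
    """Provider ids the report expects in ui.nodes: only those whose organization_id matches."""
    return sorted(p["id"] for p in providers if p.get("organization_id") == organization)

def oidc_provider_ids(flow):
    """Provider ids actually offered in ui.nodes (assumed node shape: group 'oidc',
    attributes.name 'provider', attributes.value = provider id)."""
    return sorted(
        n["attributes"]["value"]
        for n in flow["ui"]["nodes"]
        if n.get("group") == "oidc" and n.get("attributes", {}).get("name") == "provider"
    )

def has_csrf_node(flow):
    """True if the flow carries the anti-CSRF token node (assumed attributes.name 'csrf_token')."""
    return any(n.get("attributes", {}).get("name") == "csrf_token" for n in flow["ui"]["nodes"])

def check_flow(flow, providers, organization):
    """Compare offered providers with the expected set.
    Returns (ok, unexpected_ids, missing_ids); ok also requires the CSRF node to be present."""
    expected = set(expected_provider_ids(providers, organization))
    actual = set(oidc_provider_ids(flow))
    unexpected, missing = sorted(actual - expected), sorted(expected - actual)
    return (not unexpected and not missing and has_csrf_node(flow)), unexpected, missing

# Constructed response mirroring the "Actual Result": the CSRF node plus both providers.
SAMPLE_FLOW = json.loads("""{"ui": {"nodes": [
  {"type": "input", "group": "default",
   "attributes": {"name": "csrf_token", "type": "hidden", "value": "constructed-token", "node_type": "input"}},
  {"type": "input", "group": "oidc",
   "attributes": {"name": "provider", "type": "submit", "value": "simpleid", "node_type": "input"}},
  {"type": "input", "group": "oidc",
   "attributes": {"name": "provider", "type": "submit", "value": "simpleid2", "node_type": "input"}}
]}}""")

if __name__ == "__main__":
    ok, unexpected, missing = check_flow(SAMPLE_FLOW, PROVIDERS, ORG)
    print("filtered correctly" if ok else f"unexpected={unexpected} missing={missing}")
```

To run it against a live instance, load the JSON body returned by the curl call in the report with `json.load` in place of `SAMPLE_FLOW`.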