Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

oidc: add verbose logging that displays claim token details #97468

Closed
dhartunian opened this issue Feb 22, 2023 · 0 comments
Closed

oidc: add verbose logging that displays claim token details #97468

dhartunian opened this issue Feb 22, 2023 · 0 comments
Assignees
Labels
A-observability-inf C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)

Comments

@dhartunian
Copy link
Collaborator

dhartunian commented Feb 22, 2023

Currently it is not possible to easily debug OIDC tokens in CRDB when attempting to configure SSO for DB Console.
There are two cluster settings that allow for extracting and matching a specific field in the claim token in order to match a SQL user for login.

An operator should be able to inspect the claim token fields via log messages in order to help them decide what cluster settings to use.

Jira issue: CRDB-24718

@dhartunian dhartunian added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-observability-inf labels Feb 22, 2023
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue Mar 13, 2023
Previously, matching on ID token claims was not possible if the claim key
specified was the "groups" claim because the claim value is a list, not a
string. With this change, matching can now occur on this claim in order
to add login capabilities to DB Console. It is important to note that
this change does NOT offer the user the ability to choose between possible
matches; it simply selects the first match to log the user in.

This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468

Release note (general change): Increasing the logging verbosity
is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue Mar 14, 2023
Previously, matching on ID token claims was not possible if the claim key
specified had a corresponding value that was a list, not a
string. With this change, matching can now occur on claims that are list valued
in order to add login capabilities to DB Console. It is important to note that
this change does NOT offer the user the ability to choose between possible
matches; it simply selects the first match to log the user in.

This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468

Release note (general change): Increasing the logging verbosity
is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue Mar 14, 2023
Previously, matching on ID token claims was not possible if the claim key
specified had a corresponding value that was a list, not a
string. With this change, matching can now occur on claims that are list valued
in order to add login capabilities to DB Console. It is important to note that
this change does NOT offer the user the ability to choose between possible
matches; it simply selects the first match to log the user in.

This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468

Release note (general change): Increasing the logging verbosity
is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue Mar 15, 2023
Previously, matching on ID token claims was not possible if the claim key
specified had a corresponding value that was a list, not a
string. With this change, matching can now occur on claims that are list valued
in order to add login capabilities to DB Console. It is important to note that
this change does NOT offer the user the ability to choose between possible
matches; it simply selects the first match to log the user in.

This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468

Release note (enterprise change): The cluster setting
`server.oidc_authentication.claim_json_key` for DB Console SSO
now accepts list-valued token claims.

Release note (general change): Increasing the logging verbosity
is more helpful with troubleshooting DB Console SSO issues.
cameronnunez added a commit to cameronnunez/cockroach that referenced this issue Mar 16, 2023
Previously, matching on ID token claims was not possible if the claim key
specified had a corresponding value that was a list, not a
string. With this change, matching can now occur on claims that are list valued
in order to add login capabilities to DB Console. It is important to note that
this change does NOT offer the user the ability to choose between possible
matches; it simply selects the first match to log the user in.

This change also adds more verbose logging about ID token details.

Epic: none
Fixes: cockroachdb#97301, cockroachdb#97468

Release note (enterprise change): The cluster setting
`server.oidc_authentication.claim_json_key` for DB Console SSO
now accepts list-valued token claims.

Release note (general change): Increasing the logging verbosity
is more helpful with troubleshooting DB Console SSO issues.
craig bot pushed a commit that referenced this issue Mar 18, 2023
98522: ccl/oidcccl: support principal matching on list claims r=dhartunian a=cameronnunez

Previously, matching on ID token claims was not possible if the claim key
specified had a corresponding value that was a list, not a
string. With this change, matching can now occur on claims that are list valued
in order to add login capabilities to DB Console. It is important to note that
this change does NOT offer the user the ability to choose between possible
matches; it simply selects the first match to log the user in.

This change also adds more verbose logging about ID token details.

Epic: none
Fixes: #97301, #97468

Release note (enterprise change): The cluster setting
`server.oidc_authentication.claim_json_key` for DB Console SSO
now accepts list-valued token claims.

Release note (general change): Increasing the logging verbosity
is more helpful with troubleshooting DB Console SSO issues.

98739: sql: simplify V23_1ExternalConnectionsTableHasOwnerIDColumn gating r=adityamaru a=andyyang890

Informs #87079

Release note: None

98892: kvcoord: Use correct timestamp when restarting range r=miretskiy a=miretskiy

Recent changes to rangefeed library (#97957) introduced a silly bug (incorrect code completion/copy paste).

Use correct timestamp when resuming range feed.

Issue: None
Epic: None
Release note: None

Co-authored-by: Cameron Nunez <[email protected]>
Co-authored-by: Andy Yang <[email protected]>
Co-authored-by: Yevgeniy Miretskiy <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-observability-inf C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Projects
None yet
Development

No branches or pull requests

2 participants