OIDC username storage and mapping to login username

teleport
#1

Hi I’m trying to use an OIDC connector to manage users connecting to teleport. I’ve worked through configuring the connector and after some false starts have it connecting and creating a user inside teleport.

The user it creates has an email username someuser@example.com and there is a username of ‘someuser’ in traits of the user record. However when I try to login to a server it send the email as the username and naturally fails. The role I’m using has ‘{{external.username}}’ as the allowed logins so I’d have expected it to use ‘someuser’ not ‘someuser@example.com’

kind: role
metadata:
id: 1564159390179270517
name: somerole
spec:
allow:
logins:
- ‘{{external.username}}’

I’ve looked through the code and it does seem that using the email as the ‘username’ is intentional https://github.com/gravitational/teleport/blob/master/lib/auth/oidc.go#L400.

What should I do here to select the correct trait and avoid it sending the email in an ssh request. Is there some other logins templating I can use in my role?

thanks!

Steve

#2

I looked into this issue. When I tried, it looks like actually a value for username does get passed through and should be usable.

I set these two custom values for username and login up on Auth0 and then logged into my test cluster, these are the claims:

DEBU [AUTH]      OIDC claims: map[app_metadata:map[login:webvictim roles:[gravitational/admins gravitational/devc gravitational/wikireaders] username:webvictim] aud:V0vOv0093JCBlGctSWA7vELnV0ufTazN awsRole:arn:aws:iam::126027368216:role/auth0-admin,arn:aws:iam::126027368216:saml-provider/auth0 awsRoleSession:gus clientID:V0vOv0093JCBlGctSWA7vELnV0ufTazN created_at:2019-02-14T16:21:19.875Z email:gus@gravitational.com email_verified:true exp:1.564723786e+09 family_name:Luxton given_name:Gus iat:1.564687786e+09 identities:[map[connection:google-oauth2 isSocial:true provider:google-oauth2 user_id:102645889361203966163]] iss:https://gravitational.auth0.com/ locale:en login:webvictim name:Gus Luxton nickname:gus picture:https://lh6.googleusercontent.com/-cEVzNGlb4lY/AAAAAAAAAAI/AAAAAAAAAAg/uxllcFwFjVk/photo.jpg roles:[gravitational/admins gravitational/devc gravitational/wikireaders] sub:google-oauth2|102645889361203966163 updated_at:2019-08-01T19:29:45.397Z user_id:google-oauth2|102645889361203966163 user_metadata:map[] username:webvictim]. auth/oidc.go:200

This is my role:

root@gus-main-auth-0:/# tctl get role/clusteradmin
kind: role
metadata:
  id: 1564677466543247436
  name: clusteradmin
spec:
  allow:
    kubernetes_groups:
    - system:masters
    logins:
    - root
    - '{{external.username}}'
    node_labels:
      '*': '*'
    rules:
    - resources:
      - '*'
      verbs:
      - '*'
  deny:
    logins: null
  options:
    cert_format: standard
    forward_agent: true
    max_session_ttl: 12h0m0s
    port_forwarding: true
version: v3

This is what i get from tsh login when i login with Auth0:

$ tsh login --proxy=gus-main.gravitational.co
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:34055/6797e5df-cac0-4fa9-8ce6-267f494a149b
> Profile URL:  https://gus-main.gravitational.co:3080
  Logged in as: gus@gravitational.com
  Cluster:      gus-main.gravitational.co
  Roles:        clusteradmin*
  Logins:       root, webvictim
  Valid until:  2019-08-02 04:29:46 -0300 ADT [valid for 12h0m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty


* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise

The logins value is populated correctly as I’d expect.

What SSO provider are you using here?

#3

thanks for the reply Gus, I’m using AWS cognito here for a POC.

if do a tsh status i see

Profile URL: http s://somehost:3080
Logged in as: somedev@domain.com
Cluster: somecluster
Roles: dev*
Logins: somedev
Valid until: 2019-07-27 09:34:55 +0100 IST [EXPIRED]
Extensions: permit-port-forwarding, permit-pty

  • RBAC is only available in Teleport Enterprise

i see ‘somedev’ there like you see root, webvictim so I’d have expected it to use ‘somedev’ to login the host

in the logs i see
OIDC claims: map[at_hash:KtwwHq3WpsWxh2Q560fA aud:7mplejnte8e5rs3j823d auth_time:1.564173294e+09 cognito:groups:[dev] cognito:username:somedev email:somedev@somedomain.com email_verified:true exp:1.xxx4e+09 iat:1.564173xxx09 iss:http s://cognito-idp.us-east-1.amazonaws.com/us-east-1xxxxxF3 sub:e96d0332-83a1-431c-bd87-esssss token_use:id username:somedev]

(spaces in links are intentional here so I can post)

#4

That all looks fine to me. What happens when you log into the cluster and then tsh ssh somedev@somehost?

(tsh uses your local username on the client where you’re running it by default, so if that isn’t somedev then you need to explicitly specify the username - either with tsh ssh somedev@somehost or tsh ssh -l somedev somehost)