RBAC Group Matching

[moserke]

We currently have argo setup for OIDC and one of the fields coming back is a list of groups, however OIDC provider sends the list as a string, so an array of groups becomes "[group1, group2, group3]". We want to be able to pattern match that a user has a substring in their subject such that if the user is in a group they get access. Is this possible to write a pattern match on the subject itself? An example hoped for working policy would look like:

policy.csv: |
      p, role:default, applications, *, */*, deny
      p, role:default, repositories, get, *, deny
      g, "*group2*", role:admin

However it does not look like matching is support on the subject itself? Is there some other way to accomplish this given that we can't change how the provider is sending the attribute in the claim?

[andrewhearin]

@moserke were you ever able to solve this? I'm in a similar situation. Our groups are returned as an array of the numerical group ID

[moserke]

Unfortunately not natively in Argo. Given that our OIDC provider is Cognito we were able to leverage a pre-token hook in cognito to call a lambda to "fix" the token. If you happen to be in the same situation and are using Cognito, the lambda code is very simple:

exports.handler = (event, context, callback) => {
  event.response = {
    "claimsOverrideDetails": {
      "groupOverrideDetails": {
        "groupsToOverride": event.request.userAttributes["custom:groups"].replace("[", "").replace("]", "").replace(/ /g, "").split(",")
      }
    }
  }
  callback(null, event)