Kinde Support #344

Open
andrefmarques opened this issue Jun 7, 2024 · 6 comments
Labels: need triage, question (Further information is requested)

Comments
@andrefmarques

Hi!
I'm testing Kinde, and I've configured authcrunch and Kinde to log in successfully.

However I'm facing 2 issues:

The first one is that the roles are only available on the access token. I've confirmed with their team that this is the case.
Is there any way to configure the service to read them from the access token instead of the id token?

The second is that custom fields are not appearing on the /whoami page.
The id token retrieved from logs:

{
  "at_hash": "redacted",
  "aud": [
    "redacted"
  ],
  "auth_time": 1717690054,
  "azp": "redacted",
  "email": "redacted",
  "exp": 1717693654,
  "family_name": "Doe",
  "given_name": "John",
  "iat": redacted,
  "iss": "https://redacted.kinde.com",
  "jti": "redacted",
  "name": "John Doe",
  "nonce": "redacted",
  "org_codes": [
    "org_11111111111"
  ],
  "organization_properties": {
    "kp_org_city": {},
    "testpropertyorg": {
      "v": "testpropertyorgval"
    }
  },
  "organizations": [
    {
      "id": "org_11111111111",
      "name": "OrgName"
    }
  ],
  "preferred_username": "john",
  "rat": 1717690054,
  "sub": "kp_22222222222222222222222222222221",
  "updated_at": 1717500946,
  "user_properties": {
    "kp_usr_city": {
      "v": "City"
    },
    "test4": {
      "v": "test4val"
    }
  }
}

The output in /whoami:

{
  "addr": "redacted",
  "authenticated": true,
  "email": "[email protected]",
  "exp": 1717682813,
  "expires_at_utc": "Thu Jun  6 14:06:53 UTC 2024",
  "family_name": "Doe",
  "given_name": "John",
  "iat": 1717681913,
  "iss": "https://subdomain.redacted.com/oauth2/kinde/",
  "issued_at_utc": "Thu Jun  6 13:51:53 UTC 2024",
  "jti": "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii",
  "name": "John Doe",
  "nbf": 1717681853,
  "not_before_utc": "Thu Jun  6 13:50:53 UTC 2024",
  "origin": "kinde",
  "realm": "kinde",
  "roles": [
    "authp/guestkinde",
    "authp/guest"
  ],
  "sub": "kp_22222222222222222222222222222221",
  "userinfo": {
    "email": "[email protected]",
    "family_name": "Doe",
    "given_name": "John",
    "id": "kp_22222222222222222222222222222221",
    "name": "John Doe",
    "phone": null,
    "picture": null,
    "preferred_username": "john",
    "sub": "kp_22222222222222222222222222222221",
    "updated_at": 1717500946
  }
}

I was expecting to see the fields org_codes, organization_properties, organizations and user_properties since I'm using extract all from userinfo in the Caddyfile:

{
	debug
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider kinde {
			realm kinde
			driver generic
			client_id {env.GENERIC_CLIENT_ID}
			client_secret {env.GENERIC_CLIENT_SECRET}
			scopes openid email profile address offline phone
			base_auth_url https://subdomain.redacted.com
			metadata_url https://redacted.kinde.com/.well-known/openid-configuration
			extract all from userinfo
		}

		authentication portal partners {
			crypto key sign-verify {env.SHARED_KEY}
			enable identity provider kinde
			cookie domain subdomain.redacted.com
			ui {
				links {
					[...]
				}
			}

			transform user {
				match realm kinde
				action add role authp/guestkinde
				ui link "kinde" /whoami icon "las la-star"
			}
		}

		authorization policy partners {
			allow roles any
			crypto key verify {env.SHARED_KEY}
			validate bearer header
			inject headers with claims

		}
	}
}

:8080 {

[...]
}

I'm using ghcr.io/authcrunch/authcrunch:v1.0.11. Let me know if I can provide more information.
Thank you!

andrefmarques added the need triage and question labels on Jun 7, 2024
@greenpau
Owner

greenpau commented Jun 7, 2024

@andrefmarques , please confirm that the login flow works.

Have you tried "nested" injections? https://docs.authcrunch.com/docs/authorize/headers#nested-data-source

@andrefmarques
Author

Yes, I can log in and access the links configured.
I haven't tried nested injections since the fields are not appearing in whoami's userinfo.

@greenpau
Owner

greenpau commented Jun 7, 2024

> I haven't tried nested injections since the fields are not appearing in whoami's userinfo

@andrefmarques , please try configuring the following and see whether it propagates.

inject header "X-Org-Prop-A" from "organization_properties|testpropertyorg|v"

@andrefmarques
Author

I've tried with

authorization policy partners {
	allow roles any
	crypto key verify {env.SHARED_KEY}
	validate bearer header
	inject headers with claims
	inject header "X-Org-Prop-A" from "organization_properties|testpropertyorg|v"
}

And it's not propagating.

@greenpau
Owner

greenpau commented Jun 7, 2024

@andrefmarques , I suggest you somehow bring these props to the userinfo field. Otherwise, it will not work out of the box.
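An added example, not authcrunch's own code, that resolves the pipe-separated nested path from the thread against a trimmed copy of the id-token claims and against the userinfo object shown on /whoami. The resolver lookupPath and the trimmed JSON samples are constructed for illustration; it shows why the path can only be injected once the properties are present in userinfo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed samples, trimmed from the two JSON documents quoted in the
// issue: the Kinde id token carries the nested organization properties,
// the userinfo object shown on /whoami does not.
const idTokenClaims = `{"sub":"kp_22222222222222222222222222222221","org_codes":["org_11111111111"],
 "organization_properties":{"kp_org_city":{},"testpropertyorg":{"v":"testpropertyorgval"}},
 "user_properties":{"kp_usr_city":{"v":"City"},"test4":{"v":"test4val"}}}`
const whoamiUserinfo = `{"sub":"kp_22222222222222222222222222222221","preferred_username":"john"}`

// lookupPath walks a "|"-separated path (the nested-data-source syntax used
// in the thread) through a decoded JSON document. It returns the leaf only
// when every segment exists and the leaf is a string; a missing segment or
// a non-string leaf (e.g. the empty kp_org_city object) yields ok == false,
// which is the case in which a header injection has nothing to inject.
func lookupPath(raw, path string) (string, bool) {
	var doc interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return "", false
	}
	cur := doc
	for _, seg := range strings.Split(path, "|") {
		m, isMap := cur.(map[string]interface{})
		if !isMap {
			return "", false
		}
		next, found := m[seg]
		if !found {
			return "", false
		}
		cur = next
	}
	s, ok := cur.(string)
	return s, ok
}

func main() {
	path := "organization_properties|testpropertyorg|v"
	for name, src := range map[string]string{"id token": idTokenClaims, "userinfo": whoamiUserinfo} {
		v, ok := lookupPath(src, path)
		fmt.Printf("%-8s -> %q (found=%v)\n", name, v, ok)
	}
}
```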

@andrefmarques
Author

Any tips to find out why fields such as org_codes are not appearing in userinfo?
