Role as claims in id token

Hi! I was looking into Keycloak when I stumbled upon the Ory ecosystem. I have read the docs but I'm still a little lost as to whether my use case is a good fit for one or more Ory projects.

I'm using Envoy as a reverse proxy for my apps, where I can use OIDC to protect my endpoints and pass the ID token as an authorization token.

I’m looking to:

  • log in with my Google account
  • be able to add custom roles and groups to the identities, and add those roles as claims in the ID token so I can manage access in my apps after validating the token

That way I can validate the token in the apps and assign permissions based on the identity and role claims.

Is this a use case that is covered?

I can see that I don't need Oathkeeper since I already have Envoy as a proxy.
I can use Hydra as an OIDC server in the proxy, using Google as the identity provider.
Not sure if I can customize roles per user… In Hydra? Kratos?

@blackjid hey, thank you for the question. Do you want to log in only with your Google Account? Or do you want to enrich the profile also, or maybe log in with a password as well?

To log in with a Google account you're gonna need this configuration in kratos.yml:

methods:
  password:
    enabled: true
  oidc:
    enabled: true
    config:
      providers:
        - id: google
          provider: google
          client_id: ...
          client_secret: ...
          mapper_url: file:///etc/config/kratos/oidc.google.jsonnet
          scope:
            - email
            - profile
            - openid

and prepare the OIDC config for Google with the following content:

local claims = {
  email_verified: false
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
    },
  },
}

I assume you already know how to get that client id and client secret.

For the 2nd question, I would suggest using Oathkeeper, which has the ability to mutate (using the hydrator handler) the claims of the token so your upstream services can utilize them for further processing.

If you go this way, your upstream service will retrieve the JSON Web Keys provided by Oathkeeper in order to validate the mutated token. Remember this is not the only way. There are many possible setups for your case IMO.

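As an added example (not code from this thread or from any Ory project), here is the upstream app's side of the setup described above: verifying an RS256-signed ID token and only then making an access decision from a roles claim. To run offline it mints the token itself with a locally generated RSA key instead of fetching the issuer's JSON Web Keys; the issuer URL, audience, subject and the "roles" claim itself are assumptions for illustration, since Google's own ID token carries no such claim.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims the app inspects. "roles" is an assumed custom
// claim (Google's own ID token carries none); "aud" is modelled as a single string here.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Expiry   int64    `json:"exp"`
	Roles    []string `json:"roles,omitempty"`
}

// SignRS256 stands in for the issuer (Hydra, or Oathkeeper's hydrated token) so the
// example runs offline; a real upstream app never holds the signing key.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString // unpadded base64url, as JWS requires
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body)
	sum := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// VerifyRS256 checks alg, signature, issuer, audience and expiry before any claim is
// trusted. In production pub comes from the issuer's JWKS endpoint, chosen by "kid".
func VerifyRS256(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		raw[i] = b
	}
	// Pin the algorithm verifier-side; the token must not choose it (alg=none, key confusion).
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // only a signed payload is worth parsing
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Issuer != wantIss || c.Audience != wantAud || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Issuer, c.Audience, c.Expiry)
	}
	return &c, nil
}

// Authorize is the per-request decision: the token must verify and the verified
// roles claim must contain requiredRole.
func Authorize(pub *rsa.PublicKey, token, wantIss, wantAud, requiredRole string, now time.Time) (bool, error) {
	c, err := VerifyRS256(pub, token, wantIss, wantAud, now)
	if err != nil {
		return false, err
	}
	for _, r := range c.Roles {
		if r == requiredRole {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key; errors ignored for brevity
	const iss, aud = "https://hydra.example.test/", "my-app" // assumed issuer and client ID
	tok, _ := SignRS256(key, Claims{Issuer: iss, Subject: "1234567890", Audience: aud,
		Expiry: time.Now().Add(5 * time.Minute).Unix(), Roles: []string{"admin", "user"}})
	ok, err := Authorize(&key.PublicKey, tok, iss, aud, "admin", time.Now())
	fmt.Println("admin allowed:", ok, err)
}
```

The verifier pins the algorithm, checks the signature before it parses the payload, and rejects the token on an issuer, audience or expiry mismatch; the role check only ever runs on claims that survived all of that. Replacing the local key with one selected by kid from the issuer's JWKS endpoint is the only change needed to point this at Hydra or Oathkeeper.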

I want to log in only with my Google account and enrich the profile with some extra claims. Something like

{
  ...
  "claims": {
    "roles": ["admin", "user"]
  }
}

Thanks… I’ll play around a bit more…

For the 2nd question, I will suggest using oathkeeper which has the ability to mutate (using the hydrator handler) the claims of the token so your upstream services can utilize them for further processes.

Can you think of another way to do this without having to add Oathkeeper to the system? I already have a proxy in place… It would be nice if Kratos itself could mutate the ID token to add some custom claims depending on the user…