Openshift console OIDC auth with Okta - User Mapping

When configuring the OpenShift console with OIDC authentication, the user is successfully authenticated by Okta and redirected to the OpenShift console. After successful authentication the user is added automatically under User Management > Users (in the OpenShift console).
The trouble now is: the user's name is mapped to app.clientId.
I want the user's name (in OpenShift) to be the user's email used for login to Okta.

This is my Okta configuration:

#Claims for default Authorization Server:
Name: sub (appuser != null) ? appuser.userName : app.clientId (default)
Name: preferred_username (appuser != null) ? appuser.userName : user.email (added)
Name: email (appuser != null) ? appuser.userName : user.email (added)

#User Profile Mappings for Openshift application:
Okta User Profile : Openshift application User Profile
user.email : userName
user.email : email

#Users assigned to Openshift application have both User Name and Email filled with email address.

This is my Openshift configuration:

#Openshift Custom Resource:

```yaml
- mappingMethod: claim
  name: openshift
  openID:
    claims:
      email:
      - email
      preferredUsername:
      - email
```

I cannot understand why the user in OpenShift is mapped with the claim sub.

From the documentation (Authorization servers | Okta Developer):

You can’t customize this authorization server with regards to audience, claims, policies, or scopes.

Have you tried creating a custom authZ server and using it for the same?

Thanks for the reply. I'm quite new to Okta configuration; could you please suggest how to fill the Audience property for the new authZ server? The guide states: "The Audience property should be set to the URI for the OAuth 2.0 resource server that consumes the access token."
Regards

The Audience field can be whatever you want when you set things up on the Okta side for a new authZ server.

These are my authorization servers now:

Claims for the custom authorization server:

But I still have the OpenShift user with the ID as username:


UPDATE:
I customized an Authorization Server and then added a custom claim (login) as below:

Then I made a request to https://myOktadomain.okta.com/oauth2/default/v1/userinfo with a valid access_token via Postman, and this is the result of the request:

I changed the OpenShift configuration like this:

But I still have the same problem.

I'm sorry, I'm not familiar with OpenShift; maybe what you see there is hardcoded and can't be altered?

From the OpenShift docs:
Claims are read from the JWT id_token returned from the OpenID identity provider and, if specified, from the JSON returned by the UserInfo URL.

At least one claim must be configured to use as the user's identity. The standard identity claim is sub.

You can also indicate which claims to use as the user's preferred user name, display name, and email address. If multiple claims are specified, the first one with a non-empty value is used.

My understanding is that all I need is in place; do you agree?

@marco I think I might know what the issue is. If you log in to your OpenShift cluster and run oc get users and oc get identities you will see the mapping for the OIDC app you created in Okta. OpenShift will not respect the claim as long as that user exists. Do an oc delete on that auto-generated user/identity, then try logging in again via Okta. There is a good chance it will now use the claim you set up in Okta. If that doesn't work, I'd change the claim's type from Access to ID Token (Always).
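To show why the user keeps the old name even after the claim mapping is fixed, here is an added model (not OpenShift's own code and not from this thread) of the documented rules: the identity is keyed on `<provider>:<sub>`, the user name comes from the first non-empty `preferredUsername` claim (falling back to `sub`), and with `mappingMethod: claim` an identity that already exists keeps the user it was bound to at first login. The names `IdentityStore`, `resolve`/`demo` and the sample `sub` value are assumptions for the example.

```python
# Added model of OpenShift's OIDC identity -> User binding (hypothetical names).
# Rules follow the docs quoted in the thread; the store stands in for
# "oc get identities" / "oc get users" state persisted at first login.

def first_non_empty(claims, names):
    """First configured claim with a non-empty value, else '' (per the docs)."""
    for name in names:
        value = claims.get(name)
        if value:
            return str(value)
    return ""


class IdentityStore:
    def __init__(self):
        self.identities = {}  # "<provider>:<sub>" -> bound user name
        self.users = set()

    def login(self, provider, token_claims, claim_cfg):
        identity = f"{provider}:{token_claims['sub']}"
        # mappingMethod: claim -> an existing identity keeps its bound user,
        # whatever the current token's claims say.
        if identity in self.identities:
            return self.identities[identity]
        preferred = first_non_empty(token_claims, claim_cfg.get("preferredUsername", []))
        user = preferred or token_claims["sub"]  # fallback to sub when no claim matched
        if user in self.users:
            raise RuntimeError(f"user {user} is already bound to another identity")
        self.identities[identity] = user
        self.users.add(user)
        return user

    def delete(self, provider, sub):
        """The fix from the thread: oc delete identity/<provider>:<sub> and user/<name>."""
        user = self.identities.pop(f"{provider}:{sub}", None)
        if user is not None:
            self.users.discard(user)
        return user


def demo():
    store = IdentityStore()
    cfg = {"preferredUsername": ["email"], "email": ["email"]}
    sub = "0oa1example"  # constructed value shaped like an Okta app clientId
    first = store.login("openshift", {"sub": sub}, cfg)  # first login: no email claim yet
    second = store.login("openshift", {"sub": sub, "email": "marco@example.com"}, cfg)
    store.delete("openshift", sub)  # remove the auto-generated identity and user
    third = store.login("openshift", {"sub": sub, "email": "marco@example.com"}, cfg)
    return first, second, third
```

Running `demo()` shows the user named after the client ID twice (the stale binding wins) and only after the delete does the email become the user name.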