OIDC with Okta doesn't get username or groups

Bug Report

I have followed the steps at:

I have created an app in Okta with the implicit flow and mapped all groups.

Steps to Reproduce

Following environment variables:

export CONCOURSE_OIDC_DISPLAY_NAME=Okta
export CONCOURSE_OIDC_CLIENT_ID=clientid
export CONCOURSE_OIDC_CLIENT_SECRET=clientsecret
export CONCOURSE_OIDC_ISSUER=
export CONCOURSE_MAIN_TEAM_OIDC_GROUP=dev-concourse
export CONCOURSE_OIDC_GROUPS_KEY='groups'
export CONCOURSE_OIDC_SCOPE='openid groups'

Expected Results

Username and groups to be passed to concourse to allow user to join the main team

Actual Results

HTTP 401 returned to clients, with the following in the logs:

{"timestamp":"2019-03-12T17:03:17.480427687Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"oidc\", username=\"\", email=\" (unverified)\", groups=[]","session":"6"}}
{"timestamp":"2019-03-12T17:03:17.532387726Z","level":"error","source":"atc","message":"","data":{"error":"user doesn't belong to any team","session":"5.40"}}

Version Info

  • Concourse version: 5.0.0
  • Deployment type (BOSH/Docker/binary): binary
  • Infrastructure/IaaS: debian
  • Browser (if applicable): N/A
  • Did this used to work? N/A
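The log line above shows the ID token arriving with an empty groups list, and the 401 follows from the team check. The script below is an added diagnostic example, not Concourse or dex code: it assumes, as the report's variables suggest, that the groups claim is read from the ID token under the key named by CONCOURSE_OIDC_GROUPS_KEY and compared with CONCOURSE_MAIN_TEAM_OIDC_GROUP. It decodes the payload of a JWT-formatted ID token and reports whether the claim is missing, present under a different key, or present without the required group. The tokens are constructed, unsigned samples; the code only inspects claims and deliberately does not verify signatures, so it must not be used to make trust decisions.

```python
import base64
import json

# Constructed configuration mirroring the report's environment variables
# (placeholder values, not real settings).
OIDC_GROUPS_KEY = "groups"            # CONCOURSE_OIDC_GROUPS_KEY
MAIN_TEAM_OIDC_GROUP = "dev-concourse"  # CONCOURSE_MAIN_TEAM_OIDC_GROUP


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWT parts."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT-formatted ID token.

    Claim inspection only: the signature segment is ignored, so the result
    says what the IdP put in the token, not whether the token is trustworthy.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def extract_groups(claims: dict, groups_key: str = OIDC_GROUPS_KEY) -> list:
    """Read the groups claim under the configured key; absent or malformed -> []."""
    value = claims.get(groups_key)
    if isinstance(value, list):
        return [str(g) for g in value]
    if isinstance(value, str):  # some IdPs emit a single group as a bare string
        return [value]
    return []


def may_join_main_team(claims: dict,
                       required_group: str = MAIN_TEAM_OIDC_GROUP,
                       groups_key: str = OIDC_GROUPS_KEY) -> bool:
    """True when the required group appears in the configured groups claim."""
    return required_group in extract_groups(claims, groups_key)


def diagnose(claims: dict,
             required_group: str = MAIN_TEAM_OIDC_GROUP,
             groups_key: str = OIDC_GROUPS_KEY) -> str:
    """Explain why a token would or would not satisfy the team group check."""
    if groups_key not in claims:
        return (f"no '{groups_key}' claim in ID token: check the requested scope "
                f"and the IdP's groups claim filter")
    groups = extract_groups(claims, groups_key)
    if required_group not in groups:
        return f"'{required_group}' not in groups {groups}"
    return "ok"


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a constructed sample token with an empty signature segment.

    Real ID tokens carry a signature that the OIDC client verifies; it is left
    empty here because this example only looks at claim names and values.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (hypothetical subject ids and groups).
TOKEN_WITH_GROUPS = make_unsigned_sample_token(
    {"sub": "00uEXAMPLE", "groups": ["dev-concourse", "eng"]})
TOKEN_NO_GROUPS = make_unsigned_sample_token({"sub": "00uEXAMPLE"})
TOKEN_OTHER_KEY = make_unsigned_sample_token(
    {"sub": "00uEXAMPLE", "roles": ["dev-concourse"]})


if __name__ == "__main__":
    for name, tok in [("with groups", TOKEN_WITH_GROUPS),
                      ("no groups", TOKEN_NO_GROUPS),
                      ("other key", TOKEN_OTHER_KEY)]:
        print(f"{name}: {diagnose(id_token_claims(tok))}")
```

Running the module against a token copied out of a browser session (or an IdP's token preview) tells you which of the three failure modes you are looking at: claim absent (scope or IdP filter), claim under a key other than the configured one, or claim present without the expected group. The `groups=[]` in the report corresponds to the first two cases.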

Comment from MartinLeedotOrg:

In Okta you can specify a regex for which groups get passed through in the groups claim. I've specified .* (and verified that works in another application).

dev-concourse is a group I've set up for this test.

I can see that username might not be supported - looks like it falls back to sub? That's fine for me - less than ideal but works. Groups not working is a bigger problem though.

I can have Okta only allow authentication for certain users. Is there a combination of the configuration that would allow me to say "All users authenticating by OIDC should be in the main team"?
