feat(okta): group-to-role mapping, user auto-provisioning and userinfo enrichment#6574
Open
an0nym21 wants to merge 7 commits into
Open
feat(okta): group-to-role mapping, user auto-provisioning and userinfo enrichment#6574an0nym21 wants to merge 7 commits into
an0nym21 wants to merge 7 commits into
Conversation
dosubot
Bot
added
size:L
an0nym21
force-pushed
the
feat/okta-group-role-mapping
branch
from
1abe3be to
e01b9bf
Compare
Okta group memberships included in the JWT `groups` claim can now be mapped to Keep roles through environment variables: OKTA_ADMIN_GROUPS=keep-admins,platform-team OKTA_NOC_GROUPS=keep-noc,ops-team OKTA_WEBHOOK_GROUPS=keep-webhooks When multiple groups match, the highest-privilege role wins (admin > noc > webhook). If no mapping is configured or no group matches, the previous fallback chain is preserved: `keep_role` claim → `role` claim → first group value → "noc" default. This mirrors the existing KEEP_OAUTH2_PROXY_*_ROLES mechanism and removes the need to configure custom claims on the Okta authorization server for group-based setups. Documentation updated accordingly.
Access tokens from Okta do not include group claims configured at the app level. Call /v1/userinfo on each request to retrieve groups, name, and email from the profile — falling back to JWT claims if absent. Adds OKTA_USERINFO_URL env var to override the default derived URL.
…sioning Also fix role fallback: unmapped groups should resolve to DEFAULT_ROLE_NAME when group mappings are configured, not use the raw group name as a role.
Okta app-level group claims (configured via Sign On → Group claim filter) are embedded in the ID token only — they do not appear in the access token or the /v1/userinfo response. Passing the ID token to the Keep API allows the backend to read the `groups` claim directly from the JWT payload and resolve the correct role via OKTA_*_GROUPS mappings. Changes: - auth.config.ts: use account.id_token instead of account.access_token for Okta; refresh flow also returns the new id_token; remove non-standard `groups` scope from the authorization request - okta_authverifier.py: skip userinfo call when `groups` is already present in the JWT (ID tokens cannot be used as bearer for the userinfo endpoint); downgrade userinfo log to debug to reduce PII exposure
an0nym21
force-pushed
the
feat/okta-group-role-mapping
branch
from
5537639 to
ad10d67
Compare
Codecov Report✅ All modified and coverable lines are covered by tests.
Additional details and impacted files@@ Coverage Diff @@
## main #6574 +/- ##
===========================================
- Coverage 46.28% 30.49% -15.79%
===========================================
Files 177 101 -76
Lines 18617 11735 -6882
===========================================
- Hits 8616 3579 -5037
+ Misses 10001 8156 -1845 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Contributor
Author
|
Hi 👋 — I've updated the PR description to accurately reflect the final implementation (the key insight was that Okta app-level group claims are only available in the ID token, not the access token or userinfo endpoint). Could someone take a look and let me know if anything is missing before this can be merged? Specifically:
Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
How it works
Okta app-level Group Claims (configured under Sign On → OpenID Connect ID Token) are embedded in the ID token only — they do not appear in the access token or the `/v1/userinfo` response.
This PR switches the Okta auth flow to forward the ID token to the Keep API (matching the approach already used for Auth0 and OneLogin). The backend verifies the ID token signature via JWKS, reads the `groups` claim directly from the JWT payload, and resolves the highest-priority matching Keep role.
Role priority: `admin` > `noc` > `webhook`
Configuration example
Fixes #6573