OIDC username storage and mapping to login username

Hi, I’m trying to use an OIDC connector to manage users connecting to Teleport. I’ve worked through configuring the connector and after some false starts have it connecting and creating a user inside Teleport.

The user it creates has an email username someuser@example.com and there is a username of ‘someuser’ in the traits of the user record. However, when I try to log in to a server it sends the email as the username and naturally fails. The role I’m using has ‘{{external.username}}’ as the allowed logins, so I’d have expected it to use ‘someuser’, not ‘someuser@example.com’.

kind: role
metadata:
  id: 1564159390179270517
  name: somerole
spec:
  allow:
    logins:
    - '{{external.username}}'

I’ve looked through the code and it does seem that using the email as the ‘username’ is intentional https://github.com/gravitational/teleport/blob/master/lib/auth/oidc.go#L400.

What should I do here to select the correct trait and avoid it sending the email in an SSH request? Is there some other logins templating I can use in my role?

thanks!

Steve

I looked into this issue. When I tried, it looks like a value for username actually does get passed through and should be usable.

I set these two custom values for username and login up on Auth0 and then logged into my test cluster; these are the claims:

DEBU [AUTH]      OIDC claims: map[app_metadata:map[login:webvictim roles:[gravitational/admins gravitational/devc gravitational/wikireaders] username:webvictim] aud:V0vOv0093JCBlGctSWA7vELnV0ufTazN awsRole:arn:aws:iam::126027368216:role/auth0-admin,arn:aws:iam::126027368216:saml-provider/auth0 awsRoleSession:gus clientID:V0vOv0093JCBlGctSWA7vELnV0ufTazN created_at:2019-02-14T16:21:19.875Z email:gus@gravitational.com email_verified:true exp:1.564723786e+09 family_name:Luxton given_name:Gus iat:1.564687786e+09 identities:[map[connection:google-oauth2 isSocial:true provider:google-oauth2 user_id:102645889361203966163]] iss:https://gravitational.auth0.com/ locale:en login:webvictim name:Gus Luxton nickname:gus picture:https://lh6.googleusercontent.com/-cEVzNGlb4lY/AAAAAAAAAAI/AAAAAAAAAAg/uxllcFwFjVk/photo.jpg roles:[gravitational/admins gravitational/devc gravitational/wikireaders] sub:google-oauth2|102645889361203966163 updated_at:2019-08-01T19:29:45.397Z user_id:google-oauth2|102645889361203966163 user_metadata:map[] username:webvictim]. auth/oidc.go:200

This is my role:

root@gus-main-auth-0:/# tctl get role/clusteradmin
kind: role
metadata:
  id: 1564677466543247436
  name: clusteradmin
spec:
  allow:
    kubernetes_groups:
    - system:masters
    logins:
    - root
    - '{{external.username}}'
    node_labels:
      '*': '*'
    rules:
    - resources:
      - '*'
      verbs:
      - '*'
  deny:
    logins: null
  options:
    cert_format: standard
    forward_agent: true
    max_session_ttl: 12h0m0s
    port_forwarding: true
version: v3

This is what I get from tsh login when I log in with Auth0:

$ tsh login --proxy=gus-main.gravitational.co
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:34055/6797e5df-cac0-4fa9-8ce6-267f494a149b
> Profile URL:  https://gus-main.gravitational.co:3080
  Logged in as: gus@gravitational.com
  Cluster:      gus-main.gravitational.co
  Roles:        clusteradmin*
  Logins:       root, webvictim
  Valid until:  2019-08-02 04:29:46 -0300 ADT [valid for 12h0m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty


* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise

The logins value is populated correctly as I’d expect.

What SSO provider are you using here?

Thanks for the reply, Gus. I’m using AWS Cognito here for a POC.

If I do a tsh status I see

Profile URL: http s://somehost:3080
Logged in as: somedev@domain.com
Cluster: somecluster
Roles: dev*
Logins: somedev
Valid until: 2019-07-27 09:34:55 +0100 IST [EXPIRED]
Extensions: permit-port-forwarding, permit-pty

  • RBAC is only available in Teleport Enterprise

I see ‘somedev’ there, like you see root, webvictim, so I’d have expected it to use ‘somedev’ to log in to the host.

In the logs I see
OIDC claims: map[at_hash:KtwwHq3WpsWxh2Q560fA aud:7mplejnte8e5rs3j823d auth_time:1.564173294e+09 cognito:groups:[dev] cognito:username:somedev email:somedev@somedomain.com email_verified:true exp:1.xxx4e+09 iat:1.564173xxx09 iss:http s://cognito-idp.us-east-1.amazonaws.com/us-east-1xxxxxF3 sub:e96d0332-83a1-431c-bd87-esssss token_use:id username:somedev]

(spaces in links are intentional here so I can post)

That all looks fine to me. What happens when you log into the cluster and then tsh ssh somedev@somehost?

(tsh uses your local username on the client where you’re running it by default, so if that isn’t somedev then you need to explicitly specify the username - either with tsh ssh somedev@somehost or tsh ssh -l somedev somehost)
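The chain discussed in this thread, from IdP claims to traits, from `{{external.username}}` in the role to the permitted logins, and then tsh's choice of which login to send, modelled in a short Python script. This is an added illustration written for this page, not Teleport's own code: the claim sets are constructed to match the shapes posted above (Auth0's flat `username` claim and Cognito's `cognito:username`), the flattening and "drop a template whose trait is missing" rules are assumptions about the mapping, and `choose_ssh_login` only models the default-to-local-username behaviour described in the last reply.

```python
"""Model of OIDC claims -> traits -> role login templates -> tsh login choice.
Illustrative only; assumptions about Teleport's exact rules are noted inline."""
import re
from typing import Dict, List, Optional, Tuple

Traits = Dict[str, List[str]]

# Constructed claim sets, shaped like the two posted in the thread.
CLAIMS_AUTH0 = {
    "email": "someuser@example.com",
    "email_verified": True,
    "username": "someuser",
    "roles": ["gravitational/admins", "gravitational/devc"],
    "app_metadata": {"login": "someuser", "username": "someuser"},
}
CLAIMS_COGNITO = {
    "email": "somedev@example.com",
    "cognito:groups": ["dev"],
    "cognito:username": "somedev",
    "username": "somedev",
    "token_use": "id",
}

# A login entry that is exactly one {{external.<claim>}} reference.
TEMPLATE = re.compile(r"^\{\{\s*external\.([A-Za-z0-9_:\-]+)\s*\}\}$")


def claims_to_traits(claims: Dict) -> Traits:
    """Flatten top-level claims into traits: a string becomes a one-element
    list, a list of strings is kept, anything else (bools, nested maps such as
    app_metadata) is skipped.  Assumption: this is how a claim becomes
    external.<name>; nested claims are not descended into here."""
    traits: Traits = {}
    for key, value in claims.items():
        if isinstance(value, str):
            traits[key] = [value]
        elif isinstance(value, list) and all(isinstance(v, str) for v in value):
            traits[key] = list(value)
    return traits


def teleport_username(claims: Dict) -> str:
    """The Teleport user record is keyed by the email claim (the thread links
    the code that does this), which is why 'Logged in as' shows the email
    while the permitted Unix logins come from the role."""
    return claims["email"]


def expand_logins(logins: List[str], traits: Traits) -> List[str]:
    """Expand a role's allow.logins against the user's traits.  A literal login
    passes through; {{external.X}} expands to every value of trait X; a
    template whose trait is absent contributes no login (assumption)."""
    result: List[str] = []
    for login in logins:
        match = TEMPLATE.match(login)
        if match is None:
            result.append(login)
            continue
        for value in traits.get(match.group(1), []):
            if value not in result:
                result.append(value)
    return result


def choose_ssh_login(explicit: Optional[str], local_user: str,
                     allowed: List[str]) -> Tuple[str, bool]:
    """Model tsh ssh: with no user@host or -l, the local OS username is sent.
    Returns (login_sent, permitted_by_role)."""
    login = explicit if explicit else local_user
    return login, login in allowed


if __name__ == "__main__":
    traits = claims_to_traits(CLAIMS_COGNITO)
    allowed = expand_logins(["root", "{{external.username}}"], traits)
    print("Logged in as:", teleport_username(CLAIMS_COGNITO))
    print("Logins:", ", ".join(allowed))
    for explicit in (None, "somedev"):
        login, ok = choose_ssh_login(explicit, "steve", allowed)
        print(f"tsh ssh {'-l ' + explicit + ' ' if explicit else ''}somehost "
              f"-> sends login {login!r}, permitted={ok}")
```

Running it with a local OS user that differs from the trait value reproduces the symptom in the thread: the role grants `somedev`, but a bare `tsh ssh somehost` sends the local username, so the connection is refused until the login is given with `user@host` or `-l`.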