feat(okta): group-to-role mapping, user auto-provisioning and userinfo enrichment#6574
Open
an0nym21 wants to merge 4 commits into
Open
feat(okta): group-to-role mapping, user auto-provisioning and userinfo enrichment#6574an0nym21 wants to merge 4 commits into
an0nym21 wants to merge 4 commits into
Conversation
dosubot
Bot
added
size:L
Okta group memberships included in the JWT `groups` claim can now be mapped to Keep roles through environment variables: OKTA_ADMIN_GROUPS=keep-admins,platform-team OKTA_NOC_GROUPS=keep-noc,ops-team OKTA_WEBHOOK_GROUPS=keep-webhooks When multiple groups match, the highest-privilege role wins (admin > noc > webhook). If no mapping is configured or no group matches, the previous fallback chain is preserved: `keep_role` claim → `role` claim → first group value → "noc" default. This mirrors the existing KEEP_OAUTH2_PROXY_*_ROLES mechanism and removes the need to configure custom claims on the Okta authorization server for group-based setups. Documentation updated accordingly.
Access tokens from Okta do not include group claims configured at the app level. Call /v1/userinfo on each request to retrieve groups, name, and email from the profile — falling back to JWT claims if absent. Adds OKTA_USERINFO_URL env var to override the default derived URL.
…sioning Also fix role fallback: unmapped groups should resolve to DEFAULT_ROLE_NAME when group mappings are configured, not use the raw group name as a role.
an0nym21
force-pushed
the
feat/okta-group-role-mapping
branch
from
1abe3be to
e01b9bf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
OKTA_ADMIN_GROUPS,OKTA_NOC_GROUPS,OKTA_WEBHOOK_GROUPSenv vars to map Okta group membership to Keep roles/v1/userinfoendpoint on each request to retrieve group claims (not present in access tokens by default)OktaIdentityManager.get_users()which previously returned an empty listOKTA_USERINFO_URLenv var to override the userinfo endpoint URLdocs/deployment/authentication/okta-auth.mdxHow it works
Okta app-level Group Claims are included in the ID token and userinfo response, but not in the access token. Keep verifies the access token (Bearer), so groups were always empty. This PR calls
/v1/userinfowith the Bearer token after JWT verification to retrieve the groups, then resolves the highest-priority matching role.Role priority:
admin>noc>webhookConfiguration example
Fixes #6573