How to create a user and an identity, and map them, for OIDC authentication when 'mappingMethod' is set to 'lookup'

Solution Unverified - Updated

Environment

  • Red Hat OpenShift Container Platform 4.x

Issue

  • OIDC users and identities inside the Red Hat OCP cluster are not created automatically when 'mappingMethod' is set to 'lookup' in the OAuth manifest
  • How to prevent OIDC users from logging in unless an administrator has explicitly provisioned them
  • Administrator wants to create the user object and grant permissions to it before the actual OIDC user logs in for the first time

Resolution

What is 'mappingMethod' as 'lookup' inside the OAuth manifest?

  • Looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities; a login for which no matching identity exists is rejected
  • This allows cluster administrators to set up identities and users manually, or using an external process
  • Using this method requires you to provision the user, the identity and the mapping between them before the user logs in

Create User

  • Create a user with the username 'myuser'
    $ oc create user myuser

Create Identity

  • The identity name is '<oidcprovidername>:<sub claim value>', where <oidcprovidername> is the 'name' of the identity provider entry in the OAuth manifest and the sub claim value must be unique and stable for each user. By default some OIDC providers put the provider username in the sub claim rather than a unique, stable identifier; in that case configure a mapper in the OIDC provider to map a unique attribute (for example the user UID) to the sub claim.
    $ oc create identity <oidcprovidername>:<sub claim value>

User and Identity Mapping

  • After creating the user and the identity, map them with a user identity mapping (identity first, then user).
    $ oc create useridentitymapping <oidcprovidername>:<sub claim value> myuser
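The three steps above, plus the role grant from the Issue section, as one idempotent script. This is an added example and not part of the Red Hat solution; the identity provider name 'keycloak', the sub value and the project 'dev-team' used in the usage comments are assumed sample values, and the script expects a logged-in cluster-admin 'oc' session.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat article): pre-provision an OIDC user for an
# OAuth identity provider configured with mappingMethod: lookup, then grant it a
# role before the person ever logs in. Usage (sample values are assumptions):
#   ./provision-oidc-user.sh keycloak 7c1a0b2e-sub-value myuser dev-team edit
set -eu

# With mappingMethod: lookup the identity OpenShift searches for on login is
# named "<identity provider name>:<sub claim value>", where the provider name is
# the .spec.identityProviders[].name entry in the OAuth cluster CR.
identity_name() { printf '%s:%s' "$1" "$2"; }

# Reject inputs that cannot produce a valid identity: empty fields, or a provider
# name containing ':' (the identity name is split on that character).
validate_inputs() {
  idp="$1"; sub="$2"; user="$3"
  [ -n "$idp" ] && [ -n "$sub" ] && [ -n "$user" ] ||
    { echo "idp, sub and user must be non-empty" >&2; return 1; }
  case "$idp" in *:*) echo "identity provider name must not contain ':'" >&2; return 1;; esac
}

# Confirm the provider name actually exists in the OAuth CR; a typo here would
# create an identity that is never looked up at login time.
provider_configured() {
  oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}' \
    | tr ' ' '\n' | grep -qx -- "$1"
}

ensure_user() {
  oc get user "$1" >/dev/null 2>&1 || oc create user "$1"
}

ensure_identity() {
  id="$(identity_name "$1" "$2")"
  oc get identity "$id" >/dev/null 2>&1 || oc create identity "$id"
}

# Map identity -> user, but refuse to silently re-point an identity that is
# already bound to a different user (that would hand the account to someone else).
ensure_mapping() {
  id="$(identity_name "$1" "$2")"
  mapped="$(oc get identity "$id" -o jsonpath='{.user.name}')"
  if [ -z "$mapped" ]; then
    oc create useridentitymapping "$id" "$3"
  elif [ "$mapped" != "$3" ]; then
    echo "identity $id is already mapped to user '$mapped', not '$3'; refusing" >&2
    return 1
  fi
}

provision_oidc_user() {
  idp="$1"; sub="$2"; user="$3"; project="${4:-}"; role="${5:-edit}"
  validate_inputs "$idp" "$sub" "$user"
  provider_configured "$idp" ||
    { echo "no identity provider named '$idp' in the OAuth CR" >&2; return 1; }
  ensure_user "$user"
  ensure_identity "$idp" "$sub"
  ensure_mapping "$idp" "$sub" "$user"
  # The User object now exists, so permissions can be granted before first login.
  if [ -n "$project" ]; then
    oc adm policy add-role-to-user "$role" "$user" -n "$project"
  fi
  oc get identity "$(identity_name "$idp" "$sub")" \
    -o custom-columns=IDENTITY:.metadata.name,USER:.user.name
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
  provision_oidc_user "$@"
fi
```

The identity-to-user check in ensure_mapping is the security-relevant part: re-running the script with a sub value that already belongs to someone else must fail rather than quietly re-map that identity to the new username.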

Diagnostic Steps

Check the user, the identity and the mapping, then do a test login. The credentials passed to 'oc login' are the ones the OIDC provider knows (the provider username, which may differ from 'myuser'); with 'mappingMethod' set to 'lookup', 'oc whoami' after login should return the mapped user 'myuser'. Username/password login against an OIDC provider only works if the provider supports the Resource Owner Password Credentials grant; otherwise log in through the web console and use the token it provides with 'oc login --token=<token>'.

    $ oc get user
    $ oc get identity
    $ oc get useridentitymapping
    $ oc login -u <oidc provider username for myuser> -p <oidc password for myuser>
    $ oc whoami

If the result is unexpected (for example the login is rejected or 'oc whoami' returns a different user), enable the OAuth server debug log and check the pod logs. Changing 'logLevel' restarts the oauth-openshift pods, so wait for them to become Ready, reproduce the login, and then look for log lines that mention the identity name '<oidcprovidername>:<sub claim value>'.

    $ oc edit authentication.operator cluster
    spec:
      logLevel: Debug # <======

    $ oc get pods -n openshift-authentication
    $ oc logs oauth-openshift-XXXXXX -n openshift-authentication

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.