Proposal: oauth2 mapping to provide roles with user info


I am currently using SAML for authentication which also takes care of roles through the memberOf field. I am transitioning to OpenID Connect (OAuth2) to provide authentication but this does not seem to be able to provide roles to a user. When I authenticate, roles are passed back in the user information, but Spinnaker does not map them to the Spinnaker user. Is there a way to provide roles with OpenID Connect? Or am I missing something? I am on Spinnaker 1.10.2.

I would like to propose a new mapping for oauth2 that would allow roles to be passed along with email, name, etc. I am hoping that it will operate similarly to how SAML works with the memberOf field. The GitHub teams and Google groups providers have an authz implementation, but the bring-your-own-provider lacks authz. Providing an optional roles mapping would fill that gap (though it would suffer the same static nature as the SAML-provided roles).

My specific use case is that we have OpenID Connect (through PingFed) that is integrated with Active Directory. This provides roles along with user information. I would like to be able to use this information for authorization.
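To make the proposed mapping concrete, here is an added example (not Spinnaker's code and not part of this thread) of how an optional `roles` entry next to the existing email/name mapping could be applied to an OIDC userinfo response. The userinfo payload, the `memberOf` claim name and the lower-casing of roles are assumptions for illustration.

```python
import json

# Constructed sample userinfo response, modelled on what an OIDC provider
# fronting Active Directory might return. Not a real capture.
SAMPLE_USERINFO = json.dumps({
    "sub": "a1b2c3",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "jdoe",
    "memberOf": ["Spinnaker-Admins", "dev-team", "Dev-Team"],
})

# Hypothetical mapping config: the usual email/name entries plus the
# optional "roles" entry this proposal asks for (absent => no OIDC roles).
MAPPING = {
    "email": "email",
    "firstName": "given_name",
    "lastName": "family_name",
    "username": "preferred_username",
    "roles": "memberOf",
}

def extract_roles(userinfo, claim):
    """Return a normalized, de-duplicated role list read from `claim`.
    Accepts a JSON list or a space/comma separated string; rejects
    anything else so a malformed claim never silently yields no roles."""
    value = userinfo.get(claim)
    if value is None:
        return []
    if isinstance(value, str):
        value = value.replace(",", " ").split()
    if not isinstance(value, list):
        raise ValueError(f"roles claim {claim!r} must be a list or string")
    roles = []
    for item in value:
        if not isinstance(item, str):
            raise ValueError(f"non-string entry in roles claim {claim!r}")
        role = item.strip().lower()  # assumed: roles matched case-insensitively
        if role and role not in roles:
            roles.append(role)
    return roles

def map_user(userinfo_json, mapping):
    """Build a user record from a userinfo response using `mapping`."""
    info = json.loads(userinfo_json)
    user = {f: info.get(mapping[f]) if f in mapping else None
            for f in ("email", "firstName", "lastName", "username")}
    if not user["email"]:
        raise ValueError("userinfo lacks the mapped email claim")
    roles_claim = mapping.get("roles")
    user["roles"] = extract_roles(info, roles_claim) if roles_claim else []
    return user
```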



This would be useful for us too. We currently use GitLab OAuth with Spinnaker and group membership is available via the right scope. Happy to test and provide info, outputs, etc.


What OAuth provider are you using that includes roles?


We use a Ping Federate-hosted OpenID Connect. It allows us to map roles from Active Directory as part of the identity of the user.