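# Kuadrant AuthPolicy patch (the `$patch: replace` directives below indicate a
# Kustomize strategic-merge patch over a base policy that is not in this file).
# It adds an external-OIDC identity source alongside the existing OpenShift
# TokenReview source and rewrites the two identity headers so that both
# sources produce the same header shape.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: maas-api-auth-policy
spec:
  rules:
    authentication:
      # Match JWT-shaped bearer tokens first so external OIDC can coexist
      # with opaque OpenShift tokens handled by TokenReview.
      # `priority: 1` runs before `priority: 2`; tokens with the `sk-oai-`
      # prefix are excluded from both rules here (presumably handled by a
      # rule outside this patch -- confirm against the base policy).
      oidc-identities:
        when:
          # Three dot-separated, dot-free segments: the JWS compact form.
          # Inside YAML single quotes backslashes are literal, so `\\.` reaches
          # CEL as an escaped backslash and becomes `\.` in the regex.
          - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-") && request.headers.authorization.matches("^Bearer [^.]+\\.[^.]+\\.[^.]+$")'
        jwt:
          # Placeholder issuer (reserved `.invalid` TLD); must be replaced with
          # the real issuer before this patch is applied, or JWT validation
          # cannot succeed.
          issuerUrl: https://oidc.example.invalid/realms/maas
        priority: 1
      openshift-identities:
        when:
          - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
        priority: 2
    response:
      success:
        headers:
          X-MaaS-Username-OC:
            plain:
              $patch: replace
              # OIDC identities: preferred_username, falling back to sub.
              # TokenReview identities: user.username (no preferred_username/sub).
              # NOTE(review): OIDC does not guarantee preferred_username is
              # unique or stable across users; if downstream uses this header
              # as an identity key, confirm that is acceptable or prefer sub.
              expression: >-
                has(auth.identity.preferred_username) ?
                auth.identity.preferred_username :
                (has(auth.identity.sub) ? auth.identity.sub : auth.identity.user.username)
          X-MaaS-Group-OC:
            plain:
              $patch: replace
              # Emits a JSON array of group names as a string.
              # OIDC identities: `system:authenticated` is prepended to the
              # `groups` claim (or is the only element when the claim is empty).
              # TokenReview identities: user.groups as-is; an empty list now
              # yields `[]` instead of `[""]`.
              # NOTE(review): the array is built by string concatenation, so a
              # group name containing `"` or `\` produces malformed JSON or
              # extra elements. Group names come from the IdP / cluster, not
              # from this file -- confirm they are constrained upstream or that
              # the consumer validates the array before trusting it.
              # NOTE(review): assumes `groups` is a list; a string-valued claim
              # would fail on `.join` -- confirm with the IdP's token format.
              expression: >-
                has(auth.identity.groups) ?
                (size(auth.identity.groups) > 0 ?
                '["system:authenticated","' + auth.identity.groups.join('","') + '"]' :
                '["system:authenticated"]') :
                (size(auth.identity.user.groups) > 0 ?
                '["' + auth.identity.user.groups.join('","') + '"]' :
                '[]')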