Groups from Cognito passed as string instead of list

[jhodnett2]

Hi all.

I have an ArgoCD implementation where I have 2 SSO sources consolidated through AWS Cognito. The reason there are 2 is because of working with a 3rd party with their own SSO. I have standard OIDC config setup like:

issuer: https://cognito-idp.us-east-1.amazonaws.com/******
clientID: ******
clientSecret: $oidc.clientSecret
requestedScopes: ["openid", "email", "profile"]
requestedIDTokenClaims: {"groups": {"essential": true}, "custom:groups": {"essential": true}}
cliClientID: ******
name: SSO

and RBAC:

data:
  policy.csv: |
    g, argocd-admin, role:admin
    g, DevOps, role:admin
    g, AM, role:admin
    g, SecOps, role:admin
  policy.default: |
    role:readonly
  scopes: '[cognito:groups, custom:groups]'

The problem is that its possible (in each SSO source) for the user to be in multiple groups. When it reaches ArgoCD, the groups look like

"[Dev, AM]"

So the group appears to be one long string in ArgoCD. This happens if the source is either SSO source. If the user (in either org) is in two groups, it breaks RBAC.

Is there a way to split those groups at ArgoCD so if the group matches one I care about it passes?

I've tried both with the standard OIDC config and the Dex config. Both behaviors are the same.

[abacus3]

Hi all.

I have an ArgoCD implementation where I have 2 SSO sources consolidated through AWS Cognito. The reason there are 2 is because of working with a 3rd party with their own SSO. I have standard OIDC config setup like:

issuer: https://cognito-idp.us-east-1.amazonaws.com/******
clientID: ******
clientSecret: $oidc.clientSecret
requestedScopes: ["openid", "email", "profile"]
requestedIDTokenClaims: {"groups": {"essential": true}, "custom:groups": {"essential": true}}
cliClientID: ******
name: SSO

and RBAC:

data:
  policy.csv: |
    g, argocd-admin, role:admin
    g, DevOps, role:admin
    g, AM, role:admin
    g, SecOps, role:admin
  policy.default: |
    role:readonly
  scopes: '[cognito:groups, custom:groups]'

The problem is that its possible (in each SSO source) for the user to be in multiple groups. When it reaches ArgoCD, the groups look like

"[Dev, AM]"

So the group appears to be one long string in ArgoCD. This happens if the source is either SSO source. If the user (in either org) is in two groups, it breaks RBAC.

Is there a way to split those groups at ArgoCD so if the group matches one I care about it passes?

I've tried both with the standard OIDC config and the Dex config. Both behaviors are the same.

Are you using a custom attribute in Cognito or are you using the Cognito Groups for Dev and AM groups information?
Could you share the entire, sanitized, JWT?

[carlosElopezVecino]

I have the same issue. This is the response with custom:group only:

{
    "loggedIn": true,
    "username": "XXXXXX",
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/XXXXXX",
    "groups": [
        "[XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-c6ee8b5a1f75, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX]"
    ]
}

[nuttmeister]

@jhodnett2 @carlosElopezVecino same here. Think this is more an issue with Cognito rather than argo-cd since all custom attributes are strings or numbers and there is no way to transform these built-in.

I solved it by adding a pre-token lambda that takes my custom-attribute (that I get from one of the IdPs) custom:groups and adds them into cognito:groups (since that is a list in the token).

I also do some other things like rename/prefix the groups when adding them (since my IdP only returns uuids for the groups).

And when done I also remove the custom:groups claim from the token to avoid any confusion.

Let me know if you want the lambda code + tests (it's very small) and if you want the terraform code for it as well.