Groups from Cognito passed as string instead of list #13701
Hi all. I have an ArgoCD implementation where I have 2 SSO sources consolidated through AWS Cognito. The reason there are 2 is because of working with a 3rd party with their own SSO. I have standard OIDC config setup like:
and RBAC:
The problem is that it's possible (in each SSO source) for the user to be in multiple groups. When it reaches ArgoCD, the groups look like
So the group appears to be one long string in ArgoCD. This happens if the source is either SSO source. If the user (in either org) is in two groups, it breaks RBAC. Is there a way to split those groups at ArgoCD so if the group matches one I care about it passes? I've tried both with the standard OIDC config and the Dex config. Both behaviors are the same.
Replies: 2 comments 1 reply
Are you using a custom attribute in Cognito or are you using the Cognito Groups for
@jhodnett2 @carlosElopezVecino same here. Think this is more an issue with Cognito rather than argo-cd since all custom attributes are strings or numbers and there is no way to transform these built-in. I solved it by adding a pre-token lambda that takes my custom-attribute (that I get from one of the IdPs) `custom:groups` and adds them into `cognito:groups` (since that is a list in the token). I also do some other things like rename/prefix the groups when adding them (since my IdP only returns uuids for the groups). And when done I also remove the `custom:groups` claim from the token to avoid any confusion. Let me know if you want the lambda code + tests (it's very small) and if you want the terraform code for it as well.
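The approach described in the comment above, written out as an added example (this is not the commenter's Lambda): a Cognito pre-token-generation handler that splits the stringified `custom:groups` attribute into a list, maps the IdP's opaque group ids to readable prefixed names, merges them into `cognito:groups` via `groupOverrideDetails.groupsToOverride`, and suppresses the `custom:groups` claim. The attribute format (a JSON array or a bracketed comma-separated string such as "[uuid-1, uuid-2]"), the id-to-name mapping and the prefix are assumptions, since the thread does not show them.

```python
"""Cognito pre-token-generation Lambda (added example, not the commenter's code).

Assumptions not stated in the thread: the federated IdP's group list arrives in
the string attribute custom:groups either as a JSON array or as a bracketed,
comma-separated list such as "[uuid-1, uuid-2]"; the mapping from IdP group ids
to readable names and the prefix are hypothetical.
"""
import json

# Hypothetical mapping from the IdP's opaque group ids to names Argo CD RBAC uses.
GROUP_NAMES = {
    "1b2c3d4e-0000-0000-0000-000000000001": "argocd-admins",
    "1b2c3d4e-0000-0000-0000-000000000002": "argocd-readers",
}
PREFIX = "partner:"  # hypothetical prefix so the two SSO sources stay distinguishable


def split_groups(raw):
    """Turn the stringified group list into a list of trimmed, non-empty names."""
    if not raw:
        return []
    raw = raw.strip()
    try:
        parsed = json.loads(raw)
        if isinstance(parsed, list):
            return [str(g).strip() for g in parsed if str(g).strip()]
    except ValueError:
        pass  # not JSON: fall through to the bracketed comma-separated form
    return [g.strip() for g in raw.strip("[]").split(",") if g.strip()]


def rename_groups(groups):
    """Map opaque ids to readable names and prefix them; unknown ids are dropped
    so an unexpected value from the IdP can never grant an Argo CD role."""
    return [PREFIX + GROUP_NAMES[g] for g in groups if g in GROUP_NAMES]


def handler(event, context=None):
    """Pre-token trigger: merge custom:groups into cognito:groups, drop the string claim."""
    request = event["request"]
    existing = request.get("groupConfiguration", {}).get("groupsToOverride") or []
    added = rename_groups(split_groups(request.get("userAttributes", {}).get("custom:groups")))
    merged = list(dict.fromkeys(existing + added))  # de-duplicate, keep order
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "groupOverrideDetails": {"groupsToOverride": merged},
        "claimsToSuppress": ["custom:groups"],
    }
    return event
```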