This recipe describes how to configure K3s for OIDC authentication against an authentik instance.
This is a companion discussion topic for the original entry at https://geek-cookbook.funkypenguin.co.nz/kubernetes/oidc-authentication/authentik
Your article says "Remember how we setup a groups property-mapper when deploying authentik?"
I don't see this step in the deploying authentik article. I tried adding a groups Scope mapping in authentik with the expression return user.groups, but I'm not getting the groups in the token.
It appears that group should come back automatically as part of authentik default OAuth Mapping: OpenID 'profile', as its expression contains "groups": [group.name for group in request.user.ak_groups.all()], but it is not.
I've also tried appending --exec-arg=--oidc-extra-scope=groups to the kubectl config set-credentials oidc with no luck.
Any ideas?
Thanks!
The stated redirect URL in the provider config for authentik is wrong. Instead of http://localhost:18000 it is just http://localhost:8000
Hey, just ran into this same issue. Adding --exec-arg=--oidc-extra-scope=profile to the login command seems to work, as groups get returned when requesting that scope.
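To see whether the groups claim discussed in this thread actually reaches the ID token, the token payload can be decoded and inspected. The following is an added example, not code from the posts above or from the recipe; the claim name `groups` follows the mapping expression quoted in the thread, and the sample tokens, group name and helper names are constructed for illustration.

```python
import base64
import json


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_groups_claim(token, claim="groups"):
    """Return (ok, message) describing whether the token carries usable groups."""
    claims = decode_jwt_payload(token)
    if claim not in claims:
        return False, f"claim '{claim}' missing; token carries: {sorted(claims)}"
    value = claims[claim]
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        return False, f"claim '{claim}' is not a list of strings: {value!r}"
    if not value:
        return False, f"claim '{claim}' is present but empty"
    return True, "groups: " + ", ".join(value)


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for offline testing."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), "constructed-signature"])


if __name__ == "__main__":
    # Constructed samples: one token without the claim, one with it
    # (as returned once the 'profile' scope is requested, per the thread).
    samples = {
        "without profile scope": make_sample_token({"sub": "user-1"}),
        "with profile scope": make_sample_token(
            {"sub": "user-1", "groups": ["example-k8s-admins"]}
        ),
    }
    for label, tok in samples.items():
        ok, msg = check_groups_claim(tok)
        print(f"{label}: {'OK' if ok else 'PROBLEM'} - {msg}")
```

This only inspects claims; it does not validate the token, so it is suitable for troubleshooting scope and mapping configuration and nothing else.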