Description
Expected behavior and actual behavior:
When an OIDC claim for groups returns a string, it should treat this as a single group associated with the user. Instead, logs show an "Unable to get groups from claims" error and user is added with no groups.
Steps to reproduce the problem:
- Create a JumpCloud SSO app with the OIDC connector, set up to integrate with a Harbor instance
- Bind two groups to the JumpCloud app, ensuring the "Group Attributes" in JumpCloud matches the "Group Claim Name" in Harbor Authentication Configuration.
- (optional) In Harbor Authentication Configuration, set "OIDC Admin Group" as the first of your groups set up in JumpCloud. This is just to have immediate feedback as to if our OIDC user is being correctly mapped.
- Bind JumpCloud user to only the first JumpCloud group assigned access to Harbor.
- Attempt to log in to harbor via JumpCloud OIDC. Note that user is not a member of the specified group in Harbor. Note oidc logs with `docker logs harbor-core | grep oidc`.
- Bind JumpCloud user to the second JumpCloud group assigned access to Harbor. This forces JumpCloud to send the group claims key as a list of strings rather than a string.
- Attempt to log in to harbor via JumpCloud OIDC. Note that user is now a member of both of the groups in Harbor as expected.
Versions:
- harbor version: 2.13.2-436918f8
- docker engine version: 28.3.3
- docker-compose version: 2.39.1
Additional context:
- A previous bug report for this was opened here, issue #20779 and the initial bug reporter found a workaround of ensuring each user is a member of at least two groups. My use case involves some users only ever being a member of one group associated with the JumpCloud SSO app, and having to ensure that each user is added to a catch-all group when onboarded to Harbor, as well as removed when access is revoked is not feasible and is susceptible to human error and configuration drift between groups.
- In reading the OIDC spec, specifically Section 5.5: Claims, it seems to be ambiguous as to if the JSON returned should be a string or a list of strings if returning a single item.
Harbor config files:
N/A, please advise if needed. I used the online installer script.
Log files:
From when I am in just one group:
Warning level log: [WARNING] [/pkg/oidc/helper.go:417]: Unable to get groups from claims, claims: map[at_hash:redacted aud:[redacted] auth_time:1.756314489e+09 email:redacted email_verified:true exp:1.756318089e+09 family_name:redacted given_name:redacted groups_claim:Harbor Admin iat:1.756314489e+09 iss:https://oauth.id.jumpcloud.com/ jc_org:redacted jti:redacted middle_name:redacted name:redacted preferred_username:jredacted rat:1.756314488e+09 sid:redacted sub:redacted
Look at the groups_claim key in both decoded JWTs.
I turned on debug level logs to capture the JWT. Here's the decoded JWT for when I am a member of just one group:
```json
{
  "at_hash": "redacted",
  "aud": [
    "redacted"
  ],
  "auth_time": 1756314489,
  "email": "redacted",
  "email_verified": true,
  "exp": 1756318089,
  "family_name": "redacted",
  "given_name": "redacted",
  "groups_claim": "Harbor Admin",
  "iat": 1756314489,
  "iss": "https://oauth.id.jumpcloud.com/",
  "jc_org": "redacted",
  "jti": "redacted",
  "middle_name": "redacted",
  "name": "redacted",
  "preferred_username": "redacted",
  "rat": 1756314488,
  "sid": "redacted",
  "sub": "redacted"
}
```
And here is my decoded JWT where I am a member of two groups:
```json
{
  "at_hash": "redacted",
  "aud": [
    "redacted"
  ],
  "auth_time": 1756314410,
  "email": "redacted",
  "email_verified": true,
  "exp": 1756318010,
  "family_name": "redacted",
  "given_name": "redacted",
  "groups_claim": [
    "Harbor RBAC Access",
    "Harbor Admin"
  ],
  "iat": 1756314410,
  "iss": "https://oauth.id.jumpcloud.com/",
  "jc_org": "redacted",
  "jti": "redacted",
  "middle_name": "redacted",
  "name": "redacted",
  "preferred_username": "redacted",
  "rat": 1756314409,
  "sid": "redacted",
  "sub": "redacted"
}
```
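The two decoded tokens above differ only in the JSON type of `groups_claim`: a bare string when the user is in one group, an array of strings when in two. The following is an added, stand-alone illustration (not Harbor's code and not the logic in `pkg/oidc/helper.go`) of a claim lookup that accepts both shapes, as the expected behaviour in the report describes, while still failing closed on anything that is not a string or an array of strings. The function names `groupsFromClaims` and `groupsFromToken` are hypothetical, and the two token payloads are trimmed, redacted copies of the ones quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// groupsFromClaims is a hypothetical helper: it returns the group names held
// under groupClaim, treating a bare string as a single-element group list
// and an array of strings as the list itself. Any other JSON type is an
// error, so a malformed claim is reported rather than silently mapped to
// "no groups" or to the wrong groups.
func groupsFromClaims(claims map[string]interface{}, groupClaim string) ([]string, error) {
	raw, ok := claims[groupClaim]
	if !ok {
		return nil, fmt.Errorf("claim %q not present in token", groupClaim)
	}
	switch v := raw.(type) {
	case string:
		// Single-group case: the IdP serialises the one group as a plain string.
		if v == "" {
			return nil, fmt.Errorf("claim %q is an empty string", groupClaim)
		}
		return []string{v}, nil
	case []interface{}:
		// Multi-group case: encoding/json decodes a JSON array as []interface{}.
		out := make([]string, 0, len(v))
		for i, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q element %d is %T, want string", groupClaim, i, e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("claim %q has unsupported type %T", groupClaim, raw)
	}
}

// Constructed sample payloads: trimmed, redacted versions of the two decoded
// ID tokens quoted in the issue (one group as a string, two groups as a list).
const singleGroupToken = `{"iss":"https://oauth.id.jumpcloud.com/","sub":"redacted","groups_claim":"Harbor Admin"}`
const twoGroupToken = `{"iss":"https://oauth.id.jumpcloud.com/","sub":"redacted","groups_claim":["Harbor RBAC Access","Harbor Admin"]}`

// groupsFromToken decodes an already-verified ID-token payload (JSON claims)
// and extracts the groups. Signature and issuer checks are assumed to have
// happened before this point; this helper only deals with claim shape.
func groupsFromToken(payload, groupClaim string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, fmt.Errorf("decoding claims: %w", err)
	}
	return groupsFromClaims(claims, groupClaim)
}

func main() {
	for _, payload := range []string{singleGroupToken, twoGroupToken} {
		groups, err := groupsFromToken(payload, "groups_claim")
		fmt.Printf("groups=%v err=%v\n", groups, err)
	}
}
```

Running it prints `[Harbor Admin]` for the first payload and `[Harbor RBAC Access Harbor Admin]` for the second, with no error in either case. The `default` branch matters for the admin-group mapping mentioned in the report: a claim that is neither a string nor a string array surfaces as an explicit error in the logs instead of a user quietly landing with no groups.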