Is there anyway to create a user in Harbor when OIDC mode is on?

[zcnzcnzcn]

Hi there,

I read thru the doc and I'm aware that no manual adding users will be allowed once OIDC mode is on in Harbor. But I'm wondering if there's still a way to achieve that (create the user in Harbor before it is onboarded by login with OIDC provider the first time)

Thanks!

[wy65701436]

Right, there is no way to do it. Can you give more details about why you have to add the user manually rather than auto onboarded?

[zcnzcnzcn]

I wanted to assign memberships before the users exists in the system. Like assign a user/group with project admin to some of the projects, and the user/group will get the related permissions the first time they get onboarded.

[Vad1mo]

What you describe is the perfect use case for OIDC. you can oboard users in harbor that have already permission to certain projects.

THe best way to do this is creating a group and assign that group to a project. OIDC user can be added to groups on OIDC side, this way you can assign new users automatically to a project.

[juliohm1978]

I think the issue runs deeper than saying "just add users in your OIDC provider".

Ideally, I think it would be better to have some way to keep administrative users manually added. If the OIDC provider is offline, then absolutely NO ONE can authenticate. And, in some cases, that could be critical to solving problems while recovering from broad failures and catastrophes.

I have to agree, that's an edge case, but still a valid concern.

[Vad1mo]

The admin user is the only local user who is always able to login (with or without working oidc). There could be more functionality like a mix of local and remote, but the chosen path in Harbor represents aligned with other software solutions. It covers the most uses cases such as the one described by @zcnzcnzcn

[till]

I found this via google (originally I commented on #16647). I can use all APIs with the admin user, but I cannot use all APIs (without another token dance) with users that were setup via OIDC. So adding the capabilities to directly add accounts would be appreciated.

[Vad1mo]

What we do is, we create groups in harbor and assign the user to that groups in our IDP, so when the user logins the first time he is automatically in the right groups. You can test it in our env c8n.io

However, I have seen some examples in the past how people onboard users with OIDC, but I can't find any issues/discussions describing the flow.

[till]

Not sure I follow. I think this is not about group membership, but let me know if it is.

For completeness (or to explain what we are doing): The user account I am testing with is in our IDP (which is very limited, e.g. not fully OIDC compliant).

I can login with the account (from our IDP) via the Harbor UI. I can also use basic auth (with username and CLI secret). Once authenticated I can create a new project and also query /projects (to confirm it exists).

I haven't figured out all the calls which are broken but so far I found the following API routes (these are the calls I need):

• /users/current
• /projects/ID
• /projects/ID/robots

I am assuming the culprit is described in #16647. Instead of using the CLI secret (and basic authentication), I should use a bearer token for authentication (via our IDP) to make the call. So this is described in that ticket and seems to be a bug.

Anyway, long story short — all the calls I mentioned above work fine (with basic auth) with the Harbor admin account, which is a local user. Therefor I would prefer to add another account to the database and deal with this later.

[thw0rted]

I know this is a super old thread but I think I have a use case that @Vad1mo / @wy65701436 might find interesting.

We are managing access to our Harbor instance using an in-house coordination tool that also integrates with a number of other products. (Our Harbor uses OIDC for login.) The tool uses the Harbor API to grant permissions to projects, for users who may not have logged in yet. We create a usergroup and assign project permissions to it, and on the SSO provider side (Keycloak) we set up group membership for the user.

Here's our "user creation" issue. We have to make the Harbor API calls using admin powers, because our tool can create usergroups and assign permissions to any project. But we want the tool to authenticate using an individual (attributable) service account, not the shared root-user admin / recovery username and password. We created a Keycloak client which can pull an OIDC access token, then send that in a Bearer header. This works, but first we need Harbor to know about the client. So, we have to assign a username and password to the client, and set up our OIDC login flow in Keycloak to allow user/pass auth -- we can browse to Harbor, log in with the KC client's user+pass, go through the initial user onboarding process (selecting a Harbor username), and now we have a Harbor User record for that KC client. At this point an existing Harbor admin can go to the User list and enable Admin permissions for it. Afterwards, we can remove the user+pass from the client and disable user+pass login for our OIDC flow -- the User has been created and associated with the OIDC userinfo record (subject etc), so when it provides a Bearer token on subsequent calls, Harbor knows who it's talking to, and that the "User" (client) has admin powers.

It would be much easier if we could visit some API endpoint, presenting a Bearer token for the KC client, and have a Harbor User record created. Afterwards an existing Admin could visit the User list in Harbor and enable Admin permissions for the client.

Related issues: #16794 , #16047, #13610