Is team membership case sensitive?


#1

My username in my OIDC provider is "MattS@domain.com", but when I add that user to the main team, it is returned lowercase. In this example, concourse is an existing local user.

$ fly -t concourse-helm set-team -n main --oidc-user MattS@domain.com --local-user concourse
Team Name: main

Users:
- oidc:matts@domain.com  <==== note lower case
- local:concourse

Groups:
- none

apply configuration? [yN]:

Great, but when I log into the UI as “MattS”, the UI does not report that I am a member of any team, and I cannot see a pipeline created by the “concourse” local user.


#2

hello,

I hope that if you on the other hand log into the Concourse web UI with lowercase matts, then you can see pipelines.

In any case, it looks like a bug to me. Could you please open a ticket on github ? (disclaimer: I am just an happy user, not a member of the Concourse team).


#3

The uppercase letters in my OIDC user name are fixed by my auth provider and can’t be changed, so I can’t choose to log into the UI as “matts” (lowercase). If I find solid repro steps I’ll open a bug, but I can’t imagine this hasn’t been discovered and solved already if it’s really a thing…


#4

This isn’t the problem after all. The problem seems to be that the OIDC username claim requested by Concourse doesn’t map to an appropriate field in the claim returned by Okta. Based on this issue, it looks like this is also a problem with Azure AD, UAA, and possibly other auth providers.

Since the username captured by the OIDC auth process is empty, I don’t actually get added to the team on the set-team command.


#5

Well, that’s not correct either. Apparently Concourse uses the sub claim returned from the OIDC provider which can be used to assign a user to a Concourse team, but it’s not easy or obvious to get the sub value.