Use of authentication.oidc.groups_claim ? RBAC rules based on external group membership?

tpanza · July 1, 2025, 1:59am

Description

Running a self-hosted Weaviate on an on-prem k8s cluster in a corporate environment. I am trying to understand options for configuring RBAC in Weaviate.

I currently have authentication via OIDC working, using my company’s PingFederate IdP. Part of the JWT provided by the IdP is a field called memberOf. This is a list of all of the Active Directory groups that the authenticated person is a member of.

In my Helm values.yaml file, I set the authentication.oidc.groups_claim to memberOf.

Is there a way for Weaviate to use these “external” group memberships to build RBAC roles / permissions? I see in the docs and tutorial information on what is essentially internally managed groups.

But is there a way to use externally-supplied group membership of the authenticated OIDC user in some way?

If not, what is the purpose of authentication.oidc.groups_claim in the Helm chart? I have not seen much, if any, documentation on the purpose and usage of this field.

Just trying to understand options.

Server Setup Information

Weaviate Server Version: 1.31.4
Deployment Method: k8s
Multi Node? Number of Running Nodes: 1
Client Language and Version: Python 3.12.4, weaviate-client==4.15.0
Multitenancy?: no

Any additional Information

Self-hosted / BYOC / on-prem RKE2 kubernetes cluster

DudaNogueira · July 1, 2025, 6:46pm

hi @tpanza !!

Welcome to our community

AFAIK, you need to set authentication.oidc.groups_claim according to your JWT and then create those roles with the same name in Weaviate.

Let me know if this works out for you!

THanks!

tpanza · July 2, 2025, 1:41am

thanks @DudaNogueira . I’ll try it, but a worked example would be very helpful. I’m a little unclear on what “create roles with same name in Weaviate” entails.

Dirk · July 2, 2025, 6:24am

Hello @tpanza,

support for groups is there, but it is a bit hidden right now because it is not finished.

You can do:

set the groups_claim as you mentioned above
create the roles you need
assign and revoke these roles to your groups via REST calls. You can check the json-schema for the syntax: weaviate/openapi-specs/schema.json at e897bed9e0a363615e6861f9cc2647fa843ce731 · weaviate/weaviate · GitHub - THIS MIGHT CHANGE AND BREAK! USE AT YOUR OWN RISK!
Currently only the root user can do the group assignments

tpanza · July 2, 2025, 6:37am

Thanks @Dirk ! Would you know an approximate schedule for groups being finished?

Dirk · July 2, 2025, 7:43am

Probably during the 1.33 cycle but I cannot promise it

Topic		Replies	Views
Add admin user into authorized list without restart Support	5	171	June 21, 2024
Meta endpoint! Unexpected status code: 401, with response body: {'code': 401, 'message': 'anonymous access not enabled, please provide an auth scheme such as OIDC'} Support	6	438	March 15, 2025
AUTHENTICATION_APIKEY_ENABLED: 'true' throwing oidc auth not configured error General	8	858	May 10, 2024
Multi- teams project and permission within weaviate Support	1	81	June 27, 2024
OIDC configuration - Weaviate Support	5	443	April 29, 2024

Use of authentication.oidc.groups_claim ? RBAC rules based on external group membership?

Description

Server Setup Information

Any additional Information

Related topics