-
Notifications
You must be signed in to change notification settings - Fork 284
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
discuss: change policy to support unique entity id's only #573
Comments
I think a reasonable solution is to add both Group ID and a user-friendly name to the group membership mapping. Though there would be a bit more data duplication, and it puts the onus of using an appropriate identifier on the operator, I think this is probably the best of both worlds. |
Right now with Github, none of
I understand that |
Hmm, if my Google groups are postfixed with the domain why can't Pomerium do the same for Github? Also the id seems to be shifted from a unique var to a fixed name for Github, also tried authenticating through the team id. Current google implementation example:
Current Github implementation example:
The samples above are taken from the Expected Github example:
|
Is your feature request related to a problem? Please describe.
Pomerium currently supports writing declarative authorization policy using
allowed_users
,allowed_groups
, andAllowedDomains
.OIDC has very few "standardized" claims.
Some providers return all the data pomerium would want as part of the returned ID TOKEN however, that's the exception to the rule. For identity providers that do not provide fields like email, and group details, the authenticate service makes follow API calls to the identity provider to fully 'hydrate" pomerium user session.
Unfortunately, currently this means
allowed_users
orallowed_groups
means different things to pomerium's policy depending on what identity provider you are using.For groups, this means:
[email protected]
) which is unique, but not immutableFor users:
This has caused confusion and possibly unintended security issues in the past when identity providers like GitLab used
name
to map group entities to policy.This is complicated even further when some providers like Azure AD are not guaranteed to return a user's email at all. #520
Describe the solution you'd like
Policies should be written using entities unique id only (typically
sub
for user, andid
for groups as part of the follow up group api call).PRO
CON
Describe alternatives you've considered
Keep things as is they are.
Explain any additional use-cases
Additional context
The text was updated successfully, but these errors were encountered: