作者:每天吃的饱饱的 | 来源:互联网 | 2023-09-13 09:56
It would be nice to put a groups claim into the users identity. The most obvious place to start would be letting someone who is using an LDAP server with an RFC2307(bis) schema to be able to take their posixGroups list and put it into a claim as a JSON list.
cc
该提问来源于开源项目:dexidp/dex
- The number of groups a user belongs to for some organizations is huge. In this case the token size increases making it had to transport and store(Ex as a COOKIE in the browser). Filtering can be a solution here. But again it restricts how groups can be used by authz/policy.(And also how will the token be updated when the filter is changed?)
This has been brought up a few times internally. While a really big token is ugly, users should be working with these programmatically.
For transports that are sensitive to things this size, if the JWT holds information you don't need don't use it in those contexts. e.g. for a COOKIE, verify the JWT from dex, pull out the relevant groups and sign a smaller JWT yourself (or do caching, or store it, etc.).
If we don't expect global filters to be enough, perhaps we could add scopes to allow the client to filter groups as well?
- When group memberships change for a user in LDAP. How will they propagate to a token.
a. Will they be updated when a refresh token is used ?
b. Will the user have to login again and get a new token ?
Good point, the groups should update when a refresh token is redeemed. This would probably only work with an LDAP connector that's using a service account.
京公网安备 11010802041100号