New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Obtaining Azure Groups when there are too many to put in JWT #1195
Comments
I think OPA is quite limited in that regard. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Azure can only return a certain amount of groups in the JWT.
When there are too many groups to return, Azure returns the
hasGroups=true
attribute. I don't know what the exact threshold is, but this is by design to avoid going over the URL length limit in the browser. According to the comment I've linked, the group limit is 4, which seems awfully low. If that's true, this issue will occur is very many companies if they want to use Azure to manage security groups when interfacing with Tweek.It would be nice if Tweek supported this in order to obtain group information to so that users can use Azure security groups to manage application level access.
Azure has a Graph API that you can use to inquire about full group membership, or about membership to a particular group.
I'm imagining something like the following would occur if
hasGroups: true
is returned from Azure instead of group information.The graph API has the following formats
Get all groups a user belongs to:
GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
Inquire whether the user belongs to a specific group:
POST https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version
I imagine this behavior could be optional, to only occur if a value for the graph API is set in the
gateway-configmap.yaml
, and ifhasGroups
is true, and nogroups
array is returned.Is this something Tweek can/should support? Or, is this something that should be done on the user's end in the OPA defined JWT extraction policy?
The text was updated successfully, but these errors were encountered: