
Obtaining Azure Groups when there are too many to put in JWT #1195

Open
lucas-rudd opened this issue Jan 30, 2020 · 1 comment

Comments

@lucas-rudd

Azure can only return a certain amount of groups in the JWT.

When there are too many groups to return, Azure returns the hasGroups=true attribute. I don't know what the exact threshold is, but this is by design to avoid going over the URL length limit in the browser. According to the comment I've linked, the group limit is 4, which seems awfully low. If that's true, this issue will occur in very many companies if they want to use Azure to manage security groups when interfacing with Tweek.

It would be nice if Tweek supported this in order to obtain group information, so that users can use Azure security groups to manage application-level access.

Azure has a Graph API that you can use to inquire about full group membership, or about membership to a particular group.

I'm imagining something like the following would occur if hasGroups: true is returned from Azure instead of group information.

```go
if claims.HasGroups {
	// too many groups to fit in the token: ask the Graph API for membership
	groups = graphClient.MemberOf(claims.OID)
} else {
	// groups are present directly in the token
	groups = claims.Groups
}
```

The Graph API has the following formats:

Get all groups a user belongs to:
GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

Inquire whether the user belongs to a specific group:
POST https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version

I imagine this behavior could be optional, to only occur if a value for the graph API is set in the gateway-configmap.yaml, and if hasGroups is true, and no groups array is returned.

Is this something Tweek can/should support? Or, is this something that should be done on the user's end in the OPA defined JWT extraction policy?
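As an added example (not code from the Tweek project or from this issue's author), here is the fallback described above in Go, the language of Tweek's gateway. It assumes the claim names from the issue text (groups, hasGroups), an assumed response shape for memberOf (a value array of objects with objectType and objectId, plus an optional odata.nextLink), an assumed api-version value, and an in-process stub standing in for graph.windows.net with constructed data. The resolver only consults Graph when the token signals overage and carries no groups claim, drops directory roles that memberOf returns alongside groups, bounds paging, and returns an error on any Graph failure so the caller can fail closed instead of treating the user as group-less. The Graph bearer token is passed separately because the application's own ID token is not in general an access token for Graph.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const apiVersion = "1.6" // assumed value; the issue leaves it unspecified
const maxPages = 10      // bound the paged fallback so a huge or looping response cannot stall the gateway

// Claims is the subset of an already signature-validated token used here
// (claim names follow the issue text and are assumptions).
type Claims struct {
	OID       string   `json:"oid"`
	Groups    []string `json:"groups,omitempty"`
	HasGroups bool     `json:"hasGroups,omitempty"`
}

// graphObject and graphPage are the assumed memberOf response shapes.
// memberOf also returns directory roles, so objectType must be checked.
type graphObject struct {
	ObjectType string `json:"objectType"`
	ObjectID   string `json:"objectId"`
}
type graphPage struct {
	Value    []graphObject `json:"value"`
	NextLink string        `json:"odata.nextLink,omitempty"`
}

// ResolveGroups returns group IDs from the token when present and falls back to
// the Graph API only on overage. Any Graph failure is returned as an error.
func ResolveGroups(c Claims, graphBase, graphBearer string, client *http.Client) ([]string, error) {
	if len(c.Groups) > 0 || !c.HasGroups {
		return c.Groups, nil
	}
	if c.OID == "" {
		return nil, errors.New("token carries no oid; refusing Graph lookup")
	}
	next := fmt.Sprintf("%s/myorganization/users/%s/memberOf?api-version=%s", graphBase, c.OID, apiVersion)
	var groups []string
	for page := 0; next != "" && page < maxPages; page++ {
		req, err := http.NewRequest(http.MethodGet, next, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+graphBearer)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("graph returned HTTP %d", resp.StatusCode)
		}
		var p graphPage
		err = json.NewDecoder(resp.Body).Decode(&p)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for _, o := range p.Value {
			if o.ObjectType == "Group" { // drop directory roles and other object types
				groups = append(groups, o.ObjectID)
			}
		}
		next = p.NextLink // assumed absolute here; the real service may return a relative link
	}
	return groups, nil
}

// newFakeGraph is a constructed in-process stub of the memberOf endpoint: two pages
// for userID, a 401 for any other bearer token.
func newFakeGraph(userID, expectBearer string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+expectBearer {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !strings.HasSuffix(r.URL.Path, "/users/"+userID+"/memberOf") {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Query().Get("$skiptoken") == "" {
			json.NewEncoder(w).Encode(graphPage{
				Value:    []graphObject{{ObjectType: "Group", ObjectID: "g-finance"}, {ObjectType: "Role", ObjectID: "r-global-admin"}},
				NextLink: srv.URL + "/myorganization/users/" + userID + "/memberOf?$skiptoken=p2&api-version=" + apiVersion,
			})
			return
		}
		json.NewEncoder(w).Encode(graphPage{Value: []graphObject{{ObjectType: "Group", ObjectID: "g-eng"}}})
	}))
	return srv
}

// demo runs the three cases the issue implies: groups in the token, overage resolved
// through Graph, and a Graph failure that must not be mistaken for "no groups".
func demo() (fromToken, fromGraph []string, graphErr error) {
	srv := newFakeGraph("user-123", "graph-token-ok")
	defer srv.Close()
	fromToken, _ = ResolveGroups(Claims{OID: "user-123", Groups: []string{"g-a"}}, srv.URL, "graph-token-ok", srv.Client())
	fromGraph, _ = ResolveGroups(Claims{OID: "user-123", HasGroups: true}, srv.URL, "graph-token-ok", srv.Client())
	_, graphErr = ResolveGroups(Claims{OID: "user-123", HasGroups: true}, srv.URL, "graph-token-bad", srv.Client())
	return
}

func main() {
	fromToken, fromGraph, graphErr := demo()
	fmt.Println("from token:", fromToken, "from graph:", fromGraph, "graph error:", graphErr)
}
```

Running it prints the token-supplied group for the first case, the two groups (minus the directory role) gathered across both stub pages for the overage case, and a non-nil error for the rejected Graph token. In a gateway the error branch should deny the request, since returning an empty list would silently grant whatever access "no groups" maps to in the OPA policy.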

@Yshayy
Contributor

Yshayy commented Feb 24, 2020

I think OPA is quite limited in that regard.
In general, I think this can be solved by implementing a server-flow authentication instead of the implicit flow, which will make it work with more auth providers. Adding support for the server flow to Tweek can be useful (it should probably be implemented in the gateway layer).
For completeness, we also need #1066 to be able to consume all groups.
