
Feature Request: Add access_token as an Optional Parameter to /auth/jwt/login for Group Fetching #264

Open
imre-kerr-sb1 opened this issue Nov 22, 2023 · 1 comment

Comments

@imre-kerr-sb1

Description

I propose adding an access_token as an optional parameter to the /auth/jwt/login endpoint repository. This feature aims to enable Vault to use the provided access token to fetch a user's groups from Azure AD, specifically in cases where users are members of more than 200 groups.

Context

Currently, when using the JWT login method with Azure AD, users who are part of a large number of groups encounter limitations. The JWT login method supports only the ID token parameter and lacks the functionality to fetch groups using its own client ID and secret. This limitation becomes evident in scenarios where users are members of more than 200 groups, as the ID token includes claims indicating the groups are available via a separate endpoint.

Proposed Solution

  • Introduce an optional access_token parameter in the /auth/jwt/login endpoint.
  • This access token would be used by Vault to retrieve the user's group membership information from Azure AD.

Security Considerations

  • The implementation will ensure secure handling and storage of the access token to prevent unintended exposure.
  • The feature will be designed to align with OAuth 2.0 and OpenID Connect best practices and standards.

Contribution

I am willing to contribute to the coding and implementation of this feature. Before starting, I am seeking feedback on the security implications and the overall feasibility of this approach from the community and maintainers.

Request for Feedback

I would greatly appreciate any insights, concerns, or suggestions regarding this proposed feature, especially concerning security implications and best practices in the context of Vault and OAuth 2.0/OIDC standards.

@leonfibal

Hello,

This is a serious blocker for us. Are there any plans for implementing this?

I am adding a link to the line where the problem begins:

    // The last argument is the tokenSource; it is nil on the JWT login path.
    alias, groupAliases, err := b.createIdentity(ctx, allClaims, roleName, role, nil)
    if err != nil {
        return logical.ErrorResponse(err.Error()), nil
    }

tokenSource is nil, and the result of the login attempt is:

* failed to fetch groups: "groups" claim not found in token: token unavailable to call Microsoft Graph API
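The situation both posts describe (an ID token without a "groups" claim because the user is in more than 200 groups) is visible in the token itself before any Graph call is attempted: Azure AD replaces the list with a `_claim_names` entry pointing at a `_claim_sources` endpoint. The following Go snippet is an added example, not code from this issue or from Vault's jwt plugin, showing how a login handler can tell the three cases apart (groups present, groups overflowed to an external source, groups genuinely absent) so that the "token unavailable to call Microsoft Graph API" failure is reported with its actual cause. The claim names are the real Azure AD overage claims; the function names and the embedded sample claim sets are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// groupsResult describes what a login handler can learn about group
// membership from the (already signature-verified) ID token claims alone.
type groupsResult struct {
	Groups   []string // groups listed directly in the token
	Overage  bool     // token says groups must be fetched from a separate endpoint
	Endpoint string   // endpoint named in _claim_sources, if present
}

// resolveGroupsClaim inspects validated claims and reports whether the
// groups are inline, overflowed to an external source, or missing entirely.
// It never performs a network call; fetching the groups would be the
// caller's job and requires an access token, which is the point of the issue.
func resolveGroupsClaim(claims map[string]interface{}) (groupsResult, error) {
	var res groupsResult

	// Case 1: groups delivered inline in the token.
	if raw, ok := claims["groups"]; ok {
		list, ok := raw.([]interface{})
		if !ok {
			return res, errors.New(`"groups" claim is not an array`)
		}
		for _, g := range list {
			s, ok := g.(string)
			if !ok {
				return res, errors.New(`"groups" claim contains a non-string entry`)
			}
			res.Groups = append(res.Groups, s)
		}
		return res, nil
	}

	// Case 2: Azure AD group overage. _claim_names maps "groups" to a source
	// key, and _claim_sources maps that key to the endpoint holding the list.
	names, _ := claims["_claim_names"].(map[string]interface{})
	srcKey, ok := names["groups"].(string)
	if !ok {
		// Case 3: no groups and no overage indicator; this is a configuration
		// problem (groups claim not enabled), not a size problem.
		return res, errors.New(`"groups" claim not found in token and no overage indicator present`)
	}
	res.Overage = true
	sources, _ := claims["_claim_sources"].(map[string]interface{})
	if src, ok := sources[srcKey].(map[string]interface{}); ok {
		res.Endpoint, _ = src["endpoint"].(string)
	}
	return res, nil
}

// parseClaimsJSON turns a JSON payload into the claim map a JWT library
// would hand back after signature verification.
func parseClaimsJSON(s string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(s), &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Constructed sample payloads (not real tokens): one with inline groups, one
// in the overage form Azure AD emits for users in more than 200 groups.
const sampleDirectClaims = `{"sub":"user-1","groups":["group-a","group-b"]}`

const sampleOverageClaims = `{"sub":"user-2",
  "_claim_names":{"groups":"src1"},
  "_claim_sources":{"src1":{"endpoint":"https://graph.example.invalid/users/user-2/getMemberObjects"}}}`

func main() {
	for _, payload := range []string{sampleDirectClaims, sampleOverageClaims, `{"sub":"user-3"}`} {
		claims, err := parseClaimsJSON(payload)
		if err != nil {
			fmt.Println("bad payload:", err)
			continue
		}
		res, err := resolveGroupsClaim(claims)
		switch {
		case err != nil:
			fmt.Println("error:", err)
		case res.Overage:
			fmt.Println("overage: groups must be fetched from", res.Endpoint, "(access token required)")
		default:
			fmt.Println("inline groups:", res.Groups)
		}
	}
}
```

With this distinction in place, a login handler can reject the overage case with a message that names the missing access token rather than the generic "groups claim not found", and can treat the no-indicator case as a misconfigured app registration.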
