Let's utilize group filtering in dex connector config by default for customers #2272

Closed
mogottsch opened this issue Apr 5, 2023 · 2 comments
Assignees
Labels
needs/refinement Needs refinement in order to be actionable team/bigmac Team BigMac

Comments

@mogottsch

Two problems:

  1. Headers of requests that go through nginx-ingress are too large, because the Bearer tokens contain too many group memberships
  2. Azure AD replaces the groups in the tokens with a description of how to get them, when there are too many groups. Dex is (probably) not compatible with this.

Several connectors have specific ways to limit the group memberships list.

Another benefit of group filtering is that if the user is not part of the configured groups, dex won't issue a token at all.

The group names configured in rbac-operator should be present in the connector config. dex-operator can help to achieve this.

Todos

  • Add documentation in the public docs on OIDC and in the docs on how to create a management cluster and give a recommendation on how to set up the connector config.
  • Talk to Teddyfriends about this
@mogottsch
Author

Creating documentation on how to create a dex/dex-operator configuration is a duplicate of #1518.

@mogottsch mogottsch self-assigned this Sep 13, 2023
@architectbot architectbot added the team/bigmac Team BigMac label Sep 13, 2023
@mogottsch
Author

Because in the future the setup of the dex connector config will be done by dex-operator, we will only add group filtering to the example in the docs and then close this.
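
An added example, not part of the issue or the project's docs: a Dex `microsoft` connector without and with the group filtering proposed above. `groups` and `useGroupsAsWhitelist` are options of the microsoft connector only (other connectors use different options); all IDs, URLs and group names are constructed placeholders.

```yaml
# Added example, not the project's own config.
# Every ID, URL and group name here is a constructed placeholder.

# Before: no group filter. Every group the user belongs to lands in the
# groups claim, which is what inflates the Bearer token and the request
# headers passing through nginx-ingress.
connectors:
  - type: microsoft
    id: customer-ad
    name: Customer AD
    config:
      clientID: <application-id>
      clientSecret: <client-secret>
      tenant: <tenant-id>
      redirectURI: https://dex.example.invalid/callback
---
# After: group filtering enabled.
connectors:
  - type: microsoft
    id: customer-ad
    name: Customer AD
    config:
      clientID: <application-id>
      clientSecret: <client-secret>
      tenant: <tenant-id>
      redirectURI: https://dex.example.invalid/callback
      # The user must be a member of at least one listed group,
      # otherwise authentication fails and no token is issued.
      # List the same group names that rbac-operator is configured with.
      groups:
        - customer-admins       # placeholder
        - customer-developers   # placeholder
      # Put only the listed groups into the groups claim instead of
      # every group the user is a member of.
      useGroupsAsWhitelist: true
```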
