Proposal
We have an internal OIDC provider that is able to send all groups of a user as a parameter in UserInfo. Vouch-Proxy should be able to check if the user is a member of a specific group and allow or deny access based on membership.
New fields added to configuration
TeamWhiteListClaim in oauthConfig. This is the parameter of UserInfo that contains an array of strings.
New behavior
If TeamWhiteList and TeamWhiteListClaim are set and the configured provider is oidc, vouch-proxy adds all intersecting teams to the users TeamMemberships attribute. It then uses the existing TeamMemberships logic to allow or deny access.
Use Case
I want to allow access to my service based on group membership instead of configuring individual users in my vouch-proxy config file.
I can't modify the application and still prefer to use Nginx as a webserver. I could implement it using NJS, but I don't want to add more complexity to the Nginx configuration.
Additional context
I implemented this feature based on the GitHub TeamWhiteList feature here: https://github.com/vouch/vouch-proxy/compare/master...maederm:vouch-proxy:oidc-teamwhitelist-support?expand=1
I'd open a pull request if this proposal gets accepted and I can also add tests if needed.
Limitations
- Scope that contains the claim referred in
TeamWhiteListClaim needs to be added to scopes key. This will likely increase the size of the JWT and headers.
- This proposal only enhances the oidc provider. It doesn't implement a generic RBAC feature.
- I used the
Team terminology to share the names with the GitHub feature and not having to re-implement team matching logic.
- The OIDC provider must deliver the Claim in the expected format (array of strings)
Related issues
#419 (oidc feature only), #175 (Generic RBAC feature)
Proposal
We have an internal OIDC provider that is able to send all groups of a user as a parameter in UserInfo. Vouch-Proxy should be able to check if the user is a member of a specific group and allow or deny access based on membership.
New fields added to configuration
TeamWhiteListClaimin oauthConfig. This is the parameter of UserInfo that contains an array of strings.New behavior
If
TeamWhiteListandTeamWhiteListClaimare set and the configured provider isoidc, vouch-proxy adds all intersecting teams to the usersTeamMembershipsattribute. It then uses the existingTeamMembershipslogic to allow or deny access.Use Case
I want to allow access to my service based on group membership instead of configuring individual users in my vouch-proxy config file.
I can't modify the application and still prefer to use Nginx as a webserver. I could implement it using NJS, but I don't want to add more complexity to the Nginx configuration.
Additional context
I implemented this feature based on the GitHub
TeamWhiteListfeature here: https://github.com/vouch/vouch-proxy/compare/master...maederm:vouch-proxy:oidc-teamwhitelist-support?expand=1I'd open a pull request if this proposal gets accepted and I can also add tests if needed.
Limitations
TeamWhiteListClaimneeds to be added toscopeskey. This will likely increase the size of the JWT and headers.Teamterminology to share the names with the GitHub feature and not having to re-implement team matching logic.Related issues
#419 (oidc feature only), #175 (Generic RBAC feature)