Support for an arbitrary set of claims (including user defined claims) #1182
Comments
|
I would be happy if we can support at least the OpenID Standard claims 5.1 Standard Claims |
|
For what it's worth (though, full-disclosure: I also work @DecipherNow) I also need this before we can use Dex to front identity providers that specify (potentially complex) user security attributes in custom claims. I would also be happy to help contribute the necessary improvements with @cstrahan, if we could be reasonably certain of general interest. |
Well there's 10 👍 on this issue now. 🤷♂️ 😃 I'm desiring to use Dex for a Hasura authentication backend, but the issue is that Hasura expects certain specific claims that Dex will not provide. I need to be able to take the claims that Dex can derive such as username and groups and transform them into the Hasura accepted claims. For example I need to go from this: {
"iss": "http://123.456.789.100:5556/",
"sub": "Caieoruqopier",
"aud": "testapp",
"exp": 1593188378,
"iat": 1593101978,
"nonce": "qpoireioquweiorpq",
"at_hash": "t-asdfjalskdfjl",
"email": "[email protected]",
"email_verified": true,
"groups": [
"admin",
"staff"
],
"name": "Dude"
}And I need to convert it to: {
"iss": "http://123.456.789.100:5556/",
"sub": "Caieoruqopier",
"aud": "testapp",
"exp": 1593188378,
"iat": 1593101978,
"nonce": "qpoireioquweiorpq",
"at_hash": "t-asdfjalskdfjl",
"email": "[email protected]",
"email_verified": true,
"groups": [
"admin",
"staff"
],
"name": "Dude",
"https://hasura.io/jwt/claims": {
"x-hasura-allowed-roles": ["admin", "staff"],
"x-hasura-default-role": "admin",
"x-hasura-user-id": "[email protected]"
}
}I would need some way to create fill out these custom claims, though. I'm thinking something like this in the config YAML: - type: github
# Provider options...
# Custom claims could be used on any provider type
customClaims:
https://hasura.io/jwt/claims:
# Use go template language for values and the existing claims as inputs
# to the template.
x-hasura-allowed-roles: {{ groups }}
x-hasura-default-role: {{ index groups 1 }}
x-hasura-user-id: {{ email }} |
|
Update: Just found this PR ( hasura/graphql-engine#3575 ) in Hasura which makes this unnecessary for my particular use-case, I think, but I still think that custom claims would be a great feature. |
|
Now that I think about it, I could still use a way to get more information about the user from certain backends like LDAP. For example, I want to know the users username ( in LDAP it's the I think different connectors would need different connector-specific ways of adding custom claims that are based on the connector data ( such as LDAP ), but all connectors could support static/templated custom claims like the YAML example above. |
|
At the simplest level, custom claims could configured explicitly:
and stored either in YAML or in a SQL/etcd backend (with API maintenance). That would cover my use cases, as long as custom claims includes being able to add custom groups. It looks like there are two further suggestions:
I think those would be done most flexibly by spawning a child process which takes JSON on stdin and returns updated or additional claims on stdout. Then it can be written in whatever language you like, and use whatever data sources you like. |
|
What is the status of this issue? I would need this feature as minIO needs custom claim "policy" (possible values: "writeonly", "readonly", "readwrite"). |
FWIW - You can configure custom claims @KairaMiu
|
|
Not all IDPs let you choose the names of your groups though. For example, using Azure AD as your IDP, I believe all the groups are UUIDs. Maybe you can rename your STS policies with those UIUD names, but it's not ideal. In general, I see a tension between IDPs and applications:
I see Dex in the middle as a way to resolve this, if it can add extra claims for specific users and/or specific groups - perhaps scoped to individual consuming applications, so that other apps don't see irrelevant or conflicting claims. |
|
I think Dex could probably help with this, #1635 could possibly provide an opportunity to alter claims, but I'm also concerned this is an infinitely deep rabbit hole we might not want to go down to. I wouldn't want to clutter Dex with application specific logic. As long as we can keep the core clean and provide extension points, I'm all in. |
|
I think that makes sense, although I'd also like to see either
This is to avoid having static users/passwords in one place managed by one API, while the claims and group memberships are stored in a different place managed by a different API. |
|
I have another concrete example of where custom claims could be used. PostgREST, a REST front-end to Postgres, uses JWT claims to perform authorization. Specifically, it requires: to switch to a particular postgres role for this user. (The code inside the database can also look at additional claims such as "email" if required, but "role" is mandatory to start this process) Therefore, it would be extremely useful if I could attach this claim to specific users and/or groups. This also makes something clear to me: adding such custom claims should be specific to the Dex client (audience). It's pointless adding a PostgREST "role" claim for tokens destined to a different audience; and in the worst case, two different apps may use the "role" claim for different purposes. Hence I think custom claims should be attached to To be most useful, I believe these custom claims should be in Dex's own data store (i.e. etcd, sqlite or whatever). These could then be managed via the gRPC interface. Whilst the LDAP backend could also be extended for custom claims, I consider the LDAP backend to be a "connector" like the Github or Google connectors: a remote source of truth, which you may not want to meddle with (e.g. a corporate Active Directory where you are not allowed to alter the schema). [^1] Or more generally: [^2] There needs to be some rule for what happens if there are conflicts, e.g. a user is member of two different groups which have different values for the same claim. Maybe there should be a priority value attached to the row, and highest priority wins. It's possible also that someone might want to assemble a multi-valued list claim as a list. The most likely use case I can see for that is updating or replacing the "group" claim itself - e.g. if a user is a member of group "some-long-uid" from Azure Active Directory, then make them a member of group "admins" for a particular client application. |
|
FYI, the proposed middleware implementation in PR #1841 extends the connector.Identity object with |
|
Azure AD can emit a |
Dex currently has support for some particular set of claims, and that choice is reflected in various rigid data structures and e.g. the queries that make up the persistence backends (see
storage/sql/crud.gofor example). Each time a new claim is to be supported by Dex, the Dex maintainers must touch many files and many data structures. This is tedious work that could be obviated by a design change where an arbitrary set of claims can be plumbed through the system, and the storage backends would be changed such that they have no prior, hard coded knowledge about some set of predefined claims. There are a number of issues that are currently open proposing changes to the supported claims, and each would be easier to implement under this proposed design change:In addition to easing the development burden for the Dex maintainers, this would have the added benefit of making it trivial to allow third party connector developers to specify additional claims of their own choosing.
This is something I could contribute, if this would be a welcome change.
The text was updated successfully, but these errors were encountered: