Closed ijansky closed 2 years ago
Tested with Keycloak and Azure AD (6 groups) and groups were loaded from the groups claim in both cases.
@alesstimec please see the latest commit which adds an IDP specific groups claim handler to OpenID Connect, with Azure and ADFS IDPs using the Microsoft Graph API.
Description
The OpenID Connect connector currently does not implement the `GetGroups` method. Since OIDC is used by ADFS, Azure, Google, and Keycloak IDPs, these IDPs currently do not support group based access. This PR attempts to address this. Addresses CSS-1618
Test instructions
Set up an ADFS/Azure/Google/Keycloak IDP with user groups and verify that group membership defined in the IDP is correctly propagated to and handled by Candid.
Notes for code reviewers
It may be necessary to handle a case when the IDP sends a response with a URL to fetch groups in another call, instead of a list of all groups. See the Groups overage claim section for details.
It also needs to be determined whether the "register" flow needs to be altered to support groups.
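As an added illustration of the reviewer note above (this is example code, not Candid's own `GetGroups` implementation from the PR), the following Go snippet reads group membership from an OIDC claims payload and distinguishes the three shapes a connector has to handle: an inline `groups` claim, no groups claim at all, and the Azure AD groups overage form, where the IDP omits `groups` and instead sends `_claim_names` and `_claim_sources` pointing at an endpoint to query. The sample claim payloads and the `https://graph.example/...` endpoint are constructed for the example; the code only detects the overage case and surfaces the endpoint, it does not call Microsoft Graph.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// claimSource is one entry of the "_claim_sources" object in an overage response.
type claimSource struct {
	Endpoint string `json:"endpoint"`
}

// Claims is the subset of an ID token / userinfo payload relevant to groups.
// Groups is a pointer-free slice on purpose: json.Unmarshal leaves it nil when
// the claim is absent and non-nil (possibly empty) when it is present.
type Claims struct {
	Groups       []string               `json:"groups"`
	ClaimNames   map[string]string      `json:"_claim_names"`
	ClaimSources map[string]claimSource `json:"_claim_sources"`
}

// ErrGroupsOverage signals that the IDP did not inline the groups and the
// caller must fetch membership from the returned endpoint in a second call.
var ErrGroupsOverage = errors.New("groups overage: membership must be fetched from the claim source endpoint")

// Constructed sample payloads (not captured from a real IDP).
const InlineClaims = `{"sub":"u1","groups":["admins","dev"]}`
const OverageClaims = `{"sub":"u2","_claim_names":{"groups":"src1"},` +
	`"_claim_sources":{"src1":{"endpoint":"https://graph.example/users/u2/getMemberObjects"}}}`

// GroupsFromClaims returns the inline group list when present. If the payload
// carries an overage claim instead, it returns ErrGroupsOverage together with
// the endpoint the caller would need to query. A payload with no groups claim
// at all yields an empty (non-nil) list rather than an error, so "no groups"
// and "could not determine groups" stay distinguishable to the caller.
func GroupsFromClaims(raw []byte) (groups []string, overageEndpoint string, err error) {
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, "", fmt.Errorf("decode claims: %w", err)
	}
	if c.Groups != nil {
		return c.Groups, "", nil
	}
	src, ok := c.ClaimNames["groups"]
	if !ok {
		return []string{}, "", nil
	}
	s, ok := c.ClaimSources[src]
	if !ok || s.Endpoint == "" {
		// Overage claim that points nowhere: refuse rather than silently grant nothing.
		return nil, "", fmt.Errorf("overage claim references unknown source %q", src)
	}
	return nil, s.Endpoint, ErrGroupsOverage
}

func main() {
	for _, raw := range []string{InlineClaims, OverageClaims, `{"sub":"u3"}`} {
		g, ep, err := GroupsFromClaims([]byte(raw))
		fmt.Printf("groups=%v endpoint=%q err=%v\n", g, ep, err)
	}
}
```

The point of returning a distinct sentinel error for the overage case is that a connector which only reads `groups` would otherwise treat a user in many groups as a user in none, which is exactly the silent failure the note warns about; callers can check `errors.Is(err, ErrGroupsOverage)` and decide whether to follow the endpoint or deny access.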