canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

Auth: Remove OIDC identities #13149

Closed edlerd closed 2 weeks ago

edlerd commented 7 months ago

Required information

Issue description

On log-in of OIDC users, an entry in the identities table gets created. Currently, there is no way to remove those entries. This might be problematic if the user in the external identity provider was removed and an administrator wants to clean up the entries in LXD.

The suggestion is to add an endpoint that allows removing OIDC identities.

Steps to reproduce

  1. Configure LXD with OIDC
  2. Log in to the UI with an OIDC user foo@bar.com
  3. Remove foo@bar.com from LXD's identities

mseralessandri commented 6 months ago

We can consider the SCIM protocol (https://scim.cloud/) to align identities with the IdP

markylaing commented 6 months ago

There are a number of options for removing OIDC identities:

  1. Add a task to clean up OIDC identities that have not been seen for a configurable period and are not members of an LXD group.
  2. Add an endpoint so that an administrator can remove them manually. If they are still present at the IdP level this will have the effect of revoking all LXD group membership, but it will not have any effect if permissions are configured using IdP group mappings.
  3. Use SCIM as suggested by @mseralessandri. We should be careful to add a backup for this as it may not be supported by all IdPs.
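The selection rule behind option 1 above (drop identities that are both stale and outside every LXD group, keep everything else) sketched in Go. This is an added example, not LXD's code: the `Identity` struct, the field names and the `PruneStaleOIDCIdentities` function are assumptions made for illustration, and the sample records are constructed. Identities with group membership are never selected, since removing them would silently revoke group-based permissions, which is the concern raised under option 2.

```go
package main

import (
	"fmt"
	"time"
)

// Identity is a hypothetical, simplified view of an OIDC identity record
// (constructed for this example; not LXD's real schema).
type Identity struct {
	Identifier string    // OIDC subject or email, e.g. foo@bar.com
	LastSeen   time.Time // time of the last successful login
	Groups     []string  // LXD groups the identity is a member of
}

// PruneStaleOIDCIdentities splits ids into the identities that a cleanup
// task would remove (not seen for longer than retention AND not in any LXD
// group) and those it would keep. Group members are always kept so that
// cleanup never revokes permissions on its own.
func PruneStaleOIDCIdentities(ids []Identity, now time.Time, retention time.Duration) (remove, keep []Identity) {
	for _, id := range ids {
		stale := now.Sub(id.LastSeen) > retention
		if stale && len(id.Groups) == 0 {
			remove = append(remove, id)
		} else {
			keep = append(keep, id)
		}
	}
	return remove, keep
}

func main() {
	// Constructed sample data: a fixed "now" keeps the run reproducible.
	now := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	ids := []Identity{
		{Identifier: "foo@bar.com", LastSeen: now.Add(-100 * 24 * time.Hour)},                               // stale, no groups
		{Identifier: "admin@bar.com", LastSeen: now.Add(-100 * 24 * time.Hour), Groups: []string{"admins"}}, // stale, but in a group
		{Identifier: "active@bar.com", LastSeen: now.Add(-1 * time.Hour)},                                   // recently seen
	}
	retention := 90 * 24 * time.Hour // the configurable period

	remove, keep := PruneStaleOIDCIdentities(ids, now, retention)
	for _, id := range remove {
		fmt.Printf("would remove %s (last seen %s)\n", id.Identifier, id.LastSeen.Format(time.RFC3339))
	}
	for _, id := range keep {
		fmt.Printf("keeping %s (groups=%v)\n", id.Identifier, id.Groups)
	}
}
```

Running it reports foo@bar.com as the only removal candidate; admin@bar.com survives because of its group membership and active@bar.com because it was seen within the retention window. In a real implementation the retention period would come from configuration and the removal would go through the same code path as the manual endpoint from option 2, so both leave the same audit trail.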