Closed: datakurre closed this 1 year ago
I would at least add an option to set which property should be checked to get the groups as it is done in #16 for user information.
See #20
Changes Missing Coverage | Covered Lines | Changed/Added Lines | %
---|---|---|---
src/pas/plugins/oidc/plugins.py | 4 | 24 | 16.67%

Totals | |
---|---|
Change from base Build 4282097293: | -2.5%
Covered Lines: | 229
Relevant Lines: | 408
I have rebased this, to have at least the tests green :)
@mauritsvanrees @mamico what do you think about this?
I am not sure if this should be implemented like this or like another plugin, we can discuss it...
@erral I like the idea of managing groups with the OIDC claim, but currently I don't have a real use case to compare it to. The only thought I would have is whether it's better to use a property of the groups or a naming convention to distinguish OIDC-managed groups from others.
Yeah, I didn't even know that it was possible to add properties to groups :smile:
I have a use case, the one explained in the blog post, where we can use a user property coming from Google (in this case the property is `hd`) to identify users and create a group with them.
We also thought about whether we should prefix the group names to separate provisioned groups from local groups, but eventually I chose to use a property to avoid the confusion caused by the prefix and the naming decision for the prefix.
We'd like to implement provisioning of groups directly from the id token / user info, if it includes a list of group ids:
This is an opinionated approach, so I'd request comments before polishing it with the requested changes, changelog and tests.
For example, should there be more granular configuration? Separate toggles for group creation and membership management? Customizable user info attribute for groups list? Customizable group property used in tagging? Something else?
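To make the design questions above concrete, here is an added example (not code from pas.plugins.oidc or from this PR) of the reconciliation logic the thread describes: groups named in a configurable claim are created and tagged with a configurable group property, and only groups carrying that tag ever gain or lose members from a claim. Groups are plain dicts rather than PAS objects, and the claim, property and group names are assumptions; a string-valued claim such as Google's `hd` is treated as a single group id.

```python
# Assumed names: "groups" claim, "oidc_managed" tag property (not the project's).
OIDC_TAG = "oidc_managed"


def provision_group(groups, group_id, tag_property=OIDC_TAG):
    """Create the group if missing and mark it as provisioned from OIDC."""
    group = groups.setdefault(group_id, {"properties": {}, "members": set()})
    group["properties"][tag_property] = True
    return group


def sync_user_groups(user_id, userinfo, groups, groups_claim="groups",
                     tag_property=OIDC_TAG, create_groups=True):
    """Reconcile user_id's memberships with the group ids in the claim.

    Only groups carrying tag_property are modified: a claim can neither add a
    user to nor remove a user from a locally managed (untagged) group, so the
    IdP cannot grant e.g. Administrators membership through a claim.
    Returns (added, removed) sets of group ids.
    """
    raw = userinfo.get(groups_claim)
    claimed = {raw} if isinstance(raw, str) else set(raw or [])  # e.g. hd
    added, removed = set(), set()

    for group_id in claimed:
        if group_id not in groups:
            if not create_groups:
                continue  # group-creation toggle: ignore unknown group ids
            provision_group(groups, group_id, tag_property)
        group = groups[group_id]
        if not group["properties"].get(tag_property):
            continue  # existing local group: claims do not touch it
        if user_id not in group["members"]:
            group["members"].add(user_id)
            added.add(group_id)

    for group_id, group in groups.items():
        if (group["properties"].get(tag_property)
                and group_id not in claimed
                and user_id in group["members"]):
            group["members"].discard(user_id)  # membership revoked at the IdP
            removed.add(group_id)
    return added, removed
```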