dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0
9.23k stars 1.67k forks

Gating access to backend service based on user #1679

Open chainlink opened 4 years ago

chainlink commented 4 years ago

Hi there, I'd like to use Dex as a central auth mechanism but am wondering how you could gate access to backend services based on emails/groups. ie certain users/groups should have access to a subset of backend services. Is this possible with Dex?

karol-szymanowski commented 4 years ago

I don't think this is possible with only dex ... Dex only provides users' identities, and the authorization process depends on your services. So your service needs to support OIDC (e.g. Grafana can do this) or use third-party software that allows putting users on a whitelist (e.g. oauth2_proxy). RBAC is up to the service as well.

It's explained in this talk https://www.youtube.com/watch?v=yaJnT6DNHHc

sagikazarmark commented 2 years ago

This is somewhat of a grey area and there are examples of group-based authorization in Dex already (e.g. the github/gitlab connectors can deny entry based on allow/deny lists).

The problem with OIDC is that an IdP might not be split into realms. In the case of a large enterprise, for example, this could mean that every single user in the company directory can log in to your application and it's up to the application to deny entry for users. Unfortunately, applications rarely do that though; even if they have authorization, they don't deny entry.

I think this would be a nice feature. Some connectors can already do that, but sadly only on the connector level. You can't do access control for separate clients.
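As an added example (not part of this thread and not Dex's own code), here is what the application-side check described by karol-szymanowski looks like, combined with the per-client allowlist that sagikazarmark says Dex does not offer: a service that verifies a Dex-issued ID token was minted for its own client ID and then admits the user only if a group or verified email matches its policy. It uses only the Go standard library. The type and function names (`Claims`, `Policy`, `Authorize`, `DecodeClaims`, `SampleToken`), the issuer URL, subject, groups and client IDs are all assumptions; the token is constructed inline and carries a placeholder signature, so `DecodeClaims` only parses the payload. The signature and issuer check that must run before any of this (for example go-oidc's `IDTokenVerifier` against Dex's JWKS) is outside this snippet.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audience accepts both the single-string and the array form of the "aud"
// claim that RFC 7519 permits; Dex emits a string for a single client.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = Audience(many)
	return nil
}

// Claims is the subset of a Dex ID token an application needs for an
// authorization decision. The JSON names are standard OIDC claims; the
// struct itself is an assumption made for this example.
type Claims struct {
	Issuer        string   `json:"iss"`
	Subject       string   `json:"sub"`
	Audience      Audience `json:"aud"`
	Email         string   `json:"email"`
	EmailVerified bool     `json:"email_verified"`
	Groups        []string `json:"groups"`
}

// Policy is one service's allowlist. Because each service applies its own
// Policy, access is gated per client even though the IdP admits everyone.
type Policy struct {
	AllowedGroups map[string]bool
	AllowedEmails map[string]bool
}

var ErrDenied = errors.New("access denied")

// Authorize is deny-by-default: the token must name this client in "aud",
// and the user must match the policy by group or by verified email.
func Authorize(c Claims, clientID string, p Policy) error {
	audOK := false
	for _, aud := range c.Audience {
		if aud == clientID {
			audOK = true
		}
	}
	if !audOK {
		// A token minted for a different client must not unlock this service.
		return fmt.Errorf("%w: token not issued for client %q", ErrDenied, clientID)
	}
	for _, g := range c.Groups {
		if p.AllowedGroups[g] {
			return nil
		}
	}
	if c.EmailVerified && p.AllowedEmails[c.Email] {
		return nil
	}
	return fmt.Errorf("%w: subject %q not permitted for client %q", ErrDenied, c.Subject, clientID)
}

// DecodeClaims parses the payload segment of a compact JWT. It performs no
// signature check; call it only on a token that has already been verified.
func DecodeClaims(idToken string) (Claims, error) {
	var c Claims
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(payload, &c)
	return c, err
}

// SampleToken builds a constructed, unsigned token so the example runs
// offline. The header and signature segments are placeholders.
func SampleToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"example"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://dex.example.com",` +
		`"sub":"alice-subject","aud":"grafana","email":"alice@example.com",` +
		`"email_verified":true,"groups":["developers","platform-admins"]}`))
	return header + "." + payload + ".placeholder-signature"
}

func main() {
	c, err := DecodeClaims(SampleToken())
	if err != nil {
		panic(err)
	}
	p := Policy{AllowedGroups: map[string]bool{"platform-admins": true}}
	fmt.Println("grafana client, admins policy:", Authorize(c, "grafana", p))
	fmt.Println("billing client, same token:  ", Authorize(c, "billing", p))
}
```

In a real deployment the `Policy` for a service would come from its configuration, and the same token presented to a second service with a different client ID is rejected at the audience check before any group is consulted, which is the per-client separation the thread asks for.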