dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0
9.33k stars, 1.68k forks

groups: add a concept of a directory of users #175

Closed philips closed 7 years ago

philips commented 8 years ago

Teams are a fairly essential part of an identity service. Unfortunately, OIDC doesn't have a spec for that. The basic operations are:

The two obvious APIs to copy from are either Google or GitHub's.

GitHub teams: https://developer.github.com/v3/orgs/teams/#list-teams
Google Directory Groups: https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups

The motivation for groups is to give very coarse-grained ACLs to a set of identities. For example, I want to restrict a service inside of my cluster to a particular team by providing config to oauth2_proxy: https://github.com/bitly/oauth2_proxy#restrict-auth-to-specific-google-groups-on-your-domain-optional
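The coarse-grained group ACL the post describes, written out as an added example (this is not dex code and not oauth2_proxy code; the `Claims`, `GroupPolicy`, `Authorize` and `ParseClaims` names are this example's own). It assumes an ID token has already been verified (signature, issuer, audience, expiry) by an OIDC library and carries a `groups` claim, which core OIDC does not define but which a provider can populate from an upstream directory. The policy fails closed on an empty allowlist and on a malformed `groups` claim:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims is the subset of ID-token claims this example consults. The "groups"
// claim is not part of core OIDC; it is an assumed extension populated from an
// upstream directory (LDAP, GitHub, Google Directory, ...).
type Claims struct {
	Subject string   `json:"sub"`
	Email   string   `json:"email"`
	Groups  []string `json:"groups"`
}

// GroupPolicy is the coarse-grained ACL: a request is allowed when the identity
// belongs to at least one listed group. An empty list denies everyone.
type GroupPolicy struct {
	AllowedGroups []string
}

// Authorize decides whether the identity described by c may pass. It returns the
// matching group so the caller can record it in an audit log, or "" on denial.
// Matching is exact and case-sensitive, like the group names a directory returns.
func (p GroupPolicy) Authorize(c Claims) (bool, string) {
	if len(p.AllowedGroups) == 0 {
		return false, ""
	}
	allowed := make(map[string]struct{}, len(p.AllowedGroups))
	for _, g := range p.AllowedGroups {
		allowed[g] = struct{}{}
	}
	for _, g := range c.Groups {
		if _, ok := allowed[g]; ok {
			return true, g
		}
	}
	return false, ""
}

// ParseClaims decodes the JSON claim set of an ID token whose signature, issuer,
// audience and expiry have ALREADY been verified. A "groups" value that is not a
// JSON array (for example a bare string) is rejected rather than silently ignored,
// so a misconfigured upstream cannot turn into an unexpected allow later.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("invalid claims: %w", err)
	}
	if c.Subject == "" {
		return Claims{}, fmt.Errorf("invalid claims: missing sub")
	}
	return c, nil
}

func main() {
	// Constructed sample claim sets (not real tokens).
	samples := []string{
		`{"sub":"u1","email":"alice@example.com","groups":["platform-team","viewers"]}`,
		`{"sub":"u2","email":"bob@example.com","groups":["viewers"]}`,
		`{"sub":"u3","email":"carol@example.com"}`,
		`{"sub":"u4","email":"dave@example.com","groups":"platform-team"}`,
	}
	policy := GroupPolicy{AllowedGroups: []string{"platform-team"}}
	for _, s := range samples {
		c, err := ParseClaims([]byte(s))
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		ok, via := policy.Authorize(c)
		fmt.Printf("%s allowed=%v via=%q\n", c.Email, ok, via)
	}
}
```

The check is deliberately kept separate from token verification: authentication (who signed this, for whom, is it still valid) belongs to the OIDC library, while this policy only answers the authorization question the post is about, which team may reach the service.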

stepanstipl commented 8 years ago

+1

philips commented 8 years ago

Here is an initial design doc: https://docs.google.com/document/d/1OCKW-8rBCngBFWMMrSGokKqWt-a8lg3WvfrejcETBMA/edit#heading=h.9kkruegwavaf

rsoletob commented 8 years ago

Hello, we are interested in this topic. We have an administration tool for managing users and groups but it doesn't scale well, and we want to adopt an open-source project. We've seen that you're planning to test Cayley + SCIM, according to the Google docs proposal, but we don't know if you have already made some progress on this. Any news on this? Maybe you can share with us a roadmap?

If the solution suits well with our project, we are keen on helping you with this feature.

ping @adrianlop, @miguelcubillo, @gerson24

ericchiang commented 8 years ago

@rsoletob our roadmap is here. Once we've addressed refresh tokens we'll start taking a serious look into groups.

We'll make sure to update this issue with progress. If you have any comments or concerns, we'd love additional input.

fnordahl commented 8 years ago

Connectors should probably also optionally support groups/authorization and be allowed to be a source of this information for dex in some way? The LDAP connector (#178) could be a candidate for this.

ericchiang commented 8 years ago

@fnordahl Just like a local vs remote connector, I think we'll attempt to build some interface for a remote group source. And yes, since LDAP already has these concepts it would be a likely candidate.

ericchiang commented 7 years ago

Dex does not have a native groups implementation, but can pull groups from upstream IDPs. I think this is fine for now.

mvbn6789 commented 3 years ago

So dex will not support multi-tenant?