dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

GitHub connector should return parent teams #2678

Open lancehudson opened 2 years ago

lancehudson commented 2 years ago

Preflight Checklist

Problem Description

The GitHub connector returns the teams a user is directly a member of. GitHub teams can have parents, and they inherit the permissions from their parent team.

Proposed Solution

The GitHub connector should return the parent teams (recursively) for all of a user's team memberships and direct memberships.

Alternatives Considered

Additional Information

GitHub API /user/team/ only returns the direct memberships (and the parent's name), and we would need to look up the parent's parent recursively.

This change would make permissions consistent in GitHub and downstream apps. My org uses GitHub auth because of how closely tied together GitHub permissions and the permissions of the apps we have tied to GitHub via dex are. Not being able to use team inheritance significantly impacts the management and organization of our permissions.
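The recursive parent lookup proposed above, as an added Go example that is not dex's connector code and not written by anyone in this thread. `Team`, `lookupFunc`, `ExpandTeams`, `sampleLookup`, the `org:slug` group format and the `acme` hierarchy are all assumptions constructed for illustration; `lookupFunc` stands in for whatever API request fetches a single team.

```go
package main

import (
	"fmt"
	"sort"
)

// Team holds the fields used here; Parent is "" for a top-level team.
type Team struct{ Org, Slug, Parent string }

// lookupFunc is a hypothetical stand-in for one API request fetching a team.
type lookupFunc func(org, slug string) (Team, error)

// ExpandTeams returns sorted "org:slug" names for the direct teams and all
// of their ancestors. A failed lookup aborts, so no partial list is issued.
func ExpandTeams(direct []Team, lookup lookupFunc) ([]string, error) {
	seen := map[string]bool{}
	for _, cur := range direct {
		// Stop once a team was already recorded: its ancestor chain has been
		// walked, and the same check ends a (malformed) parent cycle.
		for !seen[cur.Org+":"+cur.Slug] {
			seen[cur.Org+":"+cur.Slug] = true
			if cur.Parent == "" {
				break
			}
			parent, err := lookup(cur.Org, cur.Parent)
			if err != nil {
				return nil, fmt.Errorf("parent of %s: %w", cur.Slug, err)
			}
			cur = parent
		}
	}
	groups := make([]string, 0, len(seen))
	for g := range seen {
		groups = append(groups, g)
	}
	sort.Strings(groups)
	return groups, nil
}

// sampleLookup serves a constructed hierarchy: backend -> engineering -> staff.
func sampleLookup(org, slug string) (Team, error) {
	parents := map[string]string{"backend": "engineering", "engineering": "staff", "staff": ""}
	p, ok := parents[slug]
	if !ok {
		return Team{}, fmt.Errorf("team %s/%s not found", org, slug)
	}
	return Team{org, slug, p}, nil
}

func main() { fmt.Println(ExpandTeams([]Team{{"acme", "backend", "engineering"}}, sampleLookup)) }
```

Because inherited teams widen the group claim, the example returns an error instead of a shortened list when an ancestor cannot be resolved, and the `seen` set means each ancestor costs at most one lookup per login.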

koendelaat commented 11 months ago

Also surprised by the lack of parent teams in the group claim.