goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

[feature request] add hostedDomain (hd) validation in OIDC auth mode #13004

Open dkulchinsky opened 4 years ago

dkulchinsky commented 4 years ago

Is your feature request related to a problem? Please describe.
When using the OIDC authentication mode, I would like to specify the domain name to be validated for the user performing the login.

Describe the solution you'd like
When configuring an OIDC provider, add an optional hosted domain field where the administrator can specify the allowed domain for the users to log in from. This is an important feature for deployment scenarios where strict access compliance is required. The current mitigation is to use Dex as an intermediary IDP, which supports the hostDomain setting and validation.

Describe the main design/architecture of your solution
Specifying the hostedDomain attribute in the OIDC flow has two benefits:

  1. it limits the possible login selection on the upstream IDP to the ones that match the specified domain and avoids the user selecting the wrong one (so, better UX).
  2. by performing validation of the hd claim in the returned id_token from the IDP, we ensure that we are restricting login only to users from the specified domain (so, better security/compliance).

Describe the development plan you've considered
I'm not sure how to answer that, but the details above should provide enough information, and Dex can be used as a reference for implementation.

Additional context
N/A
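A hosted-domain check of the kind proposed in this request, written as an added Go example (it is not Harbor's code and not taken from Dex): it assumes the OIDC library has already verified the ID token's signature, issuer, audience and expiry, and the unsignedToken helper only fabricates demo tokens so the check can be exercised offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// idTokenClaims is the subset of ID-token claims the hosted-domain check inspects.
type idTokenClaims struct {
	HD string `json:"hd"`
}

// decodeClaims reads the JWT payload only; signature, issuer, audience and expiry are assumed verified upstream.
func decodeClaims(idToken string) (idTokenClaims, error) {
	var c idTokenClaims
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("id_token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// CheckHostedDomain rejects the login unless the "hd" claim equals the configured domain (case-insensitive);
// a missing hd fails closed, and the email domain is deliberately not used as a substitute.
func CheckHostedDomain(idToken, allowedDomain string) error {
	if allowedDomain == "" {
		return nil // no hosted-domain restriction configured (the field is optional)
	}
	c, err := decodeClaims(idToken)
	if err != nil {
		return err
	}
	if !strings.EqualFold(c.HD, allowedDomain) {
		return fmt.Errorf("hd claim %q does not match allowed domain %q", c.HD, allowedDomain)
	}
	return nil
}

// unsignedToken builds a constructed, unsigned JWT-shaped string for demonstration only.
func unsignedToken(claims map[string]string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}
```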

reasonerjt commented 4 years ago

@dkulchinsky

I think your requirement is some allowlist for filtering the ID token, such that only users meet the criteria can be onboarded and use Harbor? Is that correct?

But I'm not sure if hd is a widely used claim?

dkulchinsky commented 4 years ago

Hi @reasonerjt, thanks for getting back to me :)

An allowlist would work as well, I guess filtering against a domain name of the user's email.

We've been using hd -> hostedDomain claim primarily with Google OAuth2 (https://developers.google.com/identity/protocols/oauth2/openid-connect) via Dex, and this is the only mechanism that they provide to allow domain validation, perhaps it is not as common with other services.

jschutte27 commented 3 years ago

I would like to see this as well. It could also be a group like the "OIDC Admin Group", but have an "OIDC allowed user group".

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.