Open dkulchinsky opened 4 years ago
@dkulchinsky
I think your requirement is some allowlist for filtering the ID token, such that only users who meet the criteria can be onboarded and use Harbor? Is that correct? But I'm not sure if `hd` is a widely used claim?
Hi @reasonerjt, thanks for getting back to me :)
An allowlist would work as well, I guess filtering against a domain name of the user's email.
We've been using the `hd` -> `hostedDomain` claim primarily with Google OAuth2 (https://developers.google.com/identity/protocols/oauth2/openid-connect) via Dex, and this is the only mechanism that they provide to allow domain validation, perhaps it is not as common with other services.
I would like to see this as well. It could also be a group like the "OIDC Admin Group", but have an "OIDC allowed user group".
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Is your feature request related to a problem? Please describe.
When using the OIDC authentication mode, I would like to specify the domain name to be validated for the user performing the login.
Describe the solution you'd like
When configuring an OIDC provider, add an optional hosted domain field where the administrator can specify the allowed domain for the users to log in from. This is an important feature for deployment scenarios where strict access compliance is required. Current mitigation is to use Dex as an intermediary IDP which supports the hostDomain setting and validation.
Describe the main design/architecture of your solution
Specifying the `hostedDomain` attribute in the OIDC flow has two benefits: ... by validating the `hd` claim in the returned id_token from the IDP, we ensure that we are restricting login only to users from the specified domain (so, better security/compliance).
Describe the development plan you've considered
I'm not sure how to answer that, but the details above should provide enough information and Dex can be used as a reference for implementation.
Additional context
N/A
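As an added illustration (not Harbor's or Dex's code) of the check the request describes: the `hd` claim of an already-verified ID token is compared against an allowlist of hosted domains, and a token with no `hd` is rejected unless the operator explicitly opts into the weaker email-domain fallback mentioned above. The `Claims` type, `CheckHostedDomain` and `ParseClaims` are assumed names; the payload is a constructed sample.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of ID-token claims the check looks at.
// HostedDomain maps to Google's "hd" claim; Email is only a fallback.
type Claims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	HostedDomain  string `json:"hd"`
}

var ErrDomainNotAllowed = errors.New("hosted domain not allowed")

// CheckHostedDomain enforces a hosted-domain allowlist on claims whose
// token signature, issuer, audience and expiry were already verified.
// allowEmailFallback lets a verified email's domain stand in when the IdP
// issues no hd claim; this proves the address domain only, not that the
// account belongs to the organisation, so it is off by default.
func CheckHostedDomain(c Claims, allowed []string, allowEmailFallback bool) error {
	domain := strings.ToLower(strings.TrimSpace(c.HostedDomain))
	if domain == "" && allowEmailFallback && c.EmailVerified {
		if at := strings.LastIndex(c.Email, "@"); at >= 0 {
			domain = strings.ToLower(c.Email[at+1:])
		}
	}
	if domain == "" {
		return fmt.Errorf("%w: token carries no hd claim", ErrDomainNotAllowed)
	}
	for _, a := range allowed {
		if domain == strings.ToLower(strings.TrimSpace(a)) {
			return nil
		}
	}
	return fmt.Errorf("%w: %q", ErrDomainNotAllowed, domain)
}

// ParseClaims decodes the verified ID-token payload (JSON) into Claims.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	err := json.Unmarshal(payload, &c)
	return c, err
}

func main() {
	// Constructed sample payload, not a real token.
	c, _ := ParseClaims([]byte(`{"email":"alice@example.com","email_verified":true,"hd":"example.com"}`))
	fmt.Println(CheckHostedDomain(c, []string{"example.com"}, false)) // <nil>
}
```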