hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

AzureAD/OIDC to support more than 200 AD groups #1378

Open robrankin opened 3 years ago

robrankin commented 3 years ago

Describe the bug: Azure AD/OIDC with more than 200 group claims. For users with more than 200 groups, Azure provides a distributed group claim rather than including the group claims in the token.

After configuring Managed Groups, some of our users are not being assigned to the group, apparently because their token doesn't include the group claims directly.

Users with fewer than 200 groups, where their group claims are directly populated in the token, work correctly and are assigned membership in the Managed Group.

Appears to be identical to this Vault issue:

https://github.com/hashicorp/vault-plugin-auth-jwt/issues/74

Expected behavior: Boundary will fetch distributed group claims and use those for determining Managed Group memberships.

Additional context: Opening as an issue just for visibility really, as it appears to be identical to the Vault issue.
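The overflow behaviour described in this report is the distributed-claims mechanism from OpenID Connect Core 1.0 section 5.6.2: instead of a `groups` array, the token carries a `_claim_names` entry pointing at a `_claim_sources` entry whose `endpoint` must be queried to get the values. The Go program below is an added example, not Boundary's or Vault's code, showing how a relying party can detect that pointer and resolve it. The `Fetcher` type, the `ResolveGroups`/`IsMember` functions, the `graph.example.test` endpoint and the sample payloads are all constructed for illustration; the real Azure endpoint, its authentication and its response shape are issuer-specific and are deliberately left behind the pluggable `Fetcher`. The https-plus-host-allowlist check is my own hardening choice, so that a token from a misconfigured or hostile issuer cannot point the relying party at an arbitrary URL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// claims is the subset of an OIDC ID token payload needed here. _claim_names and
// _claim_sources are the distributed-claims fields from OpenID Connect Core 1.0
// section 5.6.2, which Azure AD uses when a group list is too long to embed.
type claims struct {
	Sub          string                 `json:"sub"`
	Groups       []string               `json:"groups"`
	ClaimNames   map[string]string      `json:"_claim_names"`
	ClaimSources map[string]claimSource `json:"_claim_sources"`
}

// claimSource says where the omitted claim values can be fetched.
type claimSource struct {
	Endpoint    string `json:"endpoint"`
	AccessToken string `json:"access_token"`
}

// Fetcher retrieves the group list from a distributed claim source. A production
// implementation makes an authenticated HTTP call to src.Endpoint; the response
// format is issuer-specific (assumption), so the network step is left pluggable.
type Fetcher func(src claimSource) ([]string, error)

// ResolveGroups returns the subject's group IDs. It prefers the inline "groups"
// claim and falls back to the distributed source only when the token carries a
// _claim_names pointer for "groups". allowedHosts limits which endpoints we will
// call (added hardening, not part of the OIDC spec).
func ResolveGroups(payload []byte, allowedHosts []string, fetch Fetcher) ([]string, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	if c.Groups != nil {
		return c.Groups, nil // normal path: groups fit in the token
	}
	srcName, ok := c.ClaimNames["groups"]
	if !ok {
		return nil, nil // no groups and no pointer: the subject has none
	}
	src, ok := c.ClaimSources[srcName]
	if !ok {
		return nil, fmt.Errorf("_claim_names refers to unknown source %q", srcName)
	}
	if src.Endpoint == "" {
		return nil, fmt.Errorf("source %q is an aggregated claim, not supported here", srcName)
	}
	if err := checkEndpoint(src.Endpoint, allowedHosts); err != nil {
		return nil, err
	}
	if fetch == nil {
		return nil, fmt.Errorf("groups for %q are distributed but no fetcher is configured", c.Sub)
	}
	return fetch(src)
}

// checkEndpoint enforces https and an exact-match host allowlist.
func checkEndpoint(endpoint string, allowedHosts []string) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("bad claim source endpoint: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("claim source endpoint %q is not https", endpoint)
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Host, h) {
			return nil
		}
	}
	return fmt.Errorf("claim source host %q not in allowlist", u.Host)
}

// IsMember is the managed-group decision: does the resolved list contain the
// group ID the managed group's filter requires?
func IsMember(groups []string, want string) bool {
	for _, g := range groups {
		if g == want {
			return true
		}
	}
	return false
}

// Constructed sample payloads (not real tokens): one subject whose groups are
// inline, one whose groups overflowed into a distributed claim.
const (
	SampleInlineClaims      = `{"sub":"u1","groups":["g-admins","g-devs"]}`
	SampleDistributedClaims = `{"sub":"u2",
	  "_claim_names":{"groups":"src1"},
	  "_claim_sources":{"src1":{"endpoint":"https://graph.example.test/users/u2/getMemberObjects"}}}`
)

// FakeFetcher stands in for the network call in the demo; it returns a
// constructed group list as if the endpoint had answered.
func FakeFetcher(src claimSource) ([]string, error) {
	return []string{"g-devs", "g-overflow-199", "g-overflow-200"}, nil
}

func main() {
	hosts := []string{"graph.example.test"}
	for _, p := range []string{SampleInlineClaims, SampleDistributedClaims} {
		groups, err := ResolveGroups([]byte(p), hosts, FakeFetcher)
		fmt.Printf("groups=%v member(g-devs)=%v err=%v\n", groups, IsMember(groups, "g-devs"), err)
	}
}
```

The point the example makes for a managed-group implementation: a missing `groups` claim is not the same as an empty one. Treating the two alike is exactly what silently drops the users in this report, so the code returns an error rather than an empty list when the pointer is present but cannot be followed.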

jefferai commented 3 years ago

Yes, this is a known limitation with the implementation right now. Eventually we'll add in the support from Vault to the shared library that both products are using (Boundary initially, Vault to eventually rebase on top of).