hashicorp / vault-plugin-auth-jwt

A Vault plugin to allow authentication via JWT (and OIDC) tokens
Mozilla Public License 2.0

Feature Request: Add access_token as an Optional Parameter to /auth/jwt/login for Group Fetching #264

Open imre-kerr-sb1 opened 11 months ago

imre-kerr-sb1 commented 11 months ago

Description

I propose adding an access_token as an optional parameter to the /auth/jwt/login endpoint repository. This feature aims to enable Vault to use the provided access token to fetch a user's groups from Azure AD, specifically in cases where users are members of more than 200 groups.

Context

Currently, when using the JWT login method with Azure AD, users who are part of a large number of groups encounter limitations. The JWT login method supports only the ID token parameter and lacks the functionality to fetch groups using its own client ID and secret. This limitation becomes evident in scenarios where users are members of more than 200 groups, as the ID token includes claims indicating the groups are available via a separate endpoint.

Proposed Solution

Security Considerations

Contribution

I am willing to contribute to the coding and implementation of this feature. Before starting, I am seeking feedback on the security implications and the overall feasibility of this approach from the community and maintainers.

Request for Feedback

I would greatly appreciate any insights, concerns, or suggestions regarding this proposed feature, especially concerning security implications and best practices in the context of Vault and OAuth 2.0/OIDC standards.
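The overage flow the request describes, written out as an added illustration (this is example code, not the plugin's code and not the proposal's implementation). It assumes the ID-token layout Azure AD uses when the group list is too long (no `groups` claim, a `_claim_names` entry for `groups`), assumes the Graph endpoints `/v1.0/me` and `/v1.0/me/memberOf` with `@odata.nextLink` paging, and adds one check a reviewer would want before Vault trusts a caller-supplied access_token: the principal that token identifies must match the ID token's `oid`, otherwise the login could be decorated with a different user's group list. The Graph server is a constructed fake so the example runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Claims is a decoded ID-token claim set. In the overage case Azure AD omits
// "groups" and emits "_claim_names"/"_claim_sources" instead (assumed layout).
type Claims map[string]interface{}

// HasGroupOverage reports whether the token says groups must be fetched
// from a separate endpoint instead of being listed in the token.
func HasGroupOverage(c Claims) bool {
	if _, ok := c["groups"]; ok {
		return false
	}
	names, _ := c["_claim_names"].(map[string]interface{})
	_, ok := names["groups"]
	return ok
}

// graphGet does one bearer-authenticated GET and decodes the JSON body into out.
func graphGet(client *http.Client, url, accessToken string, out interface{}) error {
	req, _ := http.NewRequest(http.MethodGet, url, nil)
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("graph returned %d: %s", resp.StatusCode, body)
	}
	return json.Unmarshal(body, out)
}

// FetchOverageGroups returns the user's group object IDs from Graph using the
// caller-supplied access token. Before trusting that token it checks that the
// principal it identifies (Graph /me id) equals the ID token's "oid", so a
// login cannot attach a different user's group list to this identity.
func FetchOverageGroups(client *http.Client, graphBase string, id Claims, accessToken string) ([]string, error) {
	if !HasGroupOverage(id) {
		return nil, errors.New("no overage marker: read the groups claim from the token")
	}
	if accessToken == "" {
		return nil, errors.New(`"groups" claim not in token and no access_token supplied`)
	}
	var me struct{ ID string `json:"id"` }
	if err := graphGet(client, graphBase+"/v1.0/me?$select=id", accessToken, &me); err != nil {
		return nil, err
	}
	if oid, _ := id["oid"].(string); oid == "" || me.ID != oid {
		return nil, errors.New("access_token principal does not match ID token oid")
	}
	var groups []string
	next := graphBase + "/v1.0/me/memberOf?$select=id"
	for next != "" { // follow @odata.nextLink paging until exhausted
		var page struct {
			Value []struct{ ID string `json:"id"` } `json:"value"`
			Next  string                            `json:"@odata.nextLink"`
		}
		if err := graphGet(client, next, accessToken, &page); err != nil {
			return nil, err
		}
		for _, g := range page.Value {
			groups = append(groups, g.ID)
		}
		next = page.Next
	}
	return groups, nil
}

// NewFakeGraph is a constructed offline stand-in for Microsoft Graph: it
// accepts one bearer token ("AT-alice", belonging to oid-alice) and serves the
// membership list in two pages so the paging path is exercised.
func NewFakeGraph() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer AT-alice" {
			http.Error(w, `{"error":"InvalidAuthenticationToken"}`, http.StatusUnauthorized)
			return
		}
		switch {
		case r.URL.Path == "/v1.0/me":
			fmt.Fprint(w, `{"id":"oid-alice"}`)
		case r.URL.Query().Get("page") == "2":
			fmt.Fprint(w, `{"value":[{"id":"g3"}]}`)
		default:
			fmt.Fprintf(w, `{"value":[{"id":"g1"},{"id":"g2"}],"@odata.nextLink":"http://%s/v1.0/me/memberOf?page=2"}`, r.Host)
		}
	}))
}
```

With the fake server, `FetchOverageGroups(srv.Client(), srv.URL, aliceClaims, "AT-alice")` yields `g1, g2, g3`; an empty access_token reproduces the "token unavailable" failure the thread mentions, a token Graph rejects fails at the `/me` call, and a valid token presented with another user's ID token fails the `oid` comparison. The binding check is the part that matters for the security review the issue asks for: an access_token is a bearer credential, so the login path has to prove it belongs to the same user as the ID token before using what it returns.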

leonfibal commented 1 week ago

Hello,

This is a serious blocker for us. Are there any plans for implementing this?

I am adding a link to the line where the problem begins: https://github.com/hashicorp/vault-plugin-auth-jwt/blob/b8833ceee3c7ea49dfac0a18a4050508ebdee605/path_login.go#L175-L179

tokenSource is nil, and the result of the login attempt is:

* failed to fetch groups: "groups" claim not found in token: token unavailable to call Microsoft Graph API