indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Feature Request: Client can request to only receive specified groups, if present #690

Open norealroots opened 5 months ago

norealroots commented 5 months ago

When operating IAM, it is possible for the groups field for prolific users to become extremely large, thereby increasing the size of the token object.

Would it be possible for a client to request, via a specified scope, to only receive the groups it cares about rather than the full list? Conceptually, this would operate like:

Ideally the client would be able to request multiple groups, and receive the ones the user belongs to.

Is this something which seems feasible?

giacomini commented 5 months ago

There is already discussion along these lines in the context of the WLCG JWT profile (see e.g. https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/46). Ignoring for a moment the technical feasibility, I personally have some reservations about going in this direction, because it departs from the consolidated model we have used in the past decades, whereby you get all the groups. Note, for example, that a resource would not be able to deny access based on group membership. Are you worried just about the token size or are there more profound reasons?

norealroots commented 5 months ago

I hadn't considered the context of denying based on membership - but would that not be implementable by just asking if that group is present also? The token size was the concern that flagged this, but there were also the comments about user privacy that came up following. At the moment, tokens contain all the group information about a user which could conceptually be used to represent affiliations etc, which is not always need-to-know information?

robbarnsley commented 5 months ago

I'm not sure I understand the issue around denying access, do you have a specific example @giacomini?

Is a compromise possible? That is, the ability to set groups as "always returned" / "only returned on request".

giacomini commented 5 months ago

I'm not sure I understand the issue around denying access, do you have a specific example @giacomini?

People belonging to a certain country (something that unfortunately has happened).

Is a compromise possible? That is, the ability to set groups as "always returned" / "only returned on request".

The WLCG JWT profile already foresees default and optional groups, with exactly this meaning, which IAM supports.
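A worked version of the compromise discussed in this thread (groups marked "always returned" versus "only returned on request", with the client selecting optional groups through a scope), added here as an illustration and not taken from IAM or the WLCG profile code; the `wlcg.groups` scope syntax, the `GROUP_POLICY` table and the sample groups are assumptions constructed for this example:

```python
"""Group-claim filtering policy (added example, not IAM's own code).

Assumptions (constructed for illustration):
- each group is classified as "default" (always returned, so a resource can still
  deny access on membership) or "optional" (returned only if the client asks);
- the client asks for an optional group with a scope of the form
  "wlcg.groups:<group>", and for the default set with the bare "wlcg.groups" scope.
"""
from typing import Iterable

GROUPS_SCOPE = "wlcg.groups"

# Constructed registry: which groups are default and which are optional.
GROUP_POLICY = {
    "/cms": "default",
    "/cms/production": "optional",
    "/atlas": "default",
    "/region/eu": "optional",
}


def requested_groups(scopes: Iterable[str]) -> tuple[bool, set[str]]:
    """Parse the client's scopes into (wants_defaults, explicitly requested groups)."""
    wants_defaults = False
    explicit: set[str] = set()
    for scope in scopes:
        if scope == GROUPS_SCOPE:
            wants_defaults = True
        elif scope.startswith(GROUPS_SCOPE + ":"):
            explicit.add(scope[len(GROUPS_SCOPE) + 1:])
    return wants_defaults, explicit


def groups_claim(user_groups: Iterable[str], scopes: Iterable[str]) -> list[str]:
    """Build the groups claim for a token.

    Default groups are included whenever any groups scope is present; optional
    groups only when named explicitly AND the user is actually a member. Groups
    missing from the policy are treated as optional, so nothing leaks by default.
    """
    wants_defaults, explicit = requested_groups(scopes)
    if not wants_defaults and not explicit:
        return []  # no groups scope at all: claim stays empty
    claim = []
    for group in user_groups:
        kind = GROUP_POLICY.get(group, "optional")
        if kind == "default" or group in explicit:
            claim.append(group)
    return sorted(claim)
```

Requesting an optional group the user is not a member of yields only the default groups, which keeps the "receive the ones the user belongs to" behaviour from the original request while letting a resource still deny on a default group's presence.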