Closed dastrobu closed 3 years ago
openshift-bot
commented
4 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
dastrobu
commented
4 years ago /remove-lifecycle stale
openshift-bot
commented
3 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
dastrobu
commented
3 years ago /remove-lifecycle stale
stlaz
commented
3 years ago The oauth-proxy has no knowledge of which roles the user is bound to and therefore it won't be able to pass them on. It does not even know about the user's groups.
dastrobu
commented
3 years ago ok I see, took a look into this.
The SubjectAccessReview does not provide any roles. Certainly the OAuthProxy could query the RoleBindings to pass that on, but I agree that this might be out of scope and the upstream app (or another proxy in the middle) could do that.
I want to secure an application behind the oath-proxy. Securing one end-point based on a single role can easily be done. The application itself, however should be able to check the role of the user and allow usage of some endpoints and methods based on the actual roles of the user.
To that end, it would help if the actual roles of the user could be passed as an additional header.