Open akloster opened 1 year ago
@akloster sorry for the late reply, I agree that such functionality should be possible at the application level. Maybe check the latest improvements at https://github.com/getsentry/sentry/tree/master/src/sentry/auth/providers/google which would be an oidc auth provider.
@max-wittig WDYT?
The only thing you can do, and that's what we're doing and what you mentioned before, is disabling open membership and disabling all permissions from members. It's a hack, as people can still add themselves as members, but I don't think that we can solve this using sentry-auth-oidc.
I am using sentry-auth-oidc with Keycloak, and it works. The problem now is that I can't figure out an easy way to prevent some users from logging into Sentry. The closest I came to an easy solution is to disable the "open membership" setting. There are some other options which involve implementing custom authenticator plugins in Java.
The Keycloak maintainers are of the opinion that you shouldn't be able to restrict users from logging in with a certain client, rather they should have restricted scopes or limited roles. That means the relying application has to enforce restrictions on either role or scope (or whatever you map into the tokens). Unfortunately, the OAuth2 implementation in Sentry and sentry-auth-oidc doesn't enforce the requested scope or a role.
I could try to implement it and make a pull request. I'm asking here first because I may be on the wrong track.
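As an added example that is not part of this thread, sentry-auth-oidc or Keycloak: a relying-party check that enforces a required role or scope from the decoded token claims, the enforcement the post above says is missing on the application side. Claim names follow Keycloak's token layout (`realm_access.roles`, `resource_access.<client>.roles`, space-separated `scope`); the client id `sentry`, the role `sentry-user` and the sample claims are assumed.

```python
# Added example, not sentry-auth-oidc or Keycloak code. Decides whether a
# user may log in based on the role and scope claims Keycloak places in
# its tokens. Assumed layout: realm roles under "realm_access.roles",
# client roles under "resource_access.<client_id>.roles", granted scopes
# as one space-separated "scope" string. The token is assumed to be
# signature-verified already; only its contents are checked here.
from typing import Any, Iterable, Mapping, Set


def token_roles(claims: Mapping[str, Any], client_id: str) -> Set[str]:
    """Collect realm roles plus the roles scoped to one client."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = claims.get("resource_access", {}).get(client_id, {})
    roles.update(client_roles.get("roles", []))
    return roles


def token_scopes(claims: Mapping[str, Any]) -> Set[str]:
    """Scopes arrive as a single space-separated string."""
    return set(str(claims.get("scope", "")).split())


def login_allowed(claims: Mapping[str, Any], client_id: str,
                  required_roles: Iterable[str] = (),
                  required_scopes: Iterable[str] = ()) -> bool:
    """Allow login only if every required role and scope is present.

    With no requirements configured this is a no-op, which is the situation
    the issue describes: the IdP issues a token and the application accepts
    it. Configured requirements turn Keycloak's role/scope mapping into an
    access decision on the relying-party side.
    """
    missing_roles = set(required_roles) - token_roles(claims, client_id)
    missing_scopes = set(required_scopes) - token_scopes(claims)
    return not missing_roles and not missing_scopes


# Constructed sample claims shaped like Keycloak token payloads.
ALLOWED_USER = {
    "sub": "user-1", "scope": "openid email profile sentry",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"sentry": {"roles": ["sentry-user"]}},
}
DENIED_USER = {
    "sub": "user-2", "scope": "openid email profile",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {},
}
```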