vmware-tanzu / pinniped

Pinniped is the easy, secure way to log in to your Kubernetes clusters.
https://pinniped.dev
Apache License 2.0

Make sure downstream `sub` claim is globally unique even for multi-tenant LDAP servers #629

Closed mattmoyer closed 3 years ago

mattmoyer commented 3 years ago

I noticed this is somewhat weird for Jumpcloud, since all users have the same ldaps://ldap.jumpcloud.com/?sub=XYZ-style URL, and any sub collisions would be the same across different search bases. Maybe we should encode the search base somehow?

Originally posted by @mattmoyer in https://github.com/vmware-tanzu/pinniped/pull/620#r636518757

cfryanr commented 3 years ago

We could consider using RFC2255 to put enough data into the URL to make it unique. Note that RFC2255 already defines the sub query to mean subtree search, although maybe we could just ignore that little detail. :)
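As an added illustration of the "put enough data into the URL to make it unique" idea (example code, not Pinniped's own), the function below places the search base DN in the URL path and the unique-ID attribute value under an assumed `sub` query key, so two tenants on the same LDAP host with colliding IDs get different downstream subjects, and a parser shows the subject remains decodable. As the thread notes, this is deliberately not a real RFC 2255 URL, where the text after `?` is an attribute list and `sub` is a scope keyword.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DownstreamSubject builds an opaque, globally unique subject for a user found
// by an LDAP user search. Illustrative only (not Pinniped's format): the search
// base DN goes in the path, and the unique-ID attribute value goes in the query
// string under a hypothetical "sub" key. net/url percent-escapes anything in
// the DN or ID that would otherwise be ambiguous (spaces, '?', '&', '#').
func DownstreamSubject(host, searchBaseDN, uidValue string) string {
	u := url.URL{
		Scheme:   "ldaps",
		Host:     host,
		Path:     "/" + searchBaseDN,
		RawQuery: url.Values{"sub": {uidValue}}.Encode(),
	}
	return u.String()
}

// ParseDownstreamSubject reverses DownstreamSubject so a verifier can recover
// the host, search base and unique ID, and reject subjects in another scheme.
func ParseDownstreamSubject(subject string) (host, searchBaseDN, uidValue string, err error) {
	u, err := url.Parse(subject)
	if err != nil {
		return "", "", "", err
	}
	if u.Scheme != "ldaps" {
		return "", "", "", fmt.Errorf("unexpected scheme %q in subject", u.Scheme)
	}
	return u.Host, strings.TrimPrefix(u.Path, "/"), u.Query().Get("sub"), nil
}

func main() {
	// Constructed sample: two tenants on one multi-tenant host, same user ID.
	a := DownstreamSubject("ldap.jumpcloud.com", "ou=Users,o=tenant-a,dc=jumpcloud,dc=com", "XYZ")
	b := DownstreamSubject("ldap.jumpcloud.com", "ou=Users,o=tenant-b,dc=jumpcloud,dc=com", "XYZ")
	fmt.Println(a)
	fmt.Println(b)
	fmt.Println("distinct:", a != b)
}
```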