Add skeleton of IDP interface for resolving friendly names #2391
Conversation
| // Provider is the identity provider that vended this identity. Note that | ||
| // UserID and HumanName are only unique within the context of a single | ||
| // identity provider. | ||
| Provider IdentityProvider |
There was a problem hiding this comment.
Do we want to add email to this? For some IdPs we wouldn't quite have a preferred user name and the email would be more relevant.
There was a problem hiding this comment.
I think email is the preferred username (HumanName) for some providers. For others (e.g. GitHub Actions) users may not have email addresses.
There was a problem hiding this comment.
Makes sense, I think that's fine
|
|
||
| // IdentityProvider provides an abstract interface for looking up identities | ||
| // in a remote identity provider. | ||
| type IdentityProvider interface { |
There was a problem hiding this comment.
is IdentityProvider assumed to be OIDC-compatible? if so, let's mark that in the docs.
There was a problem hiding this comment.
I'm not sure that we want to require it. I imagined this as being decoupled from specific identity provider implementations, so we'd still need something like OIDC (or x.509 client certs) to assert the user's identity. Once we have their identity, we can then go through this interface to map it to/from database representation.
There was a problem hiding this comment.
Looking at zitadel.RelyingParty, that interface looks a lot bigger (and more OIDC-specific) than what I was looking for here, but I could be convinced to expand to include that if we find it generally useful; it looks like it covers a lot more OIDC functionality. (The URL method is admittedly a bit OIDC-specific at the moment.)
|
|
||
| // IdentityProvider provides an abstract interface for looking up identities | ||
| // in a remote identity provider. | ||
| type IdentityProvider interface { |
There was a problem hiding this comment.
Looking at zitadel.RelyingParty, that interface looks a lot bigger (and more OIDC-specific) than what I was looking for here, but I could be convinced to expand to include that if we find it generally useful; it looks like it covers a lot more OIDC functionality. (The URL method is admittedly a bit OIDC-specific at the moment.)
|
This PR needs additional information before we can continue. It is now marked as stale because it has been open for 30 days with no activity. Please provide the necessary details to continue or it will be closed in 30 days. |
evankanderson
force-pushed
the
idp-interface
branch
from
f41c3b1
to
b691248
Compare
|
This PR needs additional information before we can continue. It is now marked as stale because it has been open for 30 days with no activity. Please provide the necessary details to continue or it will be closed in 30 days. |
|
We did this in #3155 |
See discussion in #2326. The goal here is to enable the following:
minder project role grant -r viewer -u JAORMX(which should look up the "JAORMX"preferred_usernamein Keycloak (populated from GitHub), and then store the (stable) Keycloak ID in the OpenFGA grant. We don't want to storeJAORMX, because he might change his account name later.JAORMXas the username coming back from ListRoleAssignments, so that we can read the output. We can also include the Keycloak userids in the RPC response, but no one will read them. 😁actionsIdentityProvider for GitHub actions which would be distinct from KeyCloak + GitHub users in 2minder project role grant -r editor -u actions/repo:stacklok/minder-rules-and-profiles:ref:refs/heads/main. (Yeah, action names are pretty awesome...)To fit the interface into existing code, we'll need to replace:
ParseAndValidate(4 calls,handlers_token.goand 3xhandlers_user.go)authzClient(default_project.go,handlers_authz.go,handlers_user.go) which will need to use the canonicalIdentity.String()forWrite,Check, andProjectsForUser, andIdentity.Human()forAssignmentsToProject.