Proposal
We have an internal OIDC provider that is able to send all groups of a user as a parameter in UserInfo. Vouch-Proxy should be able to check if the user is a member of a specific group and allow or deny access based on membership.
New fields added to configuration
`TeamWhiteListClaim` in `oauthConfig`. This is the parameter of UserInfo that contains an array of strings.
New behavior
If `TeamWhiteList` and `TeamWhiteListClaim` are set and the configured provider is `oidc`, vouch-proxy adds all intersecting teams to the user's `TeamMemberships` attribute. It then uses the existing `TeamMemberships` logic to allow or deny access.
Use Case
I want to allow access to my service based on group membership instead of configuring individual users in my vouch-proxy config file.
I can't modify the application and still prefer to use Nginx as a webserver. I could implement it using NJS, but I don't want to add more complexity to the Nginx configuration.
Additional context
I implemented this feature based on the GitHub `TeamWhiteList` feature here: https://github.com/vouch/vouch-proxy/compare/master...maederm:vouch-proxy:oidc-teamwhitelist-support?expand=1
I'd open a pull request if this proposal gets accepted and I can also add tests if needed.
Limitations
- The scope that contains the claim referred to in `TeamWhiteListClaim` needs to be added to the `scopes` key. This will likely increase the size of the JWT and headers.
- This proposal only enhances the oidc provider. It doesn't implement a generic RBAC feature.
- I used the `Team` terminology to share the names with the GitHub feature and to not have to re-implement the team matching logic.
- The OIDC provider must deliver the claim in the expected format (array of strings).