LDAP: add claims based on groups

[philips]

It would be nice to put a groups claim into the users identity. The most obvious place to start would be letting someone who is using an LDAP server with an RFC2307(bis) schema to be able to take their posixGroups list and put it into a claim as a JSON list.

cc @fnordahl

[sym3tri]

Would it make sense to allow configurable filters to whitelist/blacklist which groups are embedded?

Something that came up recently in an LDAP discussion was that a lot of the LDAP groups are just noise in some contexts, and aren't always desirable to make available to other systems.

[fnordahl]

@philips RFC2307 and RFC2307(bis) is indeed the way to go. I have experience with the old school way of RFC2307 but also have access to RFC2307(bis) based directories.

@sym3tri filtering should be easy to add.

Now, what infrastructure do I have available in dex to add claims to the JWT at the Identity-step? The returned oidc.Identity type contains very little information.

[akshaybahetii]

There are a couple of problems when adding LDAP groups as a claim in the token.

1. The number of groups a user belongs to for some organizations is huge. In this case the token size increases making it had to transport and store(Ex as a Cookie in the browser). @sym3tri Filtering can be a solution here. But again it restricts how groups can be used by authz/policy.(And also how will the token be updated when the filter is changed?)
2. When group memberships change for a user in LDAP. How will they propagate to a token.
   a. Will they be updated when a refresh token is used ?
   b. Will the user have to login again and get a new token ?

[ericchiang]

1. The number of groups a user belongs to for some organizations is huge. In this case the token size increases making it had to transport and store(Ex as a Cookie in the browser). @sym3tri Filtering can be a solution here. But again it restricts how groups can be used by authz/policy.(And also how will the token be updated when the filter is changed?)

This has been brought up a few times internally. While a really big token is ugly, users should be working with these programmatically.

For transports that are sensitive to things this size, if the JWT holds information you don't need don't use it in those contexts. e.g. for a cookie, verify the JWT from dex, pull out the relevant groups and sign a smaller JWT yourself (or do caching, or store it, etc.).

If we don't expect global filters to be enough, perhaps we could add scopes to allow the client to filter groups as well?

1. When group memberships change for a user in LDAP. How will they propagate to a token.
   a. Will they be updated when a refresh token is used ?
   b. Will the user have to login again and get a new token ?

Good point, the groups should update when a refresh token is redeemed. This would probably only work with an LDAP connector that's using a service account.