tweek icon indicating copy to clipboard operation
tweek copied to clipboard
verified publisher icon Soluto

Obtaining Azure Groups when there are too many to put in JWT

Open lucas-rudd opened this issue 6 years ago • 1 comments

Azure can only return a certain amount of groups in the JWT.

When there are too many groups to return, Azure returns the hasGroups=true attribute. I don't know what the exact threshold is, but this is by design to avoid going over the URL length limit in the browser. According to the comment I've linked, the group limit is 4, which seems awfully low. If that's true, this issue will occur is very many companies if they want to use Azure to manage security groups when interfacing with Tweek.

It would be nice if Tweek supported this in order to obtain group information to so that users can use Azure security groups to manage application level access.

Azure has a Graph API that you can use to inquire about full group membership, or about membership to a particular group.

I'm imagining something like the following would occur if hasGroups: true is returned from Azure instead of group information.

if (hasGroups)
  Call the Graph to inquire:
else
  Access groups directly from the token

The graph API has the following formats

Get all groups a user belongs to: GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

Inquire whether the user belongs to a specific group: POST https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version

I imagine this behavior could be optional, to only occur if a value for the graph API is set in the gateway-configmap.yaml, and if hasGroups is true, and no groups array is returned.

Is this something Tweek can/should support? Or, is this something that should be done on the user's end in the OPA defined JWT extraction policy?

lucas-rudd avatar Jan 30 '20 16:01 lucas-rudd

I think OPA is quite limited in that regard. In general, I think this can be solved by implementing a server-flow authentication instead of the implicit flow which will make it works with more auth providers. Adding support of server flow to Tweek can be useful. (probably should be implemented in gateway layer) For completeness, we also need #1066 to be able to consume all groups.

Yshayy avatar Feb 24 '20 23:02 Yshayy