
Tenant-scoped sessions #92

Merged
merged 41 commits into from
Dec 1, 2022

Conversation

@byewokko (Collaborator) commented Oct 5, 2022

Tenants in scope

OIDC authorize scope parameter now takes a list of requested tenants that should be accessible from the client session, e.g.

scope=openid tenant:my-tenant tenant:another-tenant

Encoded

GET /openidconnect/authorize?...&scope=openid%20tenant%3Amy-tenant%20tenant%3Aanother-tenant

Specifying tenant:* in scope requests authorization for all the user's tenants.

Specifying tenant in scope requests authorization for the user's last accessed tenant.

Not including any tenants in the scope results in a session that has access only to global resources.

Userinfo scope

In order to reduce the size of user info and ID token, only the essential details are included in userinfo response by default. Additional details must be requested in scope:

  • userinfo:username includes username
  • userinfo:email includes email address
  • userinfo:phone includes phone number
  • userinfo:data includes custom credential data
  • userinfo:authn includes info about login factors and descriptors
  • userinfo:* includes all of the fields above

Changes

  • BREAKING Tenant-aware sessions require specifying tenant in authorization scope.
  • Successful and failed authorize attempts are recorded in the audit.
  • System resource authz:tenant:access allows the user to enter any tenant with their global resources (solves Resource for access to all tenants #83).
  • Userinfo field preferred_username renamed to username. The original field is preserved for backward compatibility.
  • Userinfo field phone_number renamed to phone. The original field is preserved for backward compatibility.
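
As an added example (not seacatauth's own code), the scope grammar described above can be parsed and enforced as follows. The parser handles `tenant:<id>`, `tenant:*`, the bare `tenant` token and the `userinfo:*` / `userinfo:<field>` tokens; the tenant-resolution helper takes a caller-supplied list of the user's tenant memberships and their last accessed tenant (both hypothetical inputs) and refuses any requested tenant the user does not belong to, so the authorize endpoint can reject and audit the attempt rather than widen the session:

```python
"""Parse an OIDC `scope` value into requested tenants and userinfo fields.

Added example, not seacatauth's own code. Grammar follows the PR description:
space-separated tokens, "tenant:<id>", "tenant:*" (all of the user's tenants),
bare "tenant" (last accessed tenant) and "userinfo:<field>" / "userinfo:*".
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Fields that can be requested individually via userinfo:<field>
USERINFO_FIELDS = ("username", "email", "phone", "data", "authn")


@dataclass
class ScopeRequest:
    openid: bool = False
    tenants: list = field(default_factory=list)   # explicit tenant:<id> tokens, in order
    all_tenants: bool = False                      # tenant:*
    last_tenant: bool = False                      # bare "tenant"
    userinfo: set = field(default_factory=set)     # requested userinfo fields
    unknown: list = field(default_factory=list)    # tokens we did not recognise


def parse_scope(scope: str) -> ScopeRequest:
    """Split a (decoded) scope string into its components."""
    req = ScopeRequest()
    for token in scope.split():
        if token == "openid":
            req.openid = True
        elif token == "tenant":
            req.last_tenant = True
        elif token == "tenant:*":
            req.all_tenants = True
        elif token.startswith("tenant:"):
            req.tenants.append(token[len("tenant:"):])
        elif token == "userinfo:*":
            req.userinfo.update(USERINFO_FIELDS)
        elif token.startswith("userinfo:"):
            name = token[len("userinfo:"):]
            if name in USERINFO_FIELDS:
                req.userinfo.add(name)
            else:
                req.unknown.append(token)
        else:
            req.unknown.append(token)
    return req


def parse_authorize_url(url: str) -> ScopeRequest:
    """Extract the percent-encoded scope from an authorize request URL and parse it."""
    query = parse_qs(urlsplit(url).query)
    return parse_scope(" ".join(query.get("scope", [])))


def resolve_session_tenants(req: ScopeRequest, user_tenants, last_accessed=None):
    """Return (granted, denied) tenant lists for the new session.

    `user_tenants` and `last_accessed` are hypothetical inputs the caller
    obtains from its own credential store. Only tenants the user is a member
    of are granted; anything else goes to `denied` so the caller can refuse
    the request and record it in the audit trail.
    """
    allowed = set(user_tenants)
    requested = []
    if req.all_tenants:
        requested.extend(sorted(allowed))
    if req.last_tenant and last_accessed is not None:
        requested.append(last_accessed)
    requested.extend(req.tenants)

    granted, denied, seen = [], [], set()
    for tenant in requested:
        if tenant in seen:
            continue
        seen.add(tenant)
        (granted if tenant in allowed else denied).append(tenant)
    return granted, denied


if __name__ == "__main__":
    # Constructed sample request mirroring the PR description's encoded example.
    url = ("https://auth.example.test/openidconnect/authorize?response_type=code"
           "&scope=openid%20tenant%3Amy-tenant%20tenant%3Aanother-tenant%20userinfo%3Aemail")
    req = parse_authorize_url(url)
    granted, denied = resolve_session_tenants(req, ["my-tenant"], last_accessed="my-tenant")
    print("requested tenants:", req.tenants, "userinfo:", sorted(req.userinfo))
    print("granted:", granted, "denied (refuse + audit):", denied)
```

A session built from `granted` only ever widens to tenants the user already holds; `tenant:*` expands to the user's own memberships rather than every tenant in the system, and an empty `granted` list corresponds to the global-resources-only session described above.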

@byewokko byewokko self-assigned this Oct 5, 2022
@byewokko byewokko marked this pull request as draft October 5, 2022 16:02
@byewokko byewokko changed the title Single-tenant-scoped sessions Tenant-scoped sessions Oct 6, 2022
@byewokko (Collaborator, Author) commented Oct 6, 2022

Further questions:

  • Root session now does not include any tenant. OK?

@byewokko byewokko marked this pull request as ready for review November 28, 2022 13:51
@byewokko byewokko requested a review from ateska November 29, 2022 09:03
@byewokko byewokko merged commit f533a7a into main Dec 1, 2022
@byewokko byewokko deleted the feature/tenant-sessions branch December 1, 2022 08:53