
Use object ID for the logical name #34

Merged (1 commit, Feb 17, 2022)

Conversation

@cccs-ob (Contributor) commented Jun 30, 2020

Overview

The change affects the user name created by the Azure AD authentication plugin.
The proposal is to use the OAuth “oid” claim instead of the “sub” claim to specify Vault’s user name.

Why

The plugin uses the “sub” claim in the OAuth token to formulate the Vault user name. The “sub” cannot be traced back to an Azure user using public methods.
The Vault user name can later be used to create accounts. For instance, the MSSQL plugin uses the name as part of the generated database login. Using “sub” means that there is no way to trace a database user back to the Azure AD user, which can be required for audit.

Design of Change

Use the “oid” claim from the Azure OAuth token. The “oid” is the unique account identifier, which is accessible from the Azure AD portal.

Effects on Existing Users

The change is backward compatible. For a consumer who is not interested in tracing back user names, this looks like one random string used instead of another random string, requiring no change.
A consumer requiring audit capabilities will be able to use the OID to trace a Vault user back to the Azure user.

References

Not possible to identify the user from "sub":
https://stackoverflow.com/questions/32510679/getting-users-token-subject-identifier-sub-from-within-azure-ad
https://stackoverflow.com/questions/59642980/how-to-get-user-oid-from-sub-and-application-in-azure-ad
Microsoft's descriptions of token claims from https://jwt.ms/:
"sub"
"The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. The subject is a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be desired depending on your architecture and privacy requirements."
"oid"
"The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the oid claim. The Microsoft Graph will return this ID as the id property for a given user account. Because the oid allows multiple apps to correlate users, the profile scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials."
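The following is an added example, not code from the PR or from the vault-plugin-auth-azure project, illustrating the claim-selection change the description proposes. It parses two constructed (made-up) Azure AD claim payloads for one user signing into two applications and shows that naming by “sub” yields two unrelated Vault names while naming by “oid” yields one correlatable name. The function and constant names are this example's own; it assumes the token has already been signature- and issuer-verified by the plugin, and it assumes (as a design choice here, not something the PR states) that a token lacking “oid” is rejected rather than silently falling back to “sub”.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed claim payloads (not real tokens) for one Azure AD user who
// signs into two applications with different client IDs ("aud"). Per the
// Microsoft claim descriptions quoted in the PR, "sub" is pairwise per
// application, while "oid" is the same object ID in both.
const claimsAppA = `{
  "aud": "11111111-1111-4111-8111-111111111111",
  "tid": "33333333-3333-4333-8333-333333333333",
  "sub": "K3dYqZ1mF9p5uPqL2sV0XjH8cWbE7nRtA4yG6iU1oQs",
  "oid": "9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"
}`

const claimsAppB = `{
  "aud": "22222222-2222-4222-8222-222222222222",
  "tid": "33333333-3333-4333-8333-333333333333",
  "sub": "b7Qp2LxN0mYtR5vW8eK1sJ3hC6dF9gA4uZiOaP7TqEw",
  "oid": "9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"
}`

// claimsNoOid is a constructed payload without "oid", the case Microsoft's
// note describes when the profile scope was not granted.
const claimsNoOid = `{"aud": "11111111-1111-4111-8111-111111111111",
  "sub": "K3dYqZ1mF9p5uPqL2sV0XjH8cWbE7nRtA4yG6iU1oQs"}`

// parseClaims decodes a token payload that has ALREADY been signature- and
// issuer-verified; this example covers claim selection only, not validation.
func parseClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return claims, nil
}

// stringClaim returns the named claim, rejecting missing, non-string or
// empty values so a malformed token can never produce an empty name.
func stringClaim(claims map[string]interface{}, name string) (string, error) {
	v, ok := claims[name]
	if !ok {
		return "", fmt.Errorf("claim %q missing", name)
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("claim %q is not a non-empty string", name)
	}
	return s, nil
}

// logicalNameSub is the behaviour the PR description says existed before:
// the pairwise "sub" becomes the Vault name.
func logicalNameSub(claims map[string]interface{}) (string, error) {
	return stringClaim(claims, "sub")
}

// logicalNameOid is the proposed behaviour: the object ID becomes the name.
// Assumption of this example: no fallback to "sub" when "oid" is absent,
// since a silent fallback would reintroduce an untraceable name.
func logicalNameOid(claims map[string]interface{}) (string, error) {
	return stringClaim(claims, "oid")
}

// correlates reports whether two verified claim payloads map to the same
// Vault name under the given naming function.
func correlates(nameOf func(map[string]interface{}) (string, error), a, b string) (bool, error) {
	ca, err := parseClaims(a)
	if err != nil {
		return false, err
	}
	cb, err := parseClaims(b)
	if err != nil {
		return false, err
	}
	na, err := nameOf(ca)
	if err != nil {
		return false, err
	}
	nb, err := nameOf(cb)
	if err != nil {
		return false, err
	}
	return na == nb, nil
}

func main() {
	bySub, _ := correlates(logicalNameSub, claimsAppA, claimsAppB)
	byOid, _ := correlates(logicalNameOid, claimsAppA, claimsAppB)
	fmt.Printf("same user across two apps: by sub=%v, by oid=%v\n", bySub, byOid)
	if _, err := correlates(logicalNameOid, claimsAppA, claimsNoOid); err != nil {
		fmt.Println("token without oid rejected:", err)
	}
}
```

Running it prints that the two logins do not correlate by "sub" but do by "oid", and that the payload without "oid" is rejected. The rejection is the practitioner's check to keep: an auditor who relies on the OID to map database logins back to Azure AD accounts is better served by a failed login than by a name that quietly reverts to the untraceable "sub".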

@hashicorp-cla commented Jun 30, 2020

CLA assistant check
All committers have signed the CLA.

@jasonodonnell (Contributor) left a comment


Thanks for the contribution, LGTM!

@jasonodonnell jasonodonnell merged commit 7f3d999 into hashicorp:master Feb 17, 2022
jasonodonnell pushed a commit that referenced this pull request Feb 17, 2022
jasonodonnell added a commit that referenced this pull request Feb 17, 2022
* Allow for system & user-assigned identity auth & misc (#50)

- Update to go1.17.6
- Rev dependencies
- Use 2021-11-01 compute client sdk
- Remove unused params & address other codestyle issues

Fix #35

* Use object ID for the logical name (#34)

Co-authored-by: Jonas-Taha El Sesiy <[email protected]>
Co-authored-by: cccs-ob <[email protected]>