New Feature
Resolution: Fixed
3.0.0
Goal
SSO 3.0.0 lacks a feature/interface to define a class that resolves groups.
Example: for Azure, we receive group IDs instead of group names. We need to resolve these group IDs to names, but that is currently not possible. We would need group resolution there to look up a group name by its Azure group ID.
Thoughts for discovery
- One possible option is a custom authorization generator leveraging an SPI (Service Provider Interface); this needs further discovery.
- Another option might be providing out-of-the-box generators that are configurable, so that less custom code is needed to resolve groups.
- Azure offers three ways of mapping group IDs to group names; it might be possible to check whether there are common patterns that could be implemented.
Notes
- Meeting discussed in: https://www.notion.so/magnoliacms/SSO-3-0-0-incubator-module-grooming-e4ddd3534c3042a98b1597cb919a7bc0
- Might be related to https://jira.magnolia-cms.com/browse/MGNLSSO-61, as Azure group / ids resolution is discussed there
Discovery output
- As discussed with mgeljic, we agreed to go with the custom authorization generator leveraging an SPI (Service Provider Interface). This approach opens the possibility for customization.
- With that, we have to introduce a Service Provider Interface that allows customers to implement their own authorization generator in a custom module (jar file).
- Specify a new predefined key, for example "customAuthorization", in the "oidc.authorizationGenerators" config property; the module then looks up the custom authorization generator through the SPI. In the YAML configuration this looks something like:
clients:
  oidc.id: ...
  oidc.secret: ...
  oidc.scope: ...
  oidc.discoveryUri: http://localhost:8180/realms/mgnl/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: customAuthorization
Notes: Regarding the second option ("providing out-of-the-box generators which might be configurable"): this may not cover all cases in the customers' requirements, especially since Azure AD provides different ways to configure groups/authorization. So we cannot know which configuration pattern is the most common one to build OOTB generators for the IDPs (Azure, Okta, Keycloak).
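As an added illustration of the lookup described above (not Magnolia's own code; the interface name AuthorizationGenerator, its methods and the sample group IDs are assumptions), a sketch of how a custom module could provide a generator that is selected by the configured key and resolves Azure group IDs to group names, dropping unknown IDs and failing closed when no provider matches:

```java
import java.util.*;

// Hypothetical SPI sketch, not Magnolia's actual API. In a real module the
// implementation would be registered under META-INF/services and discovered
// with ServiceLoader; here a constructed list stands in so the example runs.
public class CustomAuthorizationSpiExample {

    /** The SPI a customer jar would implement (assumed shape). */
    public interface AuthorizationGenerator {
        String key();                                     // value used in oidc.authorizationGenerators
        Set<String> generate(Map<String, Object> idTokenClaims);
    }

    /** Maps Azure group object IDs from the "groups" claim to Magnolia group names. */
    public static class AzureGroupResolver implements AuthorizationGenerator {
        private final Map<String, String> idToName;      // constructed sample mapping

        public AzureGroupResolver(Map<String, String> idToName) { this.idToName = idToName; }

        @Override public String key() { return "customAuthorization"; }

        @Override public Set<String> generate(Map<String, Object> claims) {
            Set<String> names = new LinkedHashSet<>();
            Object raw = claims.get("groups");
            if (!(raw instanceof Collection)) return names;   // no claim: no groups granted
            for (Object id : (Collection<?>) raw) {
                String name = idToName.get(String.valueOf(id));
                if (name != null) names.add(name);           // unknown IDs are never passed through
            }
            return names;
        }
    }

    /** Picks the generator whose key matches the configured value; fails closed otherwise. */
    public static AuthorizationGenerator lookup(String configuredKey,
                                                Iterable<AuthorizationGenerator> providers) {
        for (AuthorizationGenerator g : providers) {
            if (configuredKey.equals(g.key())) return g;
        }
        throw new IllegalStateException("no authorization generator for key: " + configuredKey);
    }

    public static void main(String[] args) {
        // Production code would use ServiceLoader.load(AuthorizationGenerator.class) here.
        Iterable<AuthorizationGenerator> providers = List.of(new AzureGroupResolver(
                Map.of("11111111-aaaa-4bbb-8ccc-000000000001", "editors")));   // constructed ID
        AuthorizationGenerator g = lookup("customAuthorization", providers);
        Map<String, Object> claims = Map.of("groups", List.of(
                "11111111-aaaa-4bbb-8ccc-000000000001", "22222222-bbbb-4ccc-8ddd-000000000002"));
        System.out.println(g.generate(claims));   // only the mapped group name is returned
    }
}
```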
Relates to: MGNLSSO-61 Leverage Azure-specific APIs for a better experience? (Open)