This should make AllowedGroups equivalent to an LDAP group filter:
When set to true, only the groups from AllowedGroups will be included in the
user's identity.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
* Add atlassiancrowd connector to list in readme
* Add TestIdentityFromCrowdUser
* Set preferred_username claim when configured
* Add preferredUsernameField option to docs
* Log warning when mapping invalid crowd field
In 58093dbb2 the kubernetes documentation was updated to refer to CRDs
rather than TPRs when discussing how storage works for dex. However, the
rest of the line was not updated and still referred to the TPR section,
whose anchor link was changed in 395febf80 with the removal of TPR
support. This change updates the kubernetes documentation to point to
the currect section of the storage documentation for CRDs.
Add an ability to fetch user's membership from
groups of a different type by specifying multiple
group attribute to user attribute value matchers
in the Dex config:
userMatchers:
- userAttr: uid
groupAttr: memberUid
- userAttr: DN
groupAttr: member
In other words the user's groups can be fetched now from
ldap structure similar to the following:
dn: cn=john,ou=People,dc=example,dc=org
objectClass: person
objectClass: inetOrgPerson
sn: doe
cn: john
uid: johndoe
mail: johndoe@example.com
userpassword: bar
dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
objectClass: groupOfNames
cn: qa
member: cn=john,ou=People,dc=example,dc=org
dn: cn=logger,ou=UnixGroups,ou=Portland,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1000
cn: logger
memberUid: johndoe
Signed-off-by: Vitaliy Dmitriev <vi7alya@gmail.com>
There's been some discussion in #1065 regarding what to do about
refreshing groups. As it stands today dex doesn't update any of the
claims on refresh (groups would just be another one). The main concern
with enabling it is that group claims may change more frequently. While
we continue to wait on the upstream refresh flows, this adds an option
to enable the group claim. This is disabled by default (so no behavioral
change) but enables those that are willing to have the delay in group
claim change to use oidc IDPs.
Workaround to #1065
Third Party Resources (TPR) have been removed from Kubernetes for
roughly 2 years. This commit removes the support dex had for them.
Documentation has been updated to reflect this and to instruct users
on how to migrate from TPR-powered dex environment to a Custom Resource
Defintion (CRD) based one that dex > v2.17 will support
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.