On Mon, 26 Sept 2022 at 22:11, larry mccay <[email protected]> wrote:
> Therefore, we only assert the authenticated user name in the JWT as well.
> The service consuming the JWT is obligated to determine the groups that are
> relevant for that user principal within the operating environment.
> Note that these may be completely different groups than those available from
> the original IDP.
My perspective is that of an enterprise application in Azure AD which, together with an app registration, provides various application-specific authentication services such as OIDC. In this setup, you can map a principal (either directly or via group memberships) to app roles, and these roles are available in the authentication payload. This is preferable to looking up groups for three reasons:

1. The application does not need permission to read the user catalog
2. We're not exposing irrelevant group memberships to the application
3. In the mapping of relevant groups to app roles, we have the option of implementing a custom naming scheme

Now, it's also possible to have group memberships appear in this payload (there are some rather strict limitations to the number of groups here), but typically a user is a member of groups which are not relevant or meaningful in the context of a particular application, which is why app roles are usually preferred. Another reason is that in Azure AD, for example, group memberships appear in the form of opaque ids (UUIDs) which need a translation step into group names via a separate external call to Azure AD.

Now, for KnoxSSO I understand that there's a bit of a dilemma here, because what exactly is the application in this situation – there can be multiple applications. We are contemplating putting KnoxSSO in front of a single application and wanted to make use of app roles in order to be able to authorize a particular identity based on which roles the user has. That is, we would benefit from having not just the identity but also these app roles appear in the JWT.

In fact, it might be left up to the user of KnoxSSO if one was able to simply provide a set of fields to extract from the authentication payload and make available in the JWT.

Cheers
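The claim-selection idea in the message above, as an added example that is not part of the thread and is not Apache Knox or Azure AD code: the function takes the decoded claims of an IdP authentication payload plus a configured list of claims to pass through, asserts the authenticated user name, copies app roles verbatim, and treats group memberships as opaque ids that need a separate translation step. The function and variable names, the sample token claims and the group lookup table are all assumptions made for illustration; the sample values are constructed.

```python
"""Map a configurable set of IdP payload claims into an SSO token claim set.

Added example, not Knox's or Azure AD's code. Azure AD behaviour assumed here:
the "roles" claim is omitted entirely when the user has no app role assignment,
group memberships are emitted as object ids (UUIDs), and when the user exceeds
the group limit the "groups" claim is replaced by a "_claim_names" indicator.
"""
import uuid

# Constructed sample of the decoded claims in an Azure AD ID token for a user
# who holds two app roles and belongs to two directory groups. All ids invented.
SAMPLE_IDP_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "sub": "AAAAAAAAAAAAAAAAAAAAAFakeSubjectForIllustration",
    "preferred_username": "alice@example.com",
    "roles": ["Data.Reader", "Jobs.Submit"],
    "groups": [
        "8f3a1c2e-6b4d-4e7a-9c10-2d3e4f5a6b7c",
        "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    ],
}

# Constructed lookup table standing in for the separate external call to
# Azure AD that resolves group object ids to names.
SAMPLE_GROUP_NAMES = {
    "8f3a1c2e-6b4d-4e7a-9c10-2d3e4f5a6b7c": "knox-data-readers",
    "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d": "finance-all-staff",
}

# Claims that are lists of entitlements; absence means "none", not "unknown".
LIST_CLAIMS = {"roles", "groups"}


class ClaimMappingError(ValueError):
    """The payload cannot be mapped without extra information or a lookup."""


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def _resolve_group(group_id, resolver):
    # A value that is not an object id is kept as-is.
    if not _is_uuid(group_id):
        return group_id
    if resolver is None:
        raise ClaimMappingError(
            f"group {group_id} is an opaque id and no resolver was configured")
    return resolver(group_id)


def build_sso_claims(idp_claims, subject_claim="preferred_username",
                     passthrough=("roles",), group_resolver=None):
    """Return the claim set to place in the SSO token.

    subject_claim:  IdP claim that becomes the asserted user name ("sub").
    passthrough:    IdP claims copied into the token; app roles by default.
    group_resolver: callable mapping a group object id to a group name;
                    required only when "groups" is passed through.
    """
    if subject_claim not in idp_claims:
        raise ClaimMappingError(f"payload lacks subject claim {subject_claim!r}")
    sso = {"sub": idp_claims[subject_claim]}

    for name in passthrough:
        value = idp_claims.get(name)
        if value is None:
            if name == "groups" and "groups" in idp_claims.get("_claim_names", {}):
                # Overage: the groups exist but were not embedded; failing is
                # safer than silently asserting an empty membership list.
                raise ClaimMappingError("group overage: groups must be fetched out of band")
            if name in LIST_CLAIMS:
                sso[name] = []  # no assignment: downstream authorization denies
            continue
        if name == "groups":
            value = [_resolve_group(g, group_resolver) for g in value]
        sso[name] = list(value) if isinstance(value, (list, tuple)) else value
    return sso


def has_role(sso_claims, role):
    """Authorization check against the app roles carried in the SSO token."""
    return role in sso_claims.get("roles", [])


if __name__ == "__main__":
    claims = build_sso_claims(SAMPLE_IDP_CLAIMS)
    print(claims, has_role(claims, "Jobs.Submit"))
```

With the default configuration only the user name and the `roles` claim reach the token, so the consuming service never sees the user's unrelated directory groups; passing `groups` through without a resolver is rejected rather than leaking UUIDs the application cannot interpret.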
