As an administrator, I want to apply additional filters to user accounts from an external IdP so that I can limit permitted users. IdPs like sso.redhat.com, GitHub, and others have accounts from multiple organizations. IPA admins typically want to limit external accounts to members of a well-defined group, e.g. members of an organization. An additional filter for users would prevent mistakes like typos in the External IdP user identifier and attacks like user deletion followed by user account reuse.
RFC 8628 does not specify a way to limit accounts. AFAIK neither GitHub nor Keycloak has an option to limit accounts per OAuth app (client id). The oidc_client helper could query the User Info URL and match the return value against some rules.
Start the device authorization flow (`--data-urlencode` encodes the value itself, so the scope list is written with plain spaces rather than `%20`, which would otherwise be double-encoded):

```shell
curl -L -X POST \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data-urlencode 'scope=id.email id.name id.organization id.username' \
  --data 'client_id=CLIENT_ID' \
  https://sso.stage.redhat.com/auth/realms/redhat-external/protocol/openid-connect/auth/device
```
Authenticate in a browser with the URL from `verification_uri_complete` in the response, then exchange the returned `device_code` at the token endpoint:
```shell
curl -X POST \
  -H 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:device_code \
  --data 'device_code=DEVICE_CODE' \
  --data 'client_id=CLIENT_ID' \
  https://sso.stage.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
```
Query the userinfo endpoint with the access token:

```shell
curl -H 'Authorization: Bearer ACCESS_TOKEN' \
  https://sso.stage.redhat.com/auth/realms/redhat-external/protocol/openid-connect/userinfo
```

```json
{
  "sub": "1234",
  "email_verified": true,
  "organization": {
    "account_number": "3456",
    "id": "16789"
  },
  "name": "First Last",
  "preferred_username": "cheimes-stage",
  "given_name": "First",
  "family_name": "Last",
  "email": "cheimes@redhat.com"
}
```
In this example I would like to limit access to accounts with `["organization"]["id"] == "16789"`.