microsoft: add useOnPremSamAccountName to get preferred_username #1623
Conversation
Add new option `useOnPremSamAccountName` to the microsoft connector,
which will request `onPremisesSamAccountName` from microsoft graph
and populate that value as `preferred_username`:
After enabling `useOnPremSamAccountName`:
connectors:
- type: microsoft
id: microsoft
name: Microsoft
config:
clientID: $MICROSOFT_APPLICATION_ID
clientSecret: $MICROSOFT_CLIENT_SECRET
redirectURI: https://dex/dex/callback
tenant: 1f163eff-f722-47fb-9562-20d74025a9f2
useOnPremSamAccountName: true
"sub": "khulsdfkhjsd",
"preferred_username": "j.doe",
Fixes dexidp#1618
|
@sagikazarmark Is there anything we can help with to move forward here? |
|
@sagikazarmark @bonifaido hi, I noticed this comment
is this why this PR is blocked? I absolutely agree with this I think more per-connector features could be general and some could be per client (like required groups). For this feature, do you have something like this in mind? A more dynamic remapping for all kinds of data to claims? I think possibly
could be used, but I have not looked into this at all. On the downside, this would also increase the attack surface and make it easier to make mistakes... |
|
@chlunde that comment was rather meant for changes that duplicates logic between connectors. I guess this one will always will be Microsoft specific. TBH I'm not that familiar with it: does Microsoft ever return a |
|
@sagikazarmark I guess it depends on the user requirements - what field is the preferred_username? E-mail? "AD user"/on prem sam account name? Just a unique ID? Which is why I wonder if it would be better if connector implementations expose all fields/claims they have, without much configuration, and then you can have a generic implementation of mapping claims/fields (like email -> preferred_username, etc.), and filtering based on groups, not bound to each connector. |
|
Hi, CEL maintainer here, if you're looking for a very limited DOS surface area, you can subset CEL to disable support for nearly every operator in the spec. I'd be happy to help explain how this can be accomplished if this is something you're interested in learning more about. Cheers! |
|
@sagikazarmark should I just abandon this PR? I've moved to keycloak for now. |
|
@chlunde do u think this is causing argoproj/argo-workflows#8580 ? |
When Azure Active Directory is synchronized with an on-premises directory, the
boolean configuration parameter
useOnPremSamAccountNamecan be set to get theon-premises samAccountName as the
preferred_usernameclaim.Fixes #1618