Synchronizing tuple data from ldap

[marlenekoh]

My ldap active directory contains a few types of groups

• organizational/hierarchical groups (e.g. HR, IT)
• permissions groups (e.g. VirtualTeam1, VirtualTeam2)

We have an oidc identity provider (Keycloak). We are using claims (e.g. groups, preferred_username) from the JWT token to issue the permission check requests to openfga.

Organizational/hierarchical groups will be synced into Keycloak, and can be referenced as contextual tuples.

However, permissions groups are not synced due to potential 413 Header Too Large errors from excessive memberships in the JWT token. As a result, we can't use contextual tuples for stores that need this membership information.

A solution to sync or reference these groups in openfga directly would address this gap.