Attribute-based access control for OIDC

macmiranda · March 27, 2023, 10:54am

Any plans to implement ABAC with OIDC?

As far as I can tell, Boundary would need to:

allow mapping custom OIDC claims to internal user account attributes
allow roles to filter based on those attributes and not only principal IDs

P.S.: Couldn’t find anything related to it on the Github project’s Issues page.

jimlambrt · March 27, 2023, 1:11pm

Hum… it would seem that you can basically achieve the same result by defining a OIDC managed group using the claims for an OIDC account and then defining a Role that includes that OIDC managed group. Am I missing something?

macmiranda · March 27, 2023, 2:09pm

Exactly. Two problems with that approach:

you would need several managed groups to cover all the different combinations of actual external groups (e.g. teams) with other possible attributes (e.g. user role, user title, application-specific user access level).
the relationship between group and role would almost always be 1:1 which renders one of them sorta redundant.

jimlambrt · March 27, 2023, 5:14pm

perhaps adding multiple “or” filters for OIDC managed groups would be a good thing anywho, which would make things better for quite a few use-cases.

I agree that 1:1 between groups and roles isn’t efficient, but I’m not sure it’s a huge deal.

In any event, I’m happy this doesn’t appear to be a blocker. With that said, I’ve added an issue: support multiple filters for OIDC managed groups #3118

macmiranda · March 27, 2023, 6:47pm

Hi @jimlambrt,

Thanks for creating the issue. I do think specifically what you’re asking for is provided by https://developer.hashicorp.com/boundary/docs/concepts/filtering#connecting-expressions. Wouldn’t you agree?