Any plans to implement ABAC with OIDC?
As far as I can tell, Boundary would need to:
- allow mapping custom OIDC claims to internal user account attributes
- allow roles to filter based on those attributes and not only principal IDs
P.S.: Couldn’t find anything related to it on the GitHub project’s Issues page.
Hum… it would seem that you can basically achieve the same result by defining an OIDC managed group using the claims for an OIDC account and then defining a Role that includes that OIDC managed group. Am I missing something?
Exactly. Two problems with that approach:
- you would need several managed groups to cover all the different combinations of actual external groups (e.g. teams) with other possible attributes (e.g. user role, user title, application-specific user access level).
- the relationship between group and role would almost always be 1:1 which renders one of them sorta redundant.
Perhaps adding multiple “or” filters for OIDC managed groups would be a good thing anywho, which would make things better for quite a few use-cases.
I agree that 1:1 between groups and roles isn’t efficient, but I’m not sure it’s a huge deal.
In any event, I’m happy this doesn’t appear to be a blocker. With that said, I’ve added an issue: support multiple filters for OIDC managed groups #3118
Thanks for creating the issue. I do think specifically what you’re asking for is provided by https://developer.hashicorp.com/boundary/docs/concepts/filtering#connecting-expressions. Wouldn’t you agree?
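Worked example added to this thread (not code from Boundary or from any of the posters above): a small Python evaluator for a subset of the managed-group filter syntax the linked page describes, showing how one filter that uses connecting expressions (`and`, `or`, `not`, parentheses) covers several team/title combinations at once, which is the concern raised about needing one managed group per combination. The claim layout (`/token/...` for ID-token claims, `/userinfo/...` for userinfo claims), the two sample accounts and the filter string are constructed for illustration; the operator subset handled here is an assumption and is much smaller than what real Boundary filters (go-bexpr expressions) accept.

```python
"""Toy evaluator for a subset of Boundary-style OIDC managed-group filters.

Constructed example; not Boundary's own implementation. Assumptions:
  - quoted strings that begin with "/" are selectors into the claims
    ("/token/groups", "/userinfo/email"); other quoted strings are literals
  - supported operators: ==, !=, in, and, or, not, and parentheses
  - a selector that points at a missing claim resolves to None and never
    satisfies == or in, so a missing claim cannot accidentally grant access
"""
import re

# One token per match: quoted string | operator/paren | bare word | anything else (error)
_TOKEN_RE = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|(==|!=|\(|\))|([A-Za-z_]+)|(\S))')


def tokenize(expr):
    """Split a filter string into (kind, value) tokens; rejects stray characters."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if m is None:                      # only trailing whitespace left
            break
        string, op, word, bad = m.groups()
        if bad:
            raise ValueError(f"unexpected character {bad!r} at offset {m.start(4)}")
        if string is not None:
            tokens.append(("str", string))
        elif op:
            tokens.append(("op", op))
        else:
            tokens.append(("word", word.lower()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser: or_expr > and_expr > unary > comparison."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind or 'a token'}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("word", "or"):
            self.i += 1
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == ("word", "and"):
            self.i += 1
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == ("word", "not"):
            self.i += 1
            return ("not", self.unary())
        if self.peek() == ("op", "("):
            self.i += 1
            node = self.or_expr()
            self.take("op", ")")
            return node
        return self.comparison()

    def comparison(self):
        lhs = self.operand()
        tok = self.take()
        if tok in (("op", "=="), ("op", "!="), ("word", "in")):
            return (tok[1], lhs, self.operand())
        raise ValueError(f"expected ==, != or in, got {tok}")

    def operand(self):
        _, value = self.take("str")
        if value.startswith("/"):          # selector into the claims document
            return ("sel", [p for p in value.split("/") if p])
        return ("lit", value)


def _resolve(path, claims):
    node = claims
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None                    # missing claim resolves to absent
        node = node[part]
    return node


def _value(node, claims):
    return _resolve(node[1], claims) if node[0] == "sel" else node[1]


def _eval(node, claims):
    kind = node[0]
    if kind == "or":
        return _eval(node[1], claims) or _eval(node[2], claims)
    if kind == "and":
        return _eval(node[1], claims) and _eval(node[2], claims)
    if kind == "not":
        return not _eval(node[1], claims)
    left, right = _value(node[1], claims), _value(node[2], claims)
    if kind == "==":
        return left is not None and left == right
    if kind == "!=":
        return left != right
    if kind == "in":                       # list membership, or substring for strings
        if isinstance(right, (list, tuple)):
            return left in right
        return isinstance(right, str) and isinstance(left, str) and left in right
    return False


def matches(filter_expr, claims):
    """True if the account's OIDC claims satisfy the managed-group filter."""
    return bool(_eval(_Parser(tokenize(filter_expr)).parse(), claims))


# Constructed claims for two accounts: "token" = ID token claims, "userinfo" =
# userinfo endpoint claims. Values are made up for this example.
ALICE = {"token": {"sub": "alice", "groups": ["platform", "oncall"], "title": "lead"},
         "userinfo": {"email": "alice@example.com"}}
BOB = {"token": {"sub": "bob", "groups": ["platform"], "title": "engineer"},
       "userinfo": {"email": "bob@example.com"}}

# A single managed-group filter that combines group membership with another
# claim, instead of one managed group per (team, title) combination.
PROD_OPERATORS = ('("platform" in "/token/groups" and "/token/title" == "lead")'
                  ' or "security" in "/token/groups"')

if __name__ == "__main__":
    for name, claims in (("alice", ALICE), ("bob", BOB)):
        print(name, "->", matches(PROD_OPERATORS, claims))
```

The practical takeaway is the last block: one managed group whose filter is `(team and title) or other-team` collapses the combinations into a single membership rule, and the role then grants to that one group. When writing real filters, test them against accounts that lack the claim entirely, since a filter should fail closed rather than match on an absent value.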