I’m using Boundary v0.2.0 and would like to add an OIDC auth method and leave it as non-default, so users won’t be created automatically during the first ‘authenticate’. Instead, I’d like to control how I ‘import’ users, add them to groups, etc. (using the API).
I know I can add users/accounts and ‘link’ them together. I have a problem with the subject for the account.
If I use Auth0, I can do it because the sub in the token is set to the userId from Auth0.
But for Azure AD (my preferred OIDC provider) it’s not possible to get the sub for the user, because it’s unique for each Azure AD application (the same user will have a different sub for a different application), and it’s not possible to get it using the MS Graph API.
Is there any ‘workaround’ now (or potentially in the future) to add users/accounts related to Azure AD via the API without having the sub?
Or is the only way to do it (today and in the future) to set the Azure AD OIDC auth method as the primary auth method, wait until the user ‘authenticates’ for the first time, and then properly ‘manipulate’ the user/account/group (which won’t be the best UX)?
Good afternoon! Thank you for posting this question. You’re correct, the current workflow is less than ideal, and it’s something we want to address. For now, the only solution is the one you referenced: make the auth method the primary auth method.
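As an added illustration of the workaround confirmed above (this is example code, not from the thread or from Boundary itself): once the primary OIDC auth method has auto-created a user on first login, the account’s Azure AD sub is still opaque, but the account’s e-mail is known, so a reconciliation script can join accounts to users by e-mail and plan the group memberships. It assumes the JSON shapes of the Boundary list responses (`items` with `id`; `attributes.email` on OIDC accounts; `account_ids` on users) and the `POST /v1/groups/{id}:add-members` body; the sample data is constructed.

```python
"""Plan Boundary group memberships for users auto-created by a primary OIDC auth method.

Assumed API shapes (not verified against any specific Boundary release):
GET /v1/accounts?auth_method_id=... -> {"items": [{"id", "attributes": {"subject", "email"}}]}
GET /v1/users?scope_id=...          -> {"items": [{"id", "account_ids": [...]}]}
POST /v1/groups/{id}:add-members    <- {"version": n, "member_ids": [...]}
"""
import json

# Constructed sample: two Azure AD users have authenticated once, so Boundary
# created their accounts (with per-application, unpredictable subjects) and users.
ACCOUNTS_JSON = json.dumps({"items": [
    {"id": "acctoidc_A1", "auth_method_id": "amoidc_X",
     "attributes": {"subject": "pairwise-sub-1", "email": "alice@example.com"}},
    {"id": "acctoidc_B2", "auth_method_id": "amoidc_X",
     "attributes": {"subject": "pairwise-sub-2", "email": "Bob@example.com"}},
]})
USERS_JSON = json.dumps({"items": [
    {"id": "u_aaa", "account_ids": ["acctoidc_A1"]},
    {"id": "u_bbb", "account_ids": ["acctoidc_B2"]},
    {"id": "u_ccc", "account_ids": []},  # a user with no linked account is ignored
]})

# Desired membership, keyed by the one attribute we know ahead of time: e-mail.
DESIRED = {"g_admins": ["alice@example.com"],
           "g_devs": ["alice@example.com", "bob@example.com", "carol@example.com"]}


def user_ids_by_email(accounts_json, users_json):
    """Map lower-cased e-mail -> Boundary user id by joining accounts to their owning users."""
    acct_email = {a["id"]: a["attributes"].get("email", "").lower()
                  for a in json.loads(accounts_json)["items"]}
    out = {}
    for u in json.loads(users_json)["items"]:
        for acct_id in u.get("account_ids", []):
            if acct_email.get(acct_id):
                out[acct_email[acct_id]] = u["id"]
    return out


def plan_group_updates(desired, email_to_user, group_versions):
    """Return (requests, pending): one add-members request body per group, plus the
    e-mails that have not authenticated yet and therefore have no account or user."""
    requests, pending = {}, {}
    for group_id, emails in desired.items():
        members = [email_to_user[e.lower()] for e in emails if e.lower() in email_to_user]
        missing = [e for e in emails if e.lower() not in email_to_user]
        if members:  # version is the group's current version, read before the update
            requests[group_id] = {"path": f"/v1/groups/{group_id}:add-members",
                                  "body": {"version": group_versions[group_id], "member_ids": members}}
        if missing:
            pending[group_id] = missing
    return requests, pending
```

Re-running the plan after each login batch keeps the manual ‘manipulate’ step idempotent: users still listed under `pending` are simply those who have not hit the primary auth method yet.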
That’s great that it will be improved in the future.
Just curious, do you already know how it can be changed? I mean, will the ‘subject’ no longer be required when creating an account (because, as I wrote, it’s not possible to get it from AAD)?
Also, is it worth creating an issue in the Boundary GitHub repo, to make it more visible to people looking for a solution there? Do you do any backlog prioritizing based on the issues created and ‘voted’ on by people outside of the Boundary dev team?
There’s one more PR you may be interested in, which makes all OIDC callback URLs deterministic. FYI, all of this will be included in the 0.2.1 release.
Thank you!
I missed that because I was hacking the 0.2.0 version instead of the built one…
And yes, I’ve already seen the change in the callback URL pattern.
All of that is making OIDC much simpler to set up.