Description
Azure can only return a certain amount of groups in the JWT. When there are too many groups to return, Azure returns the `hasGroups=true` attribute. I don't know what the exact threshold is, but this is by design to avoid going over the URL length limit in the browser. According to the comment I've linked, the group limit is 4, which seems awfully low. If that's true, this issue will occur in very many companies if they want to use Azure to manage security groups when interfacing with Tweek.
It would be nice if Tweek supported this in order to obtain group information, so that users can use Azure security groups to manage application-level access.
Azure has a Graph API that you can use to inquire about full group membership, or about membership to a particular group.
I'm imagining something like the following would occur if `hasGroups: true` is returned from Azure instead of group information:

```
if (hasGroups)
    call the Graph API to inquire about group membership
else
    read groups directly from the token
```
The Graph API has the following formats.

Get all groups a user belongs to:

```
GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
```

Inquire whether the user belongs to a specific group:

```
POST https://graph.windows.net/myorganization/users/{user_id}/isMemberOf?api-version
```
I imagine this behavior could be optional, to only occur if a value for the Graph API is set in the `gateway-configmap.yaml`, and if `hasGroups` is true, and no `groups` array is returned.
Is this something Tweek can/should support? Or, is this something that should be done on the user's end in the OPA defined JWT extraction policy?
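Here is a worked version of the branch sketched above, as an added example and not code from Tweek or from the issue author. It assumes the claim names `oid`, `groups` and `hasgroups` (and, going slightly beyond the post, the `_claim_names`/`_claim_sources` overage form Azure uses for non-implicit flows), an `api-version=1.6` query string, a Graph response shaped as `{"value":[{"url":".../directoryObjects/<id>/..."}]}`, and a caller-supplied Graph bearer token; all of those are assumptions to verify against real tokens and responses. The fake Graph server and the sample claims are constructed so the example runs offline. Note the failure mode: when the token signals overage and no Graph lookup is configured, the function returns an error instead of silently treating the user as belonging to no groups, so the gateway can fail closed explicitly.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrGroupOverage: the token omitted groups and no Graph lookup is configured.
// Callers should fail closed rather than treat the user as having no groups.
var ErrGroupOverage = errors.New("token omits groups (overage) and no graph lookup is configured")

// Claims is the subset of the Azure-issued JWT payload that matters here.
// Claim names are assumptions for this example; check them against real tokens.
type Claims struct {
	OID        string            `json:"oid"`
	Groups     []string          `json:"groups"`
	HasGroups  bool              `json:"hasgroups"`
	ClaimNames map[string]string `json:"_claim_names"`
}

// GroupLookup resolves full group membership out of band (e.g. via the Graph).
// It is nil when the gateway has no Graph endpoint configured.
type GroupLookup func(userID string) ([]string, error)

// ResolveGroups is the branch from the issue: read groups from the token unless
// Azure signalled overage AND the token carries no groups array, in which case
// ask the Graph if a lookup is configured, and fail closed otherwise.
func ResolveGroups(c Claims, lookup GroupLookup) ([]string, error) {
	overage := c.HasGroups || c.ClaimNames["groups"] != ""
	if !overage || len(c.Groups) > 0 {
		if c.Groups == nil {
			return []string{}, nil // no groups claim at all: user is in no groups
		}
		return c.Groups, nil
	}
	if lookup == nil {
		return nil, ErrGroupOverage
	}
	return lookup(c.OID)
}

// ParseClaims decodes the JSON payload of a JWT whose signature the caller
// has already verified (verification is out of scope for this example).
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	err := json.Unmarshal(payload, &c)
	return c, err
}

// NewGraphLookup builds a GroupLookup against the $links/memberOf endpoint form
// quoted in the issue. The response shape is an assumption (see lead-in).
func NewGraphLookup(client *http.Client, baseURL, bearer string) GroupLookup {
	return func(userID string) ([]string, error) {
		u := fmt.Sprintf("%s/myorganization/users/%s/$links/memberOf?api-version=1.6", baseURL, userID)
		req, err := http.NewRequest(http.MethodGet, u, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+bearer)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("graph returned %d", resp.StatusCode)
		}
		var body struct {
			Value []struct {
				URL string `json:"url"`
			} `json:"value"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
			return nil, err
		}
		groups := make([]string, 0, len(body.Value))
		for _, v := range body.Value {
			// The group object ID is the path segment after "directoryObjects/".
			parts := strings.Split(v.URL, "/directoryObjects/")
			if len(parts) != 2 {
				return nil, fmt.Errorf("unexpected link %q", v.URL)
			}
			groups = append(groups, strings.SplitN(parts[1], "/", 2)[0])
		}
		return groups, nil
	}
}

// FakeGraph is a constructed stand-in for graph.windows.net so this runs offline.
func FakeGraph(membership map[string][]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer graph-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		seg := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // myorganization/users/<id>/$links/memberOf
		if len(seg) != 5 || seg[1] != "users" || seg[3] != "$links" || seg[4] != "memberOf" {
			http.NotFound(w, r)
			return
		}
		type link struct {
			URL string `json:"url"`
		}
		var out struct {
			Value []link `json:"value"`
		}
		for _, g := range membership[seg[2]] {
			out.Value = append(out.Value, link{"https://graph.windows.net/myorganization/directoryObjects/" + g + "/Microsoft.DirectoryServices.Group"})
		}
		json.NewEncoder(w).Encode(out)
	}))
}

func main() {
	srv := FakeGraph(map[string][]string{"u1": {"g-a", "g-b"}}) // constructed membership
	defer srv.Close()
	lookup := NewGraphLookup(srv.Client(), srv.URL, "graph-token")
	direct, _ := ParseClaims([]byte(`{"oid":"u0","groups":["g-x"]}`)) // constructed token payloads
	overage, _ := ParseClaims([]byte(`{"oid":"u1","hasgroups":true}`))
	for _, c := range []Claims{direct, overage} {
		gs, err := ResolveGroups(c, lookup)
		fmt.Println(c.OID, gs, err)
	}
}
```

In a gateway the `GroupLookup` would be built only when the configmap carries a Graph base URL and credentials, and the resolved list would then feed the same policy input that the `groups` claim feeds today, so the OPA policy need not know which path produced it.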