Disallow manual group edits if using OIDC group claims #6549
Comments
|
We could track the group additions with a field to indicate if it came manually or from OIDC. If we decide to support both OIDC group syncing and manual group editing. |
|
@sreya This might be a good one to plan |
|
Once you are using OIDC for groups, group creation, roles and user logins. All of these features should be read only.
|
|
I believe the roles are already read only. Agreed on the others |
|
Sorry, yes. I noticed that "roles" syncing does make it read only. "groups" syncing does have a challenge that the "groups" have to already exist (but no users can be added or removed). Or that groups get created dynamically (but in the case of entra id, group names will be "Object Id", which is not human friendly). For on the fly creating of "groups" a mapping should ideally exist for the "name", "display name", "description" and "icon". |
|
You can auto create missing groups: https://coder.com/docs/v2/latest/cli/server#--oidc-group-auto-create There is a static mapping: https://coder.com/docs/v2/latest/cli/server#--oidc-group-mapping But for dynamic groups, there is a display name already: https://coder.com/docs/v2/latest/api/schemas#codersdkgroup So the group name might be something strange from the OIDC, but you can give it a friendly name in coder. |
|
I will test that. For my testing the group names were the Object Id. But I will see if mapping them in coders environment configuration. |
|
@Emyrk are we doing this with our oidc+group sync work? |
|
@bpmct Yea, I will fix this as I redo grou sync 👍 |
If OIDC
groupsclaims is controlling user groups, admins should not be allowed to add/remove user's from groups manually. Any manual edits would be reverted each time the OIDC user logs in.The text was updated successfully, but these errors were encountered: