groups: auto-create all groups sent from OIDC groups claim #8214

Closed
ericpaulsen opened this issue Jun 26, 2023 · 5 comments · Fixed by #8884
Assignees
Labels
enterprise Enterprise-license / premium functionality

Comments

@ericpaulsen
Member

ericpaulsen commented Jun 26, 2023

An enterprise customer recently configured group sync with AD. They have 1000s of groups. Currently, to configure group sync for a group of users in Coder, they have to:

  1. manually create the group in Coder
  2. update the OIDC_GROUP_MAPPING env var & update Coder

This process is sufficient for a small POC, but they provided feedback that this will be cumbersome for the tens to hundreds of groups expected to sync with Coder. They suggested the default group name be the group ID passed in from the IdP (they'd update the name as a later step). This would also allow a one-time setting of the OIDC_GROUP_MAPPING var to the pre-defined IDs > group names.

@ericpaulsen ericpaulsen added feature enterprise Enterprise-license / premium functionality labels Jun 26, 2023
@Emyrk
Member

Emyrk commented Jun 26, 2023

One thing that might be helpful here is to add Display Name and/or Description to groups in Coder. The automatic group sync might want some sort of Coder specific annotations to help the admins in Coder know what the group is.

The group naming scheme from this particular customer is sometimes a bit cryptic as they are auto generated.

@Emyrk Emyrk self-assigned this Jul 10, 2023
@Emyrk
Member

Emyrk commented Jul 10, 2023

I would like to have a discussion on how to achieve this.

My concerns:

  • Should we delete groups that are no longer in the IDP? How would we know that?
  • A customer has 200 groups, and accidentally syncs them all to Coder. We do not have a quick way to batch delete, so this could be frustrating.
  • Should this be in the product, or some kind of external script to sync this information? We do have an api and cli that can achieve this.

@Emyrk
Member

Emyrk commented Jul 14, 2023

One thing we should do is an "Identifier Name" vs "Display/Friendly Name".

The ID name must accept more characters and probably needs to be url escaped.

@bpmct bpmct changed the title groups: Coder groups must be created in advance of group sync groups: auto-create all groups sent from OIDC groups claim Jul 14, 2023
@bpmct
Member

bpmct commented Jul 14, 2023

Should we delete groups that are no longer in the IDP? How would we know that?

No, I don't think this is necessary.

A customer has 200 groups, and accidentally syncs them all to coder. We do not have a quick way to batch delete, so this could be frustrating.

We could provide a basic bash script in the docs to do this with curl + jq. Query all group IDs that were created after a certain time and a second script to delete.

Should this be in the product, or some kind of external script to sync this information? We do have an api and cli that can achieve this.

On our call, we discussed doing it in the product, since some customers may have less control over their OIDC claims. What are your thoughts on making this opt-in via a flag @Emyrk? It would suck if a bunch of groups appeared in a Coder deployment as a breaking change.

Deleting groups

One thing we discussed was that once imported, a group cannot be deleted from Coder. I think we should actually support this. When a user logs in again, the group can be re-created if the claim sent it. However, editing assignments should be disabled #6549

@Emyrk
Member

Emyrk commented Jul 14, 2023

@bpmct Opt in flag to turn on auto-group creation from group sync seems like the way to go.

@coadler mentioned doing this would not prevent a SCIM solution later, and both could operate in parallel since their source of truth would be shared.
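The behaviour the thread settles on (opt-in auto-creation of groups from the `groups` claim, an escaped identifier name separate from an editable display name, no deletion of groups that disappear from the IdP, re-creation on the next login, and a batch cleanup of groups created after a given time) can be modelled in a few dozen lines. The following is an added example written for this page, not Coder's code. The shape of OIDC_GROUP_MAPPING (IdP group id -> Coder group name) follows the env var named in the issue; the Group and GroupStore types, the `auto_create` flag, the `created_at` field and the cleanup helper are assumptions made for illustration.

```python
"""Model of OIDC group-claim sync with an opt-in auto-create flag.

Added example, not Coder's code. The Group/GroupStore types, the
auto_create flag and the created_at-based cleanup are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import quote


@dataclass
class Group:
    name: str              # identifier name: stable and URL-safe
    display_name: str      # friendly name an admin may rename later
    created_at: int        # login timestamp that created it (assumed field)
    auto_created: bool = False
    members: set = field(default_factory=set)


class GroupStore:
    """In-memory stand-in for the groups table."""

    def __init__(self):
        self.groups: dict[str, Group] = {}

    def create(self, name, display_name, now, auto_created):
        self.groups[name] = Group(name, display_name, now, auto_created)
        return self.groups[name]

    def delete(self, name):
        self.groups.pop(name, None)


def identifier_name(idp_group_id: str) -> str:
    """IdP ids may contain spaces, '=', '/' and so on; escape them into a
    stable identifier so the raw id is safe to use in URLs."""
    return quote(idp_group_id, safe="")


def sync_user_groups(store, user, claim_groups, mapping, auto_create, now=0):
    """Apply one login's `groups` claim to the store.

    Returns (created, joined, left): names created during this sync, groups
    the user now belongs to, and groups the user was removed from. Groups
    absent from the claim are never deleted; only membership changes.
    """
    created, wanted = [], set()
    for idp_id in claim_groups:
        # Mapped ids use the admin-chosen name; unmapped ids fall back to the
        # escaped IdP id only when auto-create is opted in.
        if idp_id in mapping:
            name, display = mapping[idp_id], mapping[idp_id]
        elif auto_create:
            name, display = identifier_name(idp_id), idp_id
        else:
            continue
        if name not in store.groups:
            if not auto_create:
                continue  # without the flag, pre-create + map is still required
            store.create(name, display, now, auto_created=True)
            created.append(name)
        wanted.add(name)

    joined, left = set(), set()
    for group in store.groups.values():
        if group.name in wanted:
            group.members.add(user)
            joined.add(group.name)
        elif user in group.members:
            group.members.discard(user)
            left.add(group.name)
    return created, joined, left


def delete_auto_created_since(store, since):
    """Batch cleanup after an accidental mass sync: drop auto-created groups
    created at or after `since`, leaving manually created groups alone.
    Returns the deleted names in sorted order."""
    victims = sorted(g.name for g in store.groups.values()
                     if g.auto_created and g.created_at >= since)
    for name in victims:
        store.delete(name)
    return victims


if __name__ == "__main__":
    # Constructed sample: one pre-created, mapped group and one unmapped claim.
    store = GroupStore()
    store.create("engineering", "Engineering", 0, auto_created=False)
    mapping = {"grp-1234": "engineering"}
    claim = ["grp-1234", "ou=Dev Team/42"]
    print(sync_user_groups(store, "alice", claim, mapping, auto_create=False, now=1))
    print(sync_user_groups(store, "alice", claim, mapping, auto_create=True, now=2))
    print(delete_auto_created_since(store, 2))
```

With the flag off, the unmapped claim is ignored and only the pre-created `engineering` group gets membership, which is the manual workflow the issue describes. With the flag on, the unmapped id is created under its escaped identifier and the raw id is kept as the display name for an admin to rename; a later cleanup by creation time removes only auto-created groups, and the next login with the same claim re-creates them.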

3 participants