At login time, some identity providers (notably OIDC and RequestHeader) can provide group membership information for the authenticating user. That group membership should be able to be used within OpenShift.
--- new proposal
- should be made clear within an enhancement
--- old proposal
- Persist group data obtained at login in the API access token object
  - allows admins to set a max lifetime on a token, after which the group membership must be revalidated by logging in and obtaining a new token
  - the group membership doesn't apply to other API tokens
  - allows identity providers to provide different group membership depending on login method
  - avoids write contention on Group API objects
  - allows admins to continue using Group API objects for "local" groups
  - avoids the need to add source info for every member in a Group API object
- Map the identity-provider group name directly to an OpenShift group name
  - a mapping can be added later if needed
- Enhance the following identity providers to consume group info:
  - OIDC (via configurable claim(s), containing string or string array data)
  - RequestHeader (via configurable and optionally repeated header(s) containing group names)
  - Remote basic auth (via "groups" field containing string array data)
- Design doc: https://docs.google.com/document/d/1C4HW4jR6C0rotyqtoT47nu1l5FRGZWsRMcx6Vnl-FKg/edit
- RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1469173
- What limitations should be placed on group names obtained from an identity provider?
  - Should `system:...` groups be allowed?
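The following is an added example, not code from the OpenShift project or the proposal above. It shows the group-ingestion shapes the "Enhance the following identity providers" items describe (an OIDC claim that may be a string or a string array, and optionally repeated RequestHeader headers), plus one possible answer to the open question about `system:` group names: the `sanitizeGroups` step drops any `system:`-prefixed name before it reaches authorization, because Kubernetes reserves that prefix for built-in groups such as `system:masters` and `system:authenticated`. The claim names, header name, and the reject-`system:` policy are assumptions made for this example; the ID token payload is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// groupsFromClaim normalizes an OIDC claim value that may be a single string
// or an array of strings into a []string. Any other shape is rejected rather
// than silently ignored, so a misconfigured claim name fails loudly.
func groupsFromClaim(v interface{}) ([]string, error) {
	switch c := v.(type) {
	case nil:
		return nil, nil // claim absent: no groups from this claim
	case string:
		return []string{c}, nil
	case []string:
		return c, nil
	case []interface{}:
		out := make([]string, 0, len(c))
		for _, e := range c {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("group claim element %v is not a string", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("unsupported group claim type %T", v)
	}
}

// groupsFromIDToken reads the configured claim names (an assumed setting)
// from an already-verified ID token payload and concatenates their groups.
func groupsFromIDToken(payload []byte, claimNames []string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	var all []string
	for _, name := range claimNames {
		g, err := groupsFromClaim(claims[name])
		if err != nil {
			return nil, fmt.Errorf("claim %q: %w", name, err)
		}
		all = append(all, g...)
	}
	return all, nil
}

// groupsFromHeaders collects group names from configured, optionally repeated
// request headers (e.g. one X-Remote-Group header per group). It must only be
// called after the front proxy's client certificate has been verified.
func groupsFromHeaders(h http.Header, headerNames []string) []string {
	var all []string
	for _, name := range headerNames {
		for _, v := range h.Values(name) {
			if v = strings.TrimSpace(v); v != "" {
				all = append(all, v)
			}
		}
	}
	return all
}

// sanitizeGroups de-duplicates the groups and drops names an external
// identity provider must not be able to assert. Rejecting the "system:"
// prefix is this example's assumed policy for the proposal's open question.
func sanitizeGroups(groups []string) (kept, rejected []string) {
	seen := map[string]bool{}
	for _, g := range groups {
		if seen[g] {
			continue
		}
		seen[g] = true
		if strings.HasPrefix(g, "system:") {
			rejected = append(rejected, g)
			continue
		}
		kept = append(kept, g)
	}
	sort.Strings(kept)
	return kept, rejected
}

func main() {
	// Constructed sample ID token payload; not from a real provider.
	payload := []byte(`{"sub":"alice","groups":["dev","ops"],"team":"platform","roles":["system:masters","dev"]}`)
	g, err := groupsFromIDToken(payload, []string{"groups", "team", "roles"})
	if err != nil {
		panic(err)
	}
	kept, rejected := sanitizeGroups(g)
	fmt.Println("kept:", kept, "rejected:", rejected)

	h := http.Header{}
	h.Add("X-Remote-Group", "qa")
	h.Add("X-Remote-Group", "dev")
	fmt.Println("header groups:", groupsFromHeaders(h, []string{"X-Remote-Group"}))
}
```

The `rejected` slice is returned rather than discarded so the caller can log which identity-provider-asserted names were refused; that audit trail is what lets an admin notice a provider trying to hand out reserved groups.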
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>