Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-4118

Aggregated and Distributed Claims support in OpenShift Container Platform 4 for OpenID



    • False
    • None
    • False
    • Not Selected
    • 0
    • 0% 0%


      1. Proposed title of this feature request
      Aggregated and Distributed Claims support in OpenShift Container Platform 4 for OpenID

      2. What is the nature and description of the request?
      In OpenShift Container Platform 4.10, we did implement Syncing group membership from OpenID Connect identity providers. This works great but for example in Azure AD is facing some limitation as Azure AD is limiting number of groups part of the token to 200 to keep the size of the token at a reasonable level.

      Instead, they are offering Aggregated and Distributed Claims to fetch the group members via a specific API from the authenticated user. That prevents large token being sent and still makes sure all required groups will be made available.

      3. Why does the customer need this? (List the business requirements here)
      Given that OpenShift Container Platform 4 is used in large enterprise environments, that are more and more adopting Azure AD, it's definitely expected that users with more than 200 group membership will eventually start using OpenShift Container Platform 4 but then face a problem because groups may be truncated from the token and thus not be available, limiting access and functionality in OpenShift Container Platform 4.

      To prevent this from happening, we should provide support for Aggregated and Distributed Claims in OpenShift Container Platform 4 and it's OpenID support to make sure all possible sizes and variations found at customers are going to work and won't limit users in functionality and access.

      4. List any affected packages or components.

      • oauth-server
      • oauth-apiserver


        Issue Links



              atelang@redhat.com Anjali Telang
              rhn-support-sreber Simon Reber
              0 Vote for this issue
              8 Start watching this issue