Auth: Remove OIDC identities #13149

Open
edlerd opened this issue Mar 14, 2024 · 2 comments · May be fixed by #14191
Labels
Improvement Improve to current situation

Comments

@edlerd (Contributor) commented Mar 14, 2024

Required information

  • Distribution: snap
  • Distribution version: 5.21.0-0cbd19b

Issue description

On log-in of OIDC users, an entry in the identities table gets created. Currently, there is no way to remove those entries. This might be problematic if the user in the external identity provider was removed and an administrator wants to clean up the entries in LXD.

The suggestion is to add an endpoint that allows removing OIDC identities.

Steps to reproduce

  1. Configure LXD with OIDC
  2. Log in to the UI with an OIDC user [email protected]
  3. Remove [email protected] from LXD's identities
@tomponline tomponline added the Improvement Improve to current situation label Mar 14, 2024
@markylaing markylaing changed the title Add endpoint to remove OIDC identities Auth: Remove OIDC identities. Apr 11, 2024
@mseralessandri (Contributor) commented:
We can consider the SCIM protocol (https://scim.cloud/) to align identities with the IdP

@markylaing (Contributor) commented:

There are a number of options for removing OIDC identities:

  1. Add a task to clean up OIDC identities that have not been seen for a configurable period and are not members of a LXD group.
  2. Add an endpoint so that an administrator can remove them manually. If they are still present at the IdP level this will have the effect of revoking all LXD group membership, but it will not have any effect if permissions are configured using IdP group mappings.
  3. Use SCIM as suggested by @mseralessandri. We should be careful to add a backup for this as it may not be supported by all IdPs.

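The first option above (a periodic task that drops OIDC identities that have been idle longer than a configurable period and belong to no LXD group) can be sketched as a pure selection function. The following is an added illustration written for this issue, not LXD's own code: the `Identity` struct, the `groupMembers` map and the sample data are constructed for the example and do not reflect LXD's real database schema or API.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Identity is a simplified, hypothetical model of a row in the identities
// table (constructed for this example; not LXD's actual schema).
type Identity struct {
	AuthMethod string    // "oidc" or "tls"
	Identifier string    // for OIDC, the user's email or subject claim
	LastSeen   time.Time // time of the last successful login
}

// CleanupPolicy carries the configurable idle period from option 1.
type CleanupPolicy struct {
	MaxIdle time.Duration
}

// groupMembers maps an LXD group name to the identifiers of its members
// (constructed for this example).
type groupMembers map[string][]string

// isMemberOfAnyGroup reports whether an identifier appears in any group.
func isMemberOfAnyGroup(identifier string, groups groupMembers) bool {
	for _, members := range groups {
		for _, m := range members {
			if m == identifier {
				return true
			}
		}
	}
	return false
}

// StaleOIDCIdentities returns, sorted, the identifiers of OIDC identities
// that have been idle longer than policy.MaxIdle and are in no LXD group.
// TLS identities are never selected, and an identity that still grants
// permissions through group membership is kept regardless of age.
func StaleOIDCIdentities(ids []Identity, groups groupMembers, now time.Time, policy CleanupPolicy) []string {
	var stale []string
	for _, id := range ids {
		if id.AuthMethod != "oidc" {
			continue
		}
		if now.Sub(id.LastSeen) <= policy.MaxIdle {
			continue // seen recently enough
		}
		if isMemberOfAnyGroup(id.Identifier, groups) {
			continue // still carries group-based permissions
		}
		stale = append(stale, id.Identifier)
	}
	sort.Strings(stale)
	return stale
}

// PruneIdentities returns a copy of ids with the given identifiers removed.
func PruneIdentities(ids []Identity, remove []string) []Identity {
	drop := make(map[string]bool, len(remove))
	for _, r := range remove {
		drop[r] = true
	}
	kept := make([]Identity, 0, len(ids))
	for _, id := range ids {
		if !drop[id.Identifier] {
			kept = append(kept, id)
		}
	}
	return kept
}

// SampleData builds constructed identities and groups for a dry run.
func SampleData() ([]Identity, groupMembers, time.Time) {
	now := time.Date(2024, 3, 14, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	ids := []Identity{
		{AuthMethod: "oidc", Identifier: "alice@example.com", LastSeen: now.Add(-90 * day)},  // idle, no group
		{AuthMethod: "oidc", Identifier: "bob@example.com", LastSeen: now.Add(-2 * day)},     // active
		{AuthMethod: "oidc", Identifier: "carol@example.com", LastSeen: now.Add(-200 * day)}, // idle but in a group
		{AuthMethod: "tls", Identifier: "TLS-FINGERPRINT-PLACEHOLDER", LastSeen: now.Add(-400 * day)},
	}
	groups := groupMembers{"admins": {"carol@example.com"}}
	return ids, groups, now
}

func main() {
	ids, groups, now := SampleData()
	stale := StaleOIDCIdentities(ids, groups, now, CleanupPolicy{MaxIdle: 30 * 24 * time.Hour})
	fmt.Println("would remove:", stale)
	fmt.Println("remaining:", len(PruneIdentities(ids, stale)))
}
```

Running it with the constructed data selects only `alice@example.com`: `carol@example.com` is older but survives because of her group membership, which is the guard that keeps the task from silently revoking permissions, and the TLS entry is never considered. As the comment notes for option 2, a manual endpoint would need the same care around group membership, and neither approach covers permissions derived from IdP group mappings.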
@tomponline tomponline changed the title Auth: Remove OIDC identities. Auth: Remove OIDC identities May 3, 2024
@markylaing markylaing linked a pull request Oct 2, 2024 that will close this issue
4 participants