rewrite and impacts

This commit is contained in:
Martin Mattel
2024-11-12 12:39:42 +01:00
parent 379feec22e
commit 9491abd1b9


@@ -130,11 +130,27 @@ first login, it can take up to 5 minutes until the changes are reflected in Infi
### Claim Updates
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name or picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request, depends on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an ID Token.
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name, email or picture information. A scope can also contain among other things groups, roles, and permissions data. Each scope returns a set of attributes, which are called claims. The scopes an application requests, depends on which attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in a token.
Claims cant get updated automatically in Infinite Scale when there is a change in the IDM (identity management). JWT tokens generated by the IDP (OpenID Connect provider) requested by Infinite Scale, are immutable, means they reflect the IDM claim state when issued. Therefore you can't change or update claims on existing tokens. To provide updated claim information for users in Infinite Scale, a new immutable token must be requested. This especially affects claim changes like changed user details or group names and applies for users individually.
These issued JWT tokens are immutable and integrity-protected. Which means, any change in the source requires issuing a new token containing updated claims. On the other hand side, there is no active synchronisation process between the identity provider (IDP) who issues the token and Infinite Scale. The earliest possible time that Infinite Scale will notice changes is, when the current access token has expired and a new access token is issued by the IDP, or the user logs out and relogs in.
Because there are many ways to implement expiry and handling of access and refresh tokens, only the general advice to (re)log in to get updated claim information can be given. This also applies for connected apps like the Desktop, iOS or Android app!
**NOTES**
* When there is a changed group information for thousands of users, an additional delay may occur to get updated information based on optimizing computational resources needed for group handling.
* Infinite Scale can't differentiate between a group being renamed in the IDP and users being reassigned to a different group.
* Infinite Scale does not get aware when a group is being deleted in the IDP, an updated claim will not hold any information from the deleted group. Infinite Scale does not track a claim history to comapare.
#### Impacts
For shares or space memberships based on groups, a renamed or deleted group will impact accessing the resource:
* There is no user notification about the inability accessing the resource.
* The user will only experience rejected access.
* This also applies for connected apps like the Desktop, iOS or Android app!
To give access for rejected users on a resource, one with rights to share must update the group information.
## Automatic Quota Assignments
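Review bot: the "Impacts" section only describes stale claims as lost access ("The user will only experience rejected access"), but the mechanism described a few lines earlier ("The earliest possible time that Infinite Scale will notice changes is, when the current access token has expired") cuts both ways: a user removed from a group, or a group deleted in the IDP, keeps whatever access the old claims granted until that token expires or the user re-logs in. Please add a bullet under "Impacts" stating that revocations of group-based access are delayed in the same way, and that the configured access token lifetime is the upper bound on that delay, since that is what an administrator needs to know when acting on a membership change. Secondly, the token terminology is now inconsistent: the rewritten scope sentence changes "the claims are returned in an ID Token" to "returned in a token", while the following paragraph reasons about the "access token" expiring; say which token Infinite Scale reads the claims from, or use one term consistently. Finally, a few wording fixes in the added lines: "Claims cant get updated" should be "Claims can't get updated", "are immutable, means they reflect" should be "are immutable, meaning they reflect", "On the other hand side" should be "On the other hand", "The scopes an application requests, depends on" should be "The scopes an application requests depend on", "does not get aware when a group is being deleted" should be "is not notified when a group is deleted", and "comapare" should be "compare". The two sentences "JWT tokens generated by the IDP ... are immutable" and "These issued JWT tokens are immutable and integrity-protected" say the same thing back to back; keep one.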