mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-05-18 21:46:19 -04:00
Merge pull request #10537 from owncloud/update_claims
[docs-only] Claim update process (proxy service readme)
@@ -128,6 +128,30 @@ somewhat costly operation, especially if the user is a member of a large number
groups. If the group memberships of a user are changed in the IDP after the
first login, it can take up to 5 minutes until the changes are reflected in Infinite Scale.
### Claim Updates
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name, email or picture information. A scope can also contain among other things groups, roles, and permissions data. Each scope returns a set of attributes, which are called claims. The scopes an application requests, depends on which attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in a token.
These issued JWT tokens are immutable and integrity-protected. Which means, any change in the source requires issuing a new token containing updated claims. On the other hand side, there is no active synchronisation process between the identity provider (IDP) who issues the token and Infinite Scale. The earliest possible time that Infinite Scale will notice changes is, when the current access token has expired and a new access token is issued by the IDP, or the user logs out and relogs in.
**NOTES**
* For resource optimisation, Infinite Scale skips any checks and updates on groupmemberships, if the last update happened less than 5min ago.
* Infinite Scale can't differentiate between a group being renamed in the IDP and users being reassigned to a different group.
* Infinite Scale does not get aware when a group is being deleted in the IDP, an updated claim will not hold any information from the deleted group. Infinite Scale does not track a claim history to compare.
#### Impacts
For shares or space memberships based on groups, a renamed or deleted group will impact accessing the resource:
* There is no user notification about the inability accessing the resource.
* The user will only experience rejected access.
* This also applies for connected apps like the Desktop, iOS or Android app!
To give access for rejected users on a resource, one with rights to share must update the group information.
## Automatic Quota Assignments
It is possible to automatically assign a specific quota to new users depending on their role.
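Review bot: the interaction between token renewal and the 5-minute skip is left implicit in the "Claim Updates" paragraph and the first NOTES bullet. The paragraph says changes are noticed at the earliest when a new access token is issued or the user logs in again, while the bullet says group-membership checks and updates are skipped if the last update happened less than 5 minutes ago, so a fresh token obtained inside that window will not refresh group memberships either; state that explicitly so operators do not expect a forced re-login to be enough. The last line of "Impacts" should also say which update is meant: re-sharing the resource or re-adding the space member using the renamed or newly created group, since the IDP group itself cannot be repaired from Infinite Scale and, per the notes, there is no claim history to fall back on. Minor wording in the added text: "groupmemberships" should be "group memberships" and "5min" should be "5 minutes" to match the context line above; "On the other hand side" should be "On the other hand"; "relogs in" should be "logs in again"; "does not get aware when" should be "is not notified when"; "inability accessing the resource" should be "inability to access the resource"; and "Which means, any change ..." is a sentence fragment that belongs to the preceding sentence ("integrity-protected, which means any change ...").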