From f3e86c0de8427f0e96cb59f0c3a49ec008f4e028 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Mon, 11 Nov 2024 12:28:20 +0100 Subject: [PATCH 1/4] [docs-only] Claim update process (proxy service readme) --- services/proxy/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/services/proxy/README.md b/services/proxy/README.md index 404e5113db..b7ccf297bb 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md 
@@ -128,6 +128,14 @@ somewhat costly operation, especially if the user is a member of a large number groups. If the group memberships of a user are changed in the IDP after the first login, it can take up to 5 minutes until the changes are reflected in Infinite Scale. +### Claim Updates + +OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name or picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request, depends on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an ID Token. + +Claims cant get updated automatically in Infinite Scale when there is a change in the IDM (identity management). JWT tokens generated by the IDP (OpenID Connect provider) requested by Infinite Scale, are immutable, means they reflect the IDM claim state when issued. Therefore you can't change or update claims on existing tokens. To provide updated claim information for users in Infinite Scale, a new immutable token must be requested. This especially affects claim changes like changed user details or group names and applies for users individually. + +Because there are many ways to implement expiry and handling of access and refrash tokens, only the general advice to (re)log in to get updated claim information can be given. This also applies for connected apps like the Desktop, iOS or Android app! + ## Automatic Quota Assignments It is possible to automatically assign a specific quota to new users depending on their role. From 379feec22ee71605d6c44fc388fb1e8c5f622ed6 Mon Sep 17 00:00:00 2001 From: Martin Date: Mon, 11 Nov 2024 12:46:03 +0100 Subject: [PATCH 2/4] Update services/proxy/README.md Co-authored-by: Phil Davis --- services/proxy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/proxy/README.md b/services/proxy/README.md index b7ccf297bb..04bf505439 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md @@ -134,7 +134,7 @@ OpenID Connect (OIDC) scopes are used by an application during authentication to Claims cant get updated automatically in Infinite Scale when there is a change in the IDM (identity management). JWT tokens generated by the IDP (OpenID Connect provider) requested by Infinite Scale, are immutable, means they reflect the IDM claim state when issued. Therefore you can't change or update claims on existing tokens. To provide updated claim information for users in Infinite Scale, a new immutable token must be requested. This especially affects claim changes like changed user details or group names and applies for users individually. -Because there are many ways to implement expiry and handling of access and refrash tokens, only the general advice to (re)log in to get updated claim information can be given. This also applies for connected apps like the Desktop, iOS or Android app! +Because there are many ways to implement expiry and handling of access and refresh tokens, only the general advice to (re)log in to get updated claim information can be given. This also applies for connected apps like the Desktop, iOS or Android app! ## Automatic Quota Assignments From 9491abd1b96b76e6bf8e727a0735a0d496579da4 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Tue, 12 Nov 2024 12:39:42 +0100 Subject: [PATCH 3/4] rewrite and impacts --- services/proxy/README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/services/proxy/README.md b/services/proxy/README.md index 04bf505439..144a38acd2 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md 
@@ -130,11 +130,27 @@ first login, it can take up to 5 minutes until the changes are reflected in Infi ### Claim Updates -OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name or picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request, depends on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an ID Token. +OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name, email or picture information. A scope can also contain among other things groups, roles, and permissions data. Each scope returns a set of attributes, which are called claims. The scopes an application requests, depends on which attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in a token. -Claims cant get updated automatically in Infinite Scale when there is a change in the IDM (identity management). JWT tokens generated by the IDP (OpenID Connect provider) requested by Infinite Scale, are immutable, means they reflect the IDM claim state when issued. Therefore you can't change or update claims on existing tokens. To provide updated claim information for users in Infinite Scale, a new immutable token must be requested. This especially affects claim changes like changed user details or group names and applies for users individually. +These issued JWT tokens are immutable and integrity-protected. Which means, any change in the source requires issuing a new token containing updated claims. On the other hand side, there is no active synchronisation process between the identity provider (IDP) who issues the token and Infinite Scale. 
The earliest possible time that Infinite Scale will notice changes is, when the current access token has expired and a new access token is issued by the IDP, or the user logs out and relogs in. -Because there are many ways to implement expiry and handling of access and refresh tokens, only the general advice to (re)log in to get updated claim information can be given. This also applies for connected apps like the Desktop, iOS or Android app! +**NOTES** + +* When there is a changed group information for thousands of users, an additional delay may occur to get updated information based on optimizing computational resources needed for group handling. + +* Infinite Scale can't differentiate between a group being renamed in the IDP and users being reassigned to a different group. + +* Infinite Scale does not get aware when a group is being deleted in the IDP, an updated claim will not hold any information from the deleted group. Infinite Scale does not track a claim history to comapare. + +#### Impacts + +For shares or space memberships based on groups, a renamed or deleted group will impact accessing the resource: + +* There is no user notification about the inability accessing the resource. +* The user will only experience rejected access. +* This also applies for connected apps like the Desktop, iOS or Android app! + +To give access for rejected users on a resource, one with rights to share must update the group information. ## Automatic Quota Assignments From d6640435628b4585508eb78cd8c87f777c8579b3 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Tue, 12 Nov 2024 14:43:29 +0100 Subject: [PATCH 4/4] fixes --- services/proxy/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/proxy/README.md b/services/proxy/README.md index 144a38acd2..b808127c88 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md 
@@ -136,11 +136,11 @@ These issued JWT tokens are immutable and integrity-protected. Which means, any **NOTES** -* When there is a changed group information for thousands of users, an additional delay may occur to get updated information based on optimizing computational resources needed for group handling. +* For resource optimisation, Infinite Scale skips any checks and updates on groupmemberships, if the last update happened less than 5min ago. * Infinite Scale can't differentiate between a group being renamed in the IDP and users being reassigned to a different group. -* Infinite Scale does not get aware when a group is being deleted in the IDP, an updated claim will not hold any information from the deleted group. Infinite Scale does not track a claim history to comapare. +* Infinite Scale does not get aware when a group is being deleted in the IDP, an updated claim will not hold any information from the deleted group. Infinite Scale does not track a claim history to compare. #### Impacts
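Review bot: in the PATCH 1/4 hunk (the new "### Claim Updates" section), the second added paragraph has grammar problems that later patches carry forward as context: "Claims cant get updated" should be "Claims can't get updated", "are immutable, means they reflect" should read "are immutable, meaning they reflect", and "The scopes an application should request, depends on" should drop the comma and use "depend on". The same paragraph says claims arrive in an "ID Token" while the next one talks about JWT tokens and access/refresh tokens; naming which token Infinite Scale actually reads the claims from would remove the ambiguity for administrators configuring the IDP.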
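Review bot: the PATCH 2/4 hunk only corrects "refrash" to "refresh"; the unchanged context line directly above it still contains "Claims cant get updated" and "are immutable, means they reflect", which could be fixed in the same commit since the hunk already touches this paragraph's neighbourhood.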
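Review bot: in the PATCH 3/4 hunk, the "#### Impacts" list covers only the loss-of-access direction; the sentence "The earliest possible time that Infinite Scale will notice changes is, when the current access token has expired" implies the converse as well: a user removed from a group in the IDP keeps group-based share or space access until the access token expires or the user logs in again, which is the case administrators most need to know about when revoking access, so add a bullet stating it. Wording in the same hunk: "Which means, any change" is a fragment (join it to the previous sentence with "which means"), "On the other hand side" should be "Additionally", "relogs in" should be "logs in again", "inability accessing the resource" should be "inability to access the resource", and "comapare" is a typo (corrected in PATCH 4/4).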
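Review bot: in the PATCH 4/4 hunk, the replacement first bullet restates the rule already given in the section's unchanged context ("it can take up to 5 minutes until the changes are reflected in Infinite Scale"); referencing that statement instead of duplicating it keeps the two from drifting apart if the interval changes. In the same bullet, write "5 minutes" rather than "5min" to match the existing text, and "group memberships" rather than "groupmemberships". The third bullet's "Infinite Scale does not get aware when a group is being deleted" reads better as "Infinite Scale is not notified when a group is deleted".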