On Mon, Oct 9, 2023 at 3:13 PM Najib . <[email protected]> wrote:
> Hey Nick,
>
> I definitely don't want to sound the alarm bells on this because, as all
> your points are indeed very valid, the trust starts at the IdP. But let me
> perhaps mention a real world scenario and why this came up.
>
> Microsoft Entra is currently employed as the IdP. It has this concept
> called B2B trust which essentially allows you to open your application to
> external Microsoft Entra tenants which you trust. This in itself is very
> useful as you don't need to manage all these users yourself on your home
> tenant as long as they meet some continuous approval process. But now you
> must guarantee that these claims remain static for these external IdPs
> after validation, and this is very hard to do as even the helpdesk
> administrator role can change the display names or emails of regular users.
> So after someone was granted access to the application their display name or
> email could be modified but their access remains valid, as for the IdP it's
> still the same user with the same application assignment, but now on the
> guac side you might have a local db user that has admin privileges called
> "admin" (I know, bad name to use) which will map this new display name to
> this admin user that perhaps has high privileges.
>
> So to prevent such a scenario our only option was to use an immutable claim
> such as the object id, but the downside is that we had to sacrifice human
> readability in guac.
>
> Great point - thank you for clarifying the exact scenario. -Nick
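The scenario Najib describes above, worked through as an added example that is not part of the thread or of the Guacamole code base: a local user table keyed by a mutable claim (`name`) versus an immutable one (`oid`), and what happens to the resolved privileges when a helpdesk role renames the guest user at the IdP. The claim names `oid`, `name` and `email` follow Microsoft Entra ID token conventions; the IdP records, the local users and the privilege strings are constructed for illustration.

```python
"""Resolve an IdP identity to a local user by a mutable vs. an immutable claim.

Constructed example: the local user table, the guest identity and the
helpdesk rename are invented to reproduce the scenario in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Claims that the IdP guarantees not to change for the lifetime of an account.
# Anything else (display name, email, UPN) can be edited by a delegated admin.
IMMUTABLE_CLAIM_TYPES = {"oid", "sub"}


@dataclass
class LocalUser:
    """A row in the application's own user database."""
    username: str                      # value compared against the chosen claim
    privileges: Set[str] = field(default_factory=set)
    display_name: str = ""             # kept only for rendering, never for lookup


def validate_claim_type(claim_type: str) -> str:
    """Reject a username claim that a delegated admin could rewrite."""
    if claim_type not in IMMUTABLE_CLAIM_TYPES:
        raise ValueError(
            f"claim '{claim_type}' is mutable at the IdP; use one of "
            f"{sorted(IMMUTABLE_CLAIM_TYPES)} as the username claim"
        )
    return claim_type


def resolve_user(claims: Dict[str, str], claim_type: str,
                 users: Dict[str, LocalUser]) -> Optional[LocalUser]:
    """Look up the local user whose username equals the selected token claim."""
    return users.get(claims.get(claim_type, ""))


def display_label(claims: Dict[str, str], user: LocalUser) -> str:
    """Human readable label: show the display name, but keep the stable id visible."""
    return f"{claims.get('name', user.display_name)} ({user.username})"


def simulate(claim_type: str) -> Tuple[Set[str], Set[str]]:
    """Return (privileges before rename, privileges after rename) for a guest user.

    Constructed guest object id; the local table keys the guest row by whichever
    claim type is under test so that the initial mapping works in both cases.
    """
    guest_oid = "00000000-0000-0000-0000-000000000001"   # placeholder oid
    guest_claims = {"oid": guest_oid, "name": "Najib", "email": "najib@external.example"}

    users = {
        "admin": LocalUser("admin", {"ADMINISTER"}, "Admin"),
        guest_claims[claim_type]: LocalUser(guest_claims[claim_type], {"CONNECT"}, "Najib"),
    }

    before = resolve_user(guest_claims, claim_type, users)
    assert before is not None

    # A helpdesk administrator renames the guest at the IdP. The object id and the
    # application assignment are untouched, so the next token still validates.
    renamed_claims = dict(guest_claims, name="admin", email="admin@external.example")
    after = resolve_user(renamed_claims, claim_type, users)

    return set(before.privileges), set(after.privileges) if after else set()


if __name__ == "__main__":
    for ct in ("name", "oid"):
        b, a = simulate(ct)
        print(f"username claim={ct!r}: before={sorted(b)} after={sorted(a)}")
    # name -> the renamed guest now resolves to the local "admin" row
    # oid  -> the mapping is unchanged
    validate_claim_type("oid")
    try:
        validate_claim_type("name")
    except ValueError as exc:
        print("rejected:", exc)
```

Keying the local table on `oid` is what costs readability in the user list; `display_label` shows the usual compromise of rendering the `name` claim next to the stable id for display only, so that a rename changes what an administrator sees but never which row the login resolves to.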
