Groups in groups membership for OIDC
Problem to solve
The OIDC API misses information on a user's group membership when that membership is achieved through a group-in-group (shared group) membership.
Intended users
User experience goal
Make third-party tools aware of actual memberships to allow group based access management without the need to add every user to a given group.
Proposal
Make /oauth/userinfo aware of all groups the user is a member of, both directly and through group-in-group membership.
This could be exposed through the existing groups field or a new one.
A single endpoint without several round trips would be a more performant solution and a better representation of users' actual memberships.
Further details
Dex allows granting access to a Kubernetes cluster (namespace) through GitLab user membership in a group. This is already possible, but only with direct user membership or inherited membership. This is particularly useful when you need to add a group of developers to a particular cluster/namespace.
Right now there is no API to figure out whether a user is a member of a group shared with another group (not even in the regular REST API, /api/v4).
As far as I understand, the only way to get any information about such groups is the shared_with_groups field of the api/v4/groups/:id request.
Then it's possible to check if the user is a member of the provided groups using groups in /oauth/userinfo.
It gets tricky really fast when group memberships are nested.
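To show why the nested case gets tricky, here is an added example (not GitLab's or Dex's code) that resolves a user's effective membership by walking shared_with_groups entries over constructed data. It assumes each share entry carries group_id and group_access_level (as in the api/v4/groups/:id response) and that access gained through a share is capped at the share's access level.

```python
"""Resolve effective GitLab group membership through nested group shares.

Model (assumption, mirroring the api/v4/groups/:id response shape):
  SHARES[target] = [{"group_id": inviter, "group_access_level": cap}, ...]
meaning members of ``inviter`` also get access to ``target``, capped at ``cap``.
GitLab access levels: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner.
"""
from collections import deque

# Constructed sample data: group 10 is shared with group 20, 20 with 30,
# and 30 with 10 (a cycle, to show the traversal still terminates).
# Group 40 is shared with nobody.
SHARES = {
    10: [{"group_id": 20, "group_access_level": 30}],
    20: [{"group_id": 30, "group_access_level": 20}],
    30: [{"group_id": 10, "group_access_level": 40}],
    40: [],
}


def effective_groups(direct, shares):
    """Return {group_id: access_level} for every group the user reaches.

    ``direct`` is {group_id: access_level} for the user's own memberships
    (e.g. the groups claim of /oauth/userinfo joined with the member role).
    Breadth-first walk over the inverted share graph; a group is revisited
    only when a strictly better level is found, so cycles cannot loop.
    """
    result = dict(direct)
    # Invert the share map: inviter -> [(target, cap), ...]
    grants = {}
    for target, entries in shares.items():
        for entry in entries:
            grants.setdefault(entry["group_id"], []).append(
                (target, entry["group_access_level"]))
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for target, cap in grants.get(group, []):
            level = min(result[group], cap)  # shared access is capped by the share
            if result.get(target, 0) < level:
                result[target] = level
                queue.append(target)
    return result


def is_member(direct, group_id, shares, min_level=10):
    """True if the user reaches ``group_id`` with at least ``min_level``."""
    return effective_groups(direct, shares).get(group_id, 0) >= min_level
```

A Developer (30) in group 30 ends up as Reporter (20) in groups 20 and 10, because the share of 20 with 30 caps access at 20 and nothing later raises it; a consumer that only checks direct membership would see none of this.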
Links / references
- Related Dex issue - GitLab Groups as Groups members