Provide group membership level in OIDC claim
What does this MR do?
Add group membership levels to OpenID Connect user info.
Problem to solve
A user wants to use the groups claim for authorization checks in an application.
This claim lists all groups with direct and indirect membership, regardless of permission level.
So the application can check that the user has some access to the listed groups,
but can't distinguish between a user with "Owner" access and a user with "Guest" access.
While a user can hold a wide variety of different permissions, and adding someone with "Guest" access is mostly harmless, this access-level information is not provided downstream.
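To make the gap concrete, here is an added example of a relying-party authorization check in Python. It is not code from this MR or from GitLab: the userinfo responses are constructed, and the per-level claim names (`https://example.invalid/claims/groups/...`) are an assumption used only to show the shape of the check; the real claim names are whatever the MR documents. The example contrasts what an application can decide from the `groups` claim alone with what it can decide once access levels are available, and it rejects a response whose level claims are inconsistent with `groups`.

```python
import json

# Constructed sample OpenID Connect userinfo response (not captured from a real
# GitLab instance). The "groups" claim is the one the MR discusses: every group
# the user belongs to, directly or through a parent group, with no access level.
USERINFO_GROUPS_ONLY = json.loads("""
{
  "sub": "42",
  "name": "Example User",
  "groups": ["acme", "acme/platform", "acme/finance"]
}
""")

# Assumed shape for the per-level information the MR proposes: one claim per
# access level, listing the groups in which the user holds at least that level.
# These claim names are an assumption made for this example, not the names the
# MR ships; take the real ones from the GitLab OpenID Connect documentation.
LEVEL_CLAIMS = {
    "developer": "https://example.invalid/claims/groups/developer",
    "maintainer": "https://example.invalid/claims/groups/maintainer",
    "owner": "https://example.invalid/claims/groups/owner",
}
LEVEL_ORDER = ["developer", "maintainer", "owner"]  # lowest to highest

# Same user, with the assumed level claims: Owner of acme/platform (so also
# listed under maintainer and developer), Guest in acme and acme/finance (so
# present only in "groups").
USERINFO_WITH_LEVELS = {
    **USERINFO_GROUPS_ONLY,
    LEVEL_CLAIMS["developer"]: ["acme/platform"],
    LEVEL_CLAIMS["maintainer"]: ["acme/platform"],
    LEVEL_CLAIMS["owner"]: ["acme/platform"],
}


def is_member(userinfo, group):
    """What an application can check today: membership at any level."""
    return group in userinfo.get("groups", [])


def has_level(userinfo, group, level):
    """Require at least `level` in `group` using the per-level claims.

    A group is accepted if it appears under the requested level or any higher
    one, so the check works whether or not the provider lists higher levels
    cumulatively. A group that is not also in "groups" is rejected: the level
    claims must be a subset of the plain membership list, and a mismatch means
    the response is inconsistent and should not grant access.
    """
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown access level: {level!r}")
    if not is_member(userinfo, group):
        return False
    for candidate in LEVEL_ORDER[LEVEL_ORDER.index(level):]:
        if group in userinfo.get(LEVEL_CLAIMS[candidate], []):
            return True
    return False


def authorize_release(userinfo, group):
    """Policy for a sensitive action: require Maintainer or above in `group`.

    With a groups-only response the per-level check can never pass, which is
    the gap the MR describes: a Guest and an Owner look identical downstream.
    """
    return has_level(userinfo, group, "maintainer")
```

The example assumes the response has already been validated before its claims are trusted (signature, issuer and audience for an ID token; a TLS-protected userinfo request to the provider for userinfo). Treating the level claims as authoritative without that validation would let any party that can forge the response grant itself Owner-level access downstream.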
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Closes #209975
Edited by Bastian Blank