
extend limitations on accessible user names in case of custom OpenID Connect provider #4893

Open. Wants to merge 1 commit into base: main

Conversation

megglos
Contributor

@megglos megglos commented Jan 23, 2025

Description

See https://camunda.slack.com/archives/C55U06YRG/p1737640933298559?thread_ts=1737636040.852219&cid=C55U06YRG

Effectively Optimize can't display accessible user names in case of a non-Keycloak OIDC setup.

I thus extended the existing docs on limitations of this setup. I think that these are generally not easy to find 😅, I don't have a good improvement suggestion on that yet though.

When should this change go live?

  • This is a bug fix, security concern, or something that needs urgent release support. (add bug or support label)
  • This is already available but undocumented and should be released within a week. (add available & undocumented label)
  • This is on a specific schedule and the assignee will coordinate a release with the DevEx team. (create draft PR and/or add hold label)
  • This is part of a scheduled alpha or minor. (add alpha or minor label)
  • There is no urgency with this change (add low prio label)

PR Checklist

  • My changes are for the next minor and are in /docs directory (aka /next/).
  • My changes are for an already released minor and are in /versioned_docs directory.
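The limitation described above (a non-Keycloak OIDC provider leaves Optimize showing the `sub` claim instead of a user name) comes down to which ID-token claims a relying party can count on. The following Python example is added here for illustration and is not Optimize's or Camunda's code: it decodes constructed (unsigned, signature-free) claim payloads, resolves a display name from the optional OIDC name claims, and falls back to `sub`, which is the only claim every provider must issue. The preference order in `NAME_CLAIMS` and the `owner_key` helper are assumptions for the example, not Optimize's real logic.

```python
"""Added example (not part of the Camunda PR or Optimize): resolve a display
name from OIDC ID-token claims, falling back to `sub` when no name claim exists."""
import base64
import json


def _b64url(obj: dict) -> str:
    """Encode a dict as a base64url JWT segment (helper for constructed samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(segment: str) -> dict:
    """Decode the base64url claims segment of a JWT, restoring padding.
    This does NOT verify a signature; a real relying party validates the
    token (issuer, audience, expiry, signature) before trusting any claim."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# Claims that may carry a human-readable name, in preference order (assumption).
# `name` and `preferred_username` are only issued when the `profile` scope is
# requested and the provider supports them; `sub` is the one REQUIRED claim.
NAME_CLAIMS = ("name", "preferred_username", "email")


def display_name(claims: dict) -> tuple:
    """Return (display_value, source_claim); falls back to the `sub` claim."""
    for claim in NAME_CLAIMS:
        value = claims.get(claim)
        if isinstance(value, str) and value.strip():
            return value, claim
    return claims["sub"], "sub"


def owner_key(claims: dict) -> str:
    """Stable identity key for ownership records: `sub` is unique only per
    issuer, so pair it with `iss` before storing or comparing owners."""
    return f"{claims['iss']}|{claims['sub']}"


# Constructed Keycloak-style payload: carries preferred_username.
KEYCLOAK_LIKE = _b64url({
    "iss": "https://idp.example/realms/demo",
    "sub": "sub-0001-constructed",
    "preferred_username": "alice",
})

# Constructed minimal payload from a custom provider: only mandatory claims,
# which is the situation in which the UI can show nothing but `sub`.
CUSTOM_MINIMAL = _b64url({
    "iss": "https://custom-idp.example",
    "sub": "sub-0001-constructed",
    "aud": "optimize",
    "exp": 1737640933,
})


if __name__ == "__main__":
    for label, token in (("keycloak-like", KEYCLOAK_LIKE), ("custom", CUSTOM_MINIMAL)):
        claims = decode_claims(token)
        shown, source = display_name(claims)
        print(f"{label}: owner shown as {shown!r} (from {source}), key {owner_key(claims)}")
```

Note that the two constructed payloads share the same `sub` value under different issuers: `display_name` gives different answers for them, and `owner_key` keeps them apart, which is why a resource-owner lookup should never be keyed on `sub` alone.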

@megglos megglos requested review from Ben-Sheppard and a team January 23, 2025 15:46
@megglos megglos added the available & undocumented This is already available but undocumented and should be released within a week. label Jan 23, 2025
@akeller
Member

akeller commented Jan 23, 2025

I thus extended the existing docs on limitations of this setup. I think that these are generally not easy to find 😅, I don't have a good improvement suggestion on that yet though.

@conceptualshark is this something already on your radar?

Contributor

@conceptualshark conceptualshark left a comment


Left a small comment for formatting, but agree that this might not be the ideal place for limitations, assuming that's what's meant by them not being easy to find. I think they can live here for now/to get this information out, and I can make a follow-up issue to make some additional adjustments to this page.

| ----------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Identity | **Microsoft Entra ID:** <br/> `https://<IDENTITY_URL>/auth/login-callback` <br/><br/> **Helm:** <br/> `https://<IDENTITY_URL>` | |
| Operate | **Microsoft Entra ID:** <br/> `https://<OPERATE_URL>/identity-callback` <br/><br/> **Helm:** <br/> `https://<OPERATE_URL>` | |
| Optimize | **Microsoft Entra ID:** <br/> `https://<OPTIMIZE_URL>/api/authentication/callback` <br/><br/> **Helm:** <br/> `https://<OPTIMIZE_URL>` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections. |
| Optimize | **Microsoft Entra ID:** <br/> `https://<OPTIMIZE_URL>/api/authentication/callback` <br/><br/> **Helm:** <br/> `https://<OPTIMIZE_URL>` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections, accessible user names for Owners of resources - instead the `sub` claim value is displayed . |
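Review bot: the new Optimize row ends with a stray space before the period (`displayed .`) and capitalizes "Owners" mid-sentence; suggest `... accessible user names for owners of resources (the `sub` claim value is displayed instead).` Since `sub` is the provider's subject identifier and is frequently an opaque ID rather than anything name-like, it would also help readers to say so, so they know what to expect in the Owner field with a custom provider.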
Contributor


Suggested change
| Optimize | **Microsoft Entra ID:** <br/> `https://<OPTIMIZE_URL>/api/authentication/callback` <br/><br/> **Helm:** <br/> `https://<OPTIMIZE_URL>` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following features are not currently available: User permissions tab in collections, digests, `Alerts` tab in collections, accessible user names for Owners of resources - instead the `sub` claim value is displayed . |
| Optimize | **Microsoft Entra ID:** <br/> `https://<OPTIMIZE_URL>/api/authentication/callback` <br/><br/> **Helm:** <br/> `https://<OPTIMIZE_URL>` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.<br/><br/>When using an OIDC provider, the following Optimize features are not currently available: <br/>- The user permissions tab in collections<br/>- The `Alerts` tab in collections<br/>- Digests<br/>- Accessible user names for Owners of resources (the `sub` claim value is displayed instead). |
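Review bot: inside a GFM table cell the `- ` markers after `<br/>` remain literal inline text rather than a list element, so the cell renders as line-broken dashes; that matches the intent here and reads fine. The suggested wording also removes the stray space before the final period from the previous version of the row.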

With the diff for tables being what it is, I apologize if the suggestion is unclear - is it possible to format this as a list to make it easier to read?

Also just confirming Alerts should be in backticks.

@megglos megglos force-pushed the meg-oidc-connect-optimize-limitations branch from ad556d7 to 3981666 on January 25, 2025 05:32
Labels: available & undocumented (This is already available but undocumented and should be released within a week.)
Status: 👀 In Review