Roles for federated/ephemeral users only mapped during first login
Registered by
Juan Pedro Torres Muñoz
Currently, when an ephemeral user is created in Keystone during OIDC federation, the roles are "tattooed" to that user: they are assigned persistently at first login rather than re-derived from the IdP assertion on each login. This presents a problem when you want to control those roles from the IdP side. There is also a problem when you delete a user and recreate it later: it still has the roles from the first time.
This presents a problem for controlling the users, and opens the possibility of new issues if you try to map the user to another domain.
We also think that the admin role shouldn't be assigned through federation, as it might cause security issues due to the volatility of the federated users.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Juan Pedro Torres Muñoz
- Direction: Needs approval
- Assignee: None
- Definition: Drafting
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: