Implement domain allow-listing for OpenID Logins #2238
Labels: feature, needs triage
Context
OpenBAS currently supports OpenID as a login. However, it will completely trust the OpenID provider and allow logins from any user.
For example, with Google login, anyone with a Google account and network access to the instance can log in.
OpenCTI supports adding specific domains to an allow list using the PROVIDERS__GOOGLE__CONFIG__DOMAIN environment variable. This restricts logins to only known domains. However, there doesn't appear to be an equivalent documented for OpenBAS. This issue proposes adding that functionality in - I'm not sure if it's already available in Spring but given the current implementation maybe it would be something like SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GOOGLE_DOMAIN. Thank you!
Use case
This would allow a layer of security for OpenID logins, to prevent unwanted access.
Current Workaround
Using external controls to prevent access to the login page. Using SAML is also more robust, but OpenID may be a quicker path forward for some.
Proposed Solution
Add a domain allow-list feature.
Additional Information
If the feature request is approved, would you be willing to submit a PR?
Yes / No (Help can be provided if you need assistance submitting a PR)
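As an added illustration of the proposed check (not OpenBAS code and not a committed design), a Spring Security OIDC user service wrapper that rejects any OpenID login whose verified email domain is not on an allow-list; the class name and the source of the allow-list string are assumptions:

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

// Hypothetical allow-list wrapper around Spring's default OidcUserService.
// Wire it with: http.oauth2Login(o -> o.userInfoEndpoint(u -> u.oidcUserService(svc)))
public class DomainAllowListOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {

    private final OidcUserService delegate = new OidcUserService();
    private final Set<String> allowedDomains;

    // allowList: comma-separated domains, e.g. "example.org, corp.example.org"
    // (assumed to come from a configuration property; the property name is not defined here)
    public DomainAllowListOidcUserService(String allowList) {
        this.allowedDomains = Arrays.stream(allowList.split(","))
                .map(d -> d.trim().toLowerCase(Locale.ROOT))
                .filter(d -> !d.isEmpty())
                .collect(Collectors.toSet());
    }

    // Exact, case-insensitive match on the domain part of a verified email claim.
    // Deny when the claim is missing, unverified or malformed; subdomains are not
    // implicitly allowed, they must be listed explicitly.
    boolean isAllowed(String email, Boolean emailVerified) {
        if (email == null || !Boolean.TRUE.equals(emailVerified)) {
            return false;
        }
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) {
            return false;
        }
        return allowedDomains.contains(email.substring(at + 1).toLowerCase(Locale.ROOT));
    }

    @Override
    public OidcUser loadUser(OidcUserRequest request) throws OAuth2AuthenticationException {
        OidcUser user = delegate.loadUser(request);
        if (!isAllowed(user.getEmail(), user.getEmailVerified())) {
            // Fail closed: the login is rejected before any application session exists.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("domain_not_allowed", "email domain is not on the allow-list", null));
        }
        return user;
    }
}
```

The decision relies on the email and email_verified claims the provider asserts in the ID token or userinfo response, so a personal account on a public mail domain is rejected unless that domain is explicitly listed.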