
Okta sync on team edit event not processed currently

Open gmconklin opened this issue 2 years ago • 2 comments

I would like to know if there is a roadmap for this feature as I do not understand the value of this integration without the sync being instigated when teams are changed from within Okta.

gmconklin avatar Jun 16 '22 20:06 gmconklin

There is no active roadmap, we absolutely would take pull requests if you want to contribute anything.

Chocrates avatar Oct 03 '22 15:10 Chocrates

@gmconklin it can be added... we're not currently listening for any events other than those triggered by GitHub. We would need to implement a webhook listener and have each IdP configured to send events to the app.

First sequence

In this sequence, we're reacting to a change in GitHub, ensuring that teams are not manually edited.

```mermaid
sequenceDiagram
    autonumber
    participant GitHub
    participant team-sync
    participant IdP
    GitHub->>team-sync: event (team created/edited)
    team-sync->>IdP: request group members
    IdP->>team-sync: return group members
    team-sync->>team-sync: compare members
    team-sync->>GitHub: update team members
```

Second sequence

In this sequence, we're running on a schedule.

```mermaid
sequenceDiagram
    autonumber
    participant GitHub
    participant team-sync
    participant IdP
    team-sync->>team-sync: scheduled sync (cron)
    team-sync->>IdP: request group members
    IdP->>team-sync: return group members
    team-sync->>team-sync: compare members
    team-sync->>GitHub: update team members
```

Third sequence (not currently supported)

In this sequence, we would need to respond to changes in the IdP (i.e. Okta) and make updates based on those changes.

```mermaid
sequenceDiagram
    autonumber
    participant GitHub
    participant team-sync
    participant IdP
    IdP->>team-sync: event (group created/edited)
    team-sync->>IdP: request group members
    IdP->>team-sync: return group members
    team-sync->>team-sync: compare members
    team-sync->>GitHub: update team members
```

In order for us to support this we will need to implement a few things (completely doable, but should be laid out):

  1. We need webhook verification implemented with a distinct endpoint. The current listener is validating GitHub payloads.
  2. Will all groups in Okta be sent to the app? This is one area where we might see a lot of noise.

We implemented cron as a way to maintain an "eventually consistent" approach so that you can have minimal delays in provisioning. Using a 1h schedule, for example, isn't a massive blocker to most organizations. Since the app responds to GitHub events, we'll still have the benefit of ensuring no unauthorized access, but might have to wait an hour to get new users added to groups.

With that context in mind, we can probably add this as a feature, but I'll need to do some testing to make sure we can support it adequately.

primetheus avatar Aug 17 '23 22:08 primetheus
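As an added illustration (not code from github-team-sync or from anyone in this thread), a Python sketch of the two pieces items 1 and 2 above call for: HMAC verification of the raw payload on a dedicated IdP endpoint, and a filter that drops events for groups the app does not manage before the member comparison runs. The header name, shared secret, payload shape and group names are constructed assumptions; the real IdP configuration determines them.

```python
"""Sketch of a dedicated IdP webhook endpoint: verify, filter, then diff members."""
import hashlib
import hmac
import json

# Constructed values for the example; the real IdP event-hook configuration decides both.
IDP_WEBHOOK_SECRET = b"example-shared-secret"
SIGNATURE_HEADER = "X-Idp-Signature-256"


def verify_idp_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Check an HMAC-SHA256 signature over the raw request body.

    hmac.compare_digest is constant-time, so a forged header does not leak how
    many leading characters of the signature were correct.
    """
    if not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def diff_members(idp_members, github_members):
    """Return (to_add, to_remove) so the GitHub team ends up matching the IdP group."""
    idp = {m.lower() for m in idp_members}
    gh = {m.lower() for m in github_members}
    return sorted(idp - gh), sorted(gh - idp)


def handle_idp_event(headers: dict, body: bytes, github_members, managed_groups) -> dict:
    """Process one group-changed event; returns the planned team changes."""
    # Verify before parsing: an unauthenticated body is never deserialised.
    if not verify_idp_signature(IDP_WEBHOOK_SECRET, body, headers.get(SIGNATURE_HEADER, "")):
        return {"status": 401, "reason": "bad signature"}
    event = json.loads(body)
    # Filter the noise: only groups mapped to a GitHub team trigger a sync.
    if event.get("group") not in managed_groups:
        return {"status": 202, "reason": "group not managed"}
    to_add, to_remove = diff_members(event["members"], github_members)
    return {"status": 200, "group": event["group"], "add": to_add, "remove": to_remove}


def sign(secret: bytes, body: bytes) -> str:
    """Build a valid signature header, as the IdP side would."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
```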