
Auth: Remove OIDC identities

Open edlerd opened this issue 1 year ago • 2 comments

Required information

  • Distribution: snap
  • Distribution version: 5.21.0-0cbd19b

Issue description

On log-in of OIDC users, an entry in the identities table gets created. Currently, there is no way to remove those entries. This might be problematic if the user in the external identity provider was removed and an administrator wants to clean up the entries in LXD.

The suggestion is to add an endpoint that allows removing OIDC identities.

Steps to reproduce

  1. Configure LXD with OIDC
  2. Log in to the UI with an OIDC user [email protected]
  3. Remove [email protected] from LXD's identities

edlerd avatar Mar 14 '24 15:03 edlerd

We can consider the SCIM protocol (https://scim.cloud/) to align identities with the IdP

mseralessandri avatar Apr 11 '24 14:04 mseralessandri

There are a number of options for removing OIDC identities:

  1. Add a task to clean up OIDC identities that have not been seen for a configurable period and are not members of an LXD group.
  2. Add an endpoint so that an administrator can remove them manually. If they are still present at the IdP level this will have the effect of revoking all LXD group membership, but it will not have any effect if permissions are configured using IdP group mappings.
  3. Use SCIM as suggested by @mseralessandri. We should be careful to add a backup for this as it may not be supported by all IdPs.

markylaing avatar Apr 11 '24 14:04 markylaing
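The selection rule behind option 1 above (drop OIDC identities that have been idle longer than a configurable period and that belong to no LXD group) is small enough to write down. The following is an added illustration and is not LXD's own code: the `Identity` type, the `AuthMethod` values and the sample rows are all constructed assumptions standing in for whatever the real identities table holds. Group members are deliberately left alone, which is the point raised against option 2: deleting an identity that still has group memberships silently revokes access.

```go
package main

import (
	"fmt"
	"time"
)

// Identity is a hypothetical, simplified view of one identities-table row.
// It is not LXD's type; the fields are assumptions for this example.
type Identity struct {
	Identifier string    // OIDC subject or e-mail, or a TLS certificate name
	AuthMethod string    // "oidc" or "tls" (assumed values)
	LastSeen   time.Time // time of the last successful login
	Groups     []string  // LXD group memberships
}

// StaleOIDCIdentities returns the identifiers of the OIDC identities that a
// cleanup task following option 1 would remove: not seen within maxIdle and
// not a member of any LXD group. TLS identities and group members are kept.
func StaleOIDCIdentities(ids []Identity, now time.Time, maxIdle time.Duration) []string {
	var stale []string
	for _, id := range ids {
		if id.AuthMethod != "oidc" {
			continue // only OIDC entries are created automatically on login
		}
		if len(id.Groups) > 0 {
			continue // removing these would revoke LXD group membership
		}
		if now.Sub(id.LastSeen) <= maxIdle {
			continue // seen recently enough
		}
		stale = append(stale, id.Identifier)
	}
	return stale
}

// Prune returns the identities that remain after the stale OIDC entries are
// removed, so the caller can see exactly what a cleanup pass would keep.
func Prune(ids []Identity, now time.Time, maxIdle time.Duration) []Identity {
	drop := map[string]bool{}
	for _, name := range StaleOIDCIdentities(ids, now, maxIdle) {
		drop[name] = true
	}
	var kept []Identity
	for _, id := range ids {
		if !drop[id.Identifier] {
			kept = append(kept, id)
		}
	}
	return kept
}

// sampleIdentities builds a constructed set of rows relative to now.
func sampleIdentities(now time.Time) []Identity {
	day := 24 * time.Hour
	return []Identity{
		{Identifier: "alice@example.com", AuthMethod: "oidc", LastSeen: now.Add(-1 * day)},
		{Identifier: "bob@example.com", AuthMethod: "oidc", LastSeen: now.Add(-200 * day), Groups: []string{"admins"}},
		{Identifier: "carol@example.com", AuthMethod: "oidc", LastSeen: now.Add(-200 * day)},
		{Identifier: "client-cert-1", AuthMethod: "tls", LastSeen: now.Add(-400 * day)},
	}
}

func main() {
	now := time.Now()
	ids := sampleIdentities(now)
	maxIdle := 90 * 24 * time.Hour
	fmt.Println("would remove:", StaleOIDCIdentities(ids, now, maxIdle))
	for _, id := range Prune(ids, now, maxIdle) {
		fmt.Printf("kept: %s (%s, groups=%v)\n", id.Identifier, id.AuthMethod, id.Groups)
	}
}
```

With the sample rows and a 90-day idle period, only `carol@example.com` is selected: `alice` was seen yesterday, `bob` is idle but still in a group, and the TLS identity is out of scope for the OIDC cleanup.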