Alexander Scheel
Thank you @voigt and @phyrog!
\o hey @genelet -- thanks for the thoughts :-) So far we don't have namespace support, but #569 talks about this a bit more as something we'd love to have....
@satoqz I think it is fine, the chances of a collision are astronomical outside of bad random.
> since we'd usually expect `sub` to match an entity_alias. @suprjinx This is true in some deployments, but I didn't think this was a universal assumption (that everyone would be...
@suprjinx Hmm, I think the k8s docs are a little better (which also use CEL): https://kubernetes.io/docs/reference/using-api/cel/, https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/, and https://github.com/google/cel-spec are good pointers to start with. Essentially, it is a non-Turing-complete...
@suprjinx Right, we should have that as well (https://openbao.org/api-docs/auth/jwt/ -- search for `bound_claims_type` which supports a `"glob"` option). But globs aren't quite the right format for enforcing co-dependent values (in...
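Added example (not OpenBao's code and not something posted in this thread): a Go sketch of why per-claim globs, like the `bound_claims_type="glob"` option linked above, cannot express a rule that ties two claims together, and what one such cross-claim rule looks like (with the equivalent CEL expression from the earlier comment shown only as a comment). The claim names `repository` and `sub`, the two token payloads, the minimal `*` matcher and every helper name are constructed for illustration and are not the plugin's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims is a flattened string-only view of a JWT payload. The payloads below
// are constructed samples modelled on GitHub Actions OIDC tokens, not real tokens.
type Claims map[string]string

// honestClaims: repository and sub agree, as a genuinely issued token would.
var honestClaims = Claims{
	"repository": "openbao/openbao",
	"sub":        "repo:openbao/openbao:ref:refs/heads/main",
}

// confusedClaims: each claim passes its own glob, yet they name different repos.
var confusedClaims = Claims{
	"repository": "openbao/openbao",
	"sub":        "repo:attacker/openbao:ref:refs/heads/main",
}

// sampleBound plays the part of a role's bound_claims with glob matching: one
// independent pattern per claim (an approximation of the option, not OpenBao's code).
var sampleBound = map[string]string{
	"repository": "openbao/*",
	"sub":        "repo:*:ref:refs/heads/main",
}

// globMatch is a minimal `*`-only wildcard matcher written for this example;
// it approximates, and is not, the glob library the plugin actually uses.
func globMatch(pattern, value string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == value // no wildcard: exact match
	}
	if !strings.HasPrefix(value, parts[0]) {
		return false
	}
	rest := value[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		idx := strings.Index(rest, mid)
		if idx < 0 {
			return false
		}
		rest = rest[idx+len(mid):]
	}
	return strings.HasSuffix(rest, parts[len(parts)-1])
}

// checkBoundClaimsGlob evaluates every bound claim on its own. Nothing in this
// shape can say "sub must be derived from repository", the co-dependent case.
func checkBoundClaimsGlob(bound map[string]string, claims Claims) error {
	for name, pattern := range bound {
		got, ok := claims[name]
		if !ok {
			return fmt.Errorf("claim %q missing", name)
		}
		if !globMatch(pattern, got) {
			return fmt.Errorf("claim %q=%q does not match %q", name, got, pattern)
		}
	}
	return nil
}

// checkSubMatchesRepository is the cross-claim rule the globs cannot express.
// In CEL the same rule would read, roughly:
//   claims.sub.startsWith("repo:" + claims.repository + ":")
// That line is illustrative only and is not evaluated here.
func checkSubMatchesRepository(claims Claims) error {
	want := "repo:" + claims["repository"] + ":"
	if !strings.HasPrefix(claims["sub"], want) {
		return errors.New("sub does not belong to the repository claim")
	}
	return nil
}

func main() {
	for label, c := range map[string]Claims{"honest": honestClaims, "confused": confusedClaims} {
		fmt.Printf("%-8s globs: %v  cross-claim: %v\n", label,
			checkBoundClaimsGlob(sampleBound, c), checkSubMatchesRepository(c))
	}
}
```

Running it shows both payloads passing the independent glob checks while only the honest one passes the cross-claim rule; that gap is the case a role configured purely with `bound_claims` cannot close without an expression language.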
@suprjinx Hmmm, I think that would be fine for an incremental improvement, but I think adding CELs would be a good time to rethink the binding logic entirely. How about...
> But if we want to rethink the interface -- we could follow the Sentinel Policy idea and put the CEL logic into the policy itself. I don't think this...
@suprjinx Given we're introducing a whole new language as a dependency to this plugin, I'd say it's prudent. If you don't want to write it though, I'm happy to do...
@suprjinx ah one thing I hadn't considered is the `role_type={oidc,jwt}` parameter should probably be part of the path directly rather than inferred from the program. It determines how authentication goes...