[DRAFT] Add descriptions and some formats to the Profile schema#72
[DRAFT] Add descriptions and some formats to the Profile schema#72gdestuynder merged 2 commits intomozilla-iam:masterfrom
Conversation
|
It looks like this has been moved to |
|
damn 🐱 |
|
Thanks for this PR, this is quite useful I've edited it to reflect how fields are used in some cases (or fixed the Finally, the file has moved to |
|
manually merging with conflict resolution |
djmitche
left a comment
djmitche
left a comment
There was a problem hiding this comment.
Thanks for landing this -- it's a great update. I've made some more comments here, and I will make another PR based on the answers.
| "user_id": { | ||
| "type": "string", | ||
| "description": "(Authoritative) The user ID as defined by the underlying IdP. Profile consumers should not try to interpret this value in any way, but may use it as a stable identifier for this user as identified by this IDP." | ||
| "description": "The unique user identifier. Profile consumers should not try to interpret this value in any way." |
There was a problem hiding this comment.
Is it not allowed to use this as a stable identifier? What should a client use to identify "the same" user from session to session?
There was a problem hiding this comment.
i don't want readers to infer that this is to be used as the user identifier for users to login, i.e.
Login: blah|LDAP|xxx
Password: xxxx
Because the user_id is not very human friendly compared to emails. It's ok to use it internally where needed though.
| "active": { | ||
| "type": "boolean", | ||
| "description": "(Authoritative) If false, all access for this user should be denied. Profile consumers MUST check this value and disregard the remainder of the profile if false." | ||
| "description": "If false, all access for this user should be denied. Profile consumers MUST check this value and disregard the remainder of the profile if false." |
There was a problem hiding this comment.
Is there a circumstance where this would be false but the profile still returned?
There was a problem hiding this comment.
when querying the CIS API in the future - the point is that it is stored that way in the identity vault (ie the database of user profiles) thus anything that may read the profile would get "false" returned. Right now, this is only "internal" CIS code. Auth0 will return an HTTP error code.
| "userName": { | ||
| "type": "string", | ||
| "description": "UNKNOWN" | ||
| "description": "Human-readable login name or identifier for this user. For a unique identifier, use `user_id` instead." |
There was a problem hiding this comment.
Hm, but user_id doesn't say it's stable..
There was a problem hiding this comment.
See above comment about user_id
| }, | ||
| "PGPFingerprints": { | ||
| "type": "array", | ||
| "description": "All PGP fingerprints associated with this user's profile such as `bob` or `mary`. Order is undefined.", |
There was a problem hiding this comment.
Are bob and mary fingerprints?
There was a problem hiding this comment.
:) if you pr, please fix
| "groups": { | ||
| "type": "array", | ||
| "description": "(Informational) Deprecated. Use `authoritativeGroups` instead.", | ||
| "description": "Informational group membership for the user. Non-prefixed groups are what is known as Mozilla LDAP groups. Groups prefixed by a provider name and underscore are provided by a specific group engine.\nFor example `providername_groupone` is provided by `providername`.\nThese groups are provided `as-is` and you should ensure it contains the members you expect.", |
There was a problem hiding this comment.
Perhaps add a reference to authoritativeGroups here and say in as many words that groups is not suitable for access control?
There was a problem hiding this comment.
groups are used for access control. how much of a guarantee that groups are properly managed is up to you (it's managed by humans, which are generally also the owner of the service using these groups, but not necessarily), and authoritativeGroups have a better guarantee because they are either well defined with regular humans audits, either programatically defined. Both are needed in practice.
| "authoritativeGroups": { | ||
| "type": "array", | ||
| "description": "(Authoritative) A list of user-groups of which this user is a member. The group names are specific to the IdP, so profile consumers should take the IdP into account when interpreting this information. Note that the identity of the IdP is not available in the profile.", | ||
| "description": "A highy reliable list of groups for which this user is a member. These groups are either machine generated and strongly verified to be correct through software, or follow a well-defined human process in order to be verified to be correct.\nThese groups may optionally be used by the access providers themselves to assert access and may take precedence over the RP's own group checks.", |
| "type": "string", | ||
| "format": "date-time", | ||
| "description": "UNKNOWN" | ||
| "description": "Date at which this group membership last granted access to a resource (generally, an RP) for the user. This may be used to automatically expire and deny access when the lastUsed attribute is older than 3 month, for example." |
There was a problem hiding this comment.
Is there a defined way to update this date? Or is that something that's only handled for very specific cases (I'm assuming VCS access..).
There was a problem hiding this comment.
So far we've only planned to update this date through CIS, by Auth0, on-access. VCS still uses an LDAP write to a specific LDAP attribute at this time. There could be other publishers such as a VCS in the future though, effectively replacing the LDAP attribute write.
| "name": { | ||
| "type": "string", | ||
| "description": "Name of the group, as given by the IdP." | ||
| "description": "Name of the group." |
There was a problem hiding this comment.
Does this follow the same format (provider_name)?
There was a problem hiding this comment.
No - while this structure (authoritativeGroups) is present it's not yet used - but we currently do not plan to namespace publishers within it. We had a previous iteration where all groups were namespaced (via a json structure, not a string 'hack'/underscore) but we realized it was currently too unrealistic. This is also why, at this time, only Auth0 is planned to write here.
There was a problem hiding this comment.
Interesting. If the set of authoritativeGroups is small enough, perhaps each known group could be enumerated in the schema, with suitable descriptions?
| "uuid": { | ||
| "type": "string", | ||
| "description": "Reserved; profile providers should not use this value." | ||
| "description": "Unique identifier for the authoritative group. Profile consumers should not try to interpret this value in any way." |
There was a problem hiding this comment.
If I were building a document editing tool and wanted to be able to associate groups with access to a document, would this be the right value to store in my access-control table, rather than name?
There was a problem hiding this comment.
if you wanted to use these groups, then yes. In most cases you'll want to use groups though.
There were many questions about groups vs authoritativeGroups and ideally I/we should make a little doc about it (descriptions are a little short to tell the whole story).
Another attempt through comments though:
-
Auth0 (the
access provider) is expected to maintain and enforceAuthoritativeGroups. This means it may prevent a user to login to an RP, regardless of the RP's opinion on this. While all RPs have an associatedAuthoritativeGroupsattribute, not all of the RPs access is prevented by Auth0 (basically for any RP set to "allow anyone in" Auth0 does not prevent access, it just updates attributes, otherwise, it does/will) -
RPs may use
AuthoritativeGroupsvalues if they wish, though Auth0 already did the access validation on their behalf -
RPs should use
groups(any, or combination of groups, as the RP sees fit) with full knowledge that the groups are only as reliable as the people managing them. eg:- if there is a group called "mozilliansorg_pplwholikechocolate" managed by a person in Japan that maintain a directory of friends who like chococolate and you decide to use it, it's only as reliable as what this person decides the members are.
- If you create your own "mozilliansorg_pplthatitrust" (mozillians.org) or "pplthatitrust" (LDAP manage) then it's up to you.
- If you use "workday_staff", these are managed by Mozilla HR, though they currently do not have the same guarantees as
AuthoritativeGroups, but they hopefully and eventually will. If we get there, there will most likely be a "publisher" attribute in theAuthoritaiveGroups(adding being much easier than removing/changing attributes)
| "description": "All email addresses associated with this user's profile. Order is undefined.", | ||
| "items": { | ||
| "type": "object", | ||
| "properties": { |
There was a problem hiding this comment.
It might be worth adding required and additionalProperties here (and for the other arrays of sub-objects), too.
2 participants
I've written up some descriptions for schema fields -- and added a few formats where they were clear.
This is all just guesswork -- and where I've written "UNKNOWN" I was unable to guess. Please comment to let me know where I've gotten it wrong, and I will update.