Pretty sure this is a feature request as I’ve scoured the Access docs and the API docs and haven’t found anything.
On our Argo/Access secured services we want to know which group(s) a user belongs to. Currently the only information passed to our app from CF Access is the user’s email.
There is no API endpoint for determining which groups a user is a member of. One would have to parse all the Access groups rules and manually resolve the require statements. This would be quite a hairy thing to implement ourselves.
Several ways I could see user groups being exposed are:
- An additional header listing the groups a user belongs to
- An API endpoint that returns the groups
  - However, to be able to actually deploy usage of that endpoint we would need a very fine-grained API Token Permission instead of the generic “Read everything related to Access”
- Adding the groups to the JWT
  - The negative here, of course, is that the JWT would need to be re-issued every time group membership changed
We’re using Access to secure, erm, well, access, to a suite of inter-organizational apps. We can’t roll out a centralized SSO for all the users because of the inter-organizational nature of this deployment. Using Google as the IdP works great because all our users have Google Accounts. Using Access as the single stop for determining user identity and group membership makes building role/permission authorization into our apps much simpler, but as it stands we need to duplicate group definitions between Access and a new purpose-built internal system… quite a waste.