How to know which users are in which groups?

Pretty sure this is a feature request as I’ve scoured the Access docs and the API docs and haven’t found anything.

On our Argo/Access secured services we want to know which group(s) a user belongs to. Currently the only information passed to our app from CF Access is the user’s email.

There is no API endpoint for determining which groups a user is a member of. One would have to parse all the Access groups rules and manually resolve the include, exclude, and require statements. This would be quite a hairy thing to implement ourselves.

Several ways I could see user groups being exposed are:

  • An additional header listing the groups a user belongs to
  • An API endpoint that returns the groups
    • However to be able to actually deploy usage of that endpoint we would need a very fine-grained API Token Permission instead of the generic “Read everything related to Access”
  • Adding the groups to the JWT
    • The negative here of course is that the JWT would need to be re-issued every time group membership changed

We’re using Access to secure, erm, well, access, to a suite of inter-organizational apps. We can’t roll out a centralized SSO for all the users because of the inter-organizational nature of this deployment. Using Google as the IDP works great because all our users have Google Accounts. Using Access as the single-stop for determining user identity and group membership makes building role/perm authorization into our apps much simpler, but as it stands we need to duplicate group definitions between Access and a new purpose-built internal system… quite a waste.
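The following is an added example, not code from the post above or from Cloudflare, showing the application side of what the poster describes: the app receives only an identity assertion carrying the user's email, verifies it instead of trusting a bare header, and then has to resolve groups from its own locally maintained map. Real Access assertions are RS256-signed with keys published under the team's `/cdn-cgi/access/certs` path; the HS256 secret, the issuer and audience values, the `LOCAL_GROUPS` table and the optional `groups` claim (the third option in the post, which Access does not issue today) are all constructed assumptions so the code runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this demo. A real Access deployment verifies RS256
# signatures against the team's published certs; HS256 is used here only so
# the example runs with the standard library.
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://example-team.cloudflareaccess.com"   # assumed issuer
EXPECTED_AUD = "constructed-application-audience-tag"        # assumed aud tag

# The duplicate group definitions the post complains about: with no groups
# claim available, the app has to keep its own email -> groups mapping.
LOCAL_GROUPS = {
    "alice@example.com": ["admins", "billing"],
    "bob@example.com": ["viewers"],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a demo HS256 JWT; stands in for the assertion Access would send."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_assertion(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims.

    Raises ValueError on any failure so the caller denies the request rather
    than falling back to an unauthenticated email header.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never accept 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in audiences:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if not isinstance(claims.get("email"), str):
        raise ValueError("no email claim")
    return claims


def groups_for(claims: dict) -> list:
    """Resolve groups: use a (hypothetical) groups claim if present, else the local map."""
    if isinstance(claims.get("groups"), list):
        return list(claims["groups"])
    return LOCAL_GROUPS.get(claims["email"], [])


if __name__ == "__main__":
    token = make_assertion({
        "iss": EXPECTED_ISS, "aud": [EXPECTED_AUD],
        "email": "alice@example.com", "iat": 1000, "exp": 2000000000,
    })
    verified = verify_assertion(token)
    print(verified["email"], groups_for(verified))
```

`groups_for` is written so that, should a `groups` claim ever appear in the assertion, the local table becomes unnecessary; until then it is exactly the duplicated definition the post describes. The `now` parameter exists only to make expiry checks deterministic in tests.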