Allow adding space hierarchy in OIDC subject

Request: Have an option in Spacelift to enable the full space hierarchy in the space claim of the OIDC subject, e.g.

Default behavior: space:<space_id>:<rest of the claims>

Proposed feature enabled: space:root→space1_id→space1_child_id:<rest of the claims>

Workaround

The workaround for this is either using lots of OIDC conditions, one per existing space, or using a wildcard together with very tight control over space creation via policies and user access. All of this carries certain risks.

Problem

Currently the OIDC subject is in the format space:<space_id>:<remaining claims>. This works very well to control one specific space, but not so well to control a specific branch of spaces. Let's say you want all spaces in a certain branch to be able to assume a role. To achieve this you have to add wildcards in the space claim and/or have very strict control over space creation and a naming convention that allows the wildcards to work. This is somewhat risky, and would be solved by simply adding the hierarchy information to the OIDC subject.
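To make the risk concrete, here is an added example (written for this page; it is not the post author's code and not Spacelift's) that evaluates IAM-style StringLike conditions against sample subjects. The space ids, the trailing claims and the exact shape of the hierarchical subject are constructed assumptions based on the two formats shown in the post; real cloud providers evaluate such conditions in trust policies rather than in Python, but the matching semantics are the same.

```python
"""
Added illustration: why a wildcard on the flat subject over-matches, and how a
subject that carries the space hierarchy lets a condition select one branch.
All subjects, space ids and trailing claims below are constructed for the demo.
"""
import fnmatch
from typing import List

# Constructed subjects in today's flat layout: space:<space_id>:<rest of the claims>.
# "prod-sandbox" stands for a space created outside the intended naming convention.
FLAT_SUBJECTS = [
    "space:prod:caller_type:stack:caller_id:app:run_type:TRACKED",
    "space:prod-payments:caller_type:stack:caller_id:pay:run_type:TRACKED",
    "space:prod-sandbox:caller_type:stack:caller_id:try:run_type:PROPOSED",
    "space:staging:caller_type:stack:caller_id:app:run_type:TRACKED",
]

# The same runs if the subject carried the hierarchy root→...→leaf (assumed layout).
HIER_SUBJECTS = [
    "space:root→prod:caller_type:stack:caller_id:app:run_type:TRACKED",
    "space:root→prod→prod-payments:caller_type:stack:caller_id:pay:run_type:TRACKED",
    "space:root→prod-sandbox:caller_type:stack:caller_id:try:run_type:PROPOSED",
    "space:root→staging:caller_type:stack:caller_id:app:run_type:TRACKED",
]

# Workaround 1 from the post: one exact condition per space id. Precise, but must be
# updated every time a space is created.
PER_SPACE = ["space:prod:*", "space:prod-payments:*"]
# Workaround 2 from the post: a wildcard that relies on a naming convention.
WILDCARD = ["space:prod*:*"]
# With the proposed hierarchy the branch is encoded in the subject itself: match the
# branch root and everything below it, with no dependence on how leaves are named.
HIERARCHICAL = ["space:root→prod:*", "space:root→prod→*"]


def string_like(patterns: List[str], value: str) -> bool:
    """IAM-style StringLike over a list of patterns (a list is an OR).

    '*' matches any run of characters and '?' a single character; matching is
    case-sensitive. fnmatch additionally honours [...] classes, which IAM does not,
    but no input here contains brackets.
    """
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def subjects_allowed(patterns: List[str], subjects: List[str]) -> List[str]:
    """Return the subjects that the condition would let assume the role."""
    return [s for s in subjects if string_like(patterns, s)]


def space_path(subject: str) -> List[str]:
    """Split the space segment of a subject into its hierarchy, root first.

    A flat subject yields a one-element list, so the same parser serves both layouts.
    """
    prefix = "space:"
    if not subject.startswith(prefix):
        raise ValueError("not a space subject: %r" % subject)
    segment = subject[len(prefix):].split(":", 1)[0]
    return segment.split("→")


def in_branch(subject: str, branch: List[str]) -> bool:
    """Structural check: the subject's space is `branch` itself or a descendant of it."""
    path = space_path(subject)
    return path[: len(branch)] == branch


if __name__ == "__main__":
    print("per-space:   ", subjects_allowed(PER_SPACE, FLAT_SUBJECTS))
    print("wildcard:    ", subjects_allowed(WILDCARD, FLAT_SUBJECTS))   # includes prod-sandbox
    print("hierarchical:", subjects_allowed(HIERARCHICAL, HIER_SUBJECTS))
    for s in HIER_SUBJECTS:
        print(space_path(s), in_branch(s, ["root", "prod"]))
```

The wildcard condition admits the sandbox space purely because its id happens to start with `prod`; the per-space list avoids that but has to be maintained as spaces appear. With the hierarchy in the subject, the two hierarchical patterns select exactly the `prod` branch, and `in_branch` shows the same check done structurally once the path is parsed out of the claim.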

Date: About 1 year ago