feat: Microsoft connector; allow pagination when more than 1000 AD groups#4833
feat: Microsoft connector; allow pagination when more than 1000 AD groups#4833XDanny322 wants to merge 5 commits into
Conversation
Signed-off-by: Danny Lai <xdanny322@gmail.com>
|
Looks good, the only thing that looks odd is using 999 when the documented limit is 1000. Is this a "safety buffer" or something like that? If so, I'd write one or two lines about it in the comment |
|
This would fix the issue we're experiencing in our enterprise setup, nice MR. |
…cifications Signed-off-by: Danny Lai <xdanny322@gmail.com>
Ya, it was a safety buffer, but seems unnecessary. Likely causes more confusion then good. I've updated it back to 1000, code and the test , tested e2e, and all good. Thanks for taking a look - feel free to trigger actions / merge etc. |
|
I'm considering if we should make this behavior opt-in in the config of the connector...
Not sure how big this impact can be on the compute resources needed by Dex or if Microsoft can start rate-limiting... Would every user of the Microsoft connector be happy with this change? 🤔 |
|
Well, i guess i can see the concern. Today users with 1k+ group just doesn't work. Given the lack of other issues / users reporting this =), i am guessing its not a popular usecase (but in enterprise, its pretty common). Thats what makes me sayd, i think its safe to push this as is. But i do agree that having a feature flag to gate this would help / future prove this, especially re compute concern. Claude and i took a quick look, and it doesn't seem that bad. I install dex via helm, and quick looks shows in the - type: microsoft
id: microsoft
name: Microsoft
config:
clientID: $AZURE_AD_DEX_OAUTH_CLIENTID
clientSecret: $AZURE_AD_DEX_OAUTH_CLIENTSECRET
redirectURI: https://dex...../callback
tenant: foo.onmicrosoft.com
onlySecurityGroups: true
groupNameFormat: name
batchGroupLookups: true # new: opt in to fetch group names for >1000 group membersFinally, should i send a PR to website as well? Happy to, just checking |
|
Yeah config proposal looks good to me. Yes, website PR pls! |
Signed-off-by: Danny Lai <hlai@factset.com>
|
LGTM 👍 |
…and configuration details xref dexidp/dex#4833
…and configuration details xref dexidp/dex#4833 Signed-off-by: Danny Lai <hlai@factset.com>
…and configuration details xref dexidp/dex#4833 Signed-off-by: Danny Lai <xdanny322@gmail.com>
…and configuration details xref dexidp/dex#4833 Signed-off-by: Danny Lai <xdanny322@gmail.com>
…and configuration details xref dexidp/dex#4833 Signed-off-by: Danny Lai <xdanny322@gmail.com>
|
Hi @matheuscscp - all done. Updates code to add feature flag, default to false. If true, then the new paging logic kicks on. Updated tests to test both if Doc PR here: dexidp/website#216 Thanks for the review! |
Overview
Using the Microsoft connector (EntraID / Azure AD), if a user has more than 1000
transitive group memberships, Dex fails to authenticate them. The Microsoft Graph API
endpoint
POST /v1.0/directoryObjects/getByIdsrejects requests with more than 1000identifiers:
What this PR does / why we need it
getGroupNamesresolves Azure AD group UUIDs to display names by POSTing all IDs at onceto
/v1.0/directoryObjects/getByIds. When a user has more than 1000 transitive groupmemberships (common in large enterprises with nested security groups), Graph rejects the
request and authentication fails entirely.
This PR wraps the existing inner loop in an outer chunking loop that splits the input IDs
into batches of ≤999 before each
getByIdscall:A new unit test
TestGetGroupNamesBatchLimitis added inconnector/microsoft/microsoft_test.go:ceil(1500 / 999) = 2)This was also validated end-to-end against a real Azure AD tenant with a user in 1068
transitive group memberships. Before the fix: authentication fails with the
Request_BadRequesterror. After the fix: all 1068 groups are resolved andauthentication succeeds.
Special notes for your reviewer
Tested end-to-end: built a custom image, deployed it, and confirmed a user with 1068
transitive AD groups can authenticate successfully. All groups are returned.
Once this fix is applied and all group display names are resolved, a secondary issue
can surface for users with very large group counts: Dex embeds all group names in its
JWT access token (~61 KB for 1068 groups). If an nginx ingress sits in front of Dex,
the default
large_client_header_buffersof4 8kwill reject the oversizedAuthorization: Bearerheader when the token is used to call/userinfo. Theworkaround is to raise the buffer to
4 64k. This is a separate issue from the onefixed here — noting it so anyone hitting the same setup isn't surprised. See here