Bug 1455666 (Closed) - Opened 7 years ago, closed 7 years ago
Need to replace the authorized_groups line with: authorized_groups: ['everyone'] - Airmozilla
Categories: Infrastructure & Operations :: Infrastructure: LDAP, task
Status: RESOLVED FIXED
People: Reporter: akochendorfer, Assigned: jabba
Jabba,
Henrik asked that I file the following bug:
Megan was testing New AirMo login flows and found out that login for non-NDA'd Mozillians is not working.
This is correct behavior according to the current configuration - but I guess the configuration is wrong:
https://github.com/mozilla-iam/sso-dashboard-configuration/blob/f49b7a7e2b5a408641fc48e47f0f1e47f58c7bef/apps.yml#L39
- application:
    name: "Air Mozilla"
    client_id: "7euXeq96glWUS85bwDRCCs10xKGY93t0"
    op: auth0
    url: "https://onlinexperiences.com/scripts/Server.nxp?LASCmd=L:0&AI=1&InitialDisplay=1&ClientBrowser=0&ShowKey=44908"
    logo: "airmo.png"
    authorized_users: []
    authorized_groups: ['mozilliansorg_nda', 'team_moco', 'team_mofo', 'team_mozillaonline']
    display: true
    vanity_url: ['/airmo']
In order to be publicly accessible using passwordless email authentication, we need to replace the authorized_groups line with:
authorized_groups: ['everyone']
New AirMo will then use OIDC claims to make sure to show Staff&NDA assets only to people coming in with the correct groups (e.g. 'mozilliansorg_nda', 'team_moco', 'team_mofo').
Thanks!
Comment 1 • 7 years ago (Assignee)
I've created https://github.com/mozilla-iam/sso-dashboard-configuration/pull/142 . Once reviewed and merged, this should work.
Assignee: infra → jdow
Comment 2 • 7 years ago
Hi,
passwordless email authentication does not have any group assigned, and cannot have groups assigned except for 'everyone'.
This means that there are no 'mozilliansorg_nda' members that have a passwordless account.
This is also why, if the RP access is limited by authorized_groups, passwordless cannot work.
Passwordless only works if authorized_groups includes the 'everyone' group.
There is no correct way to check if a passwordless account is a member of any group, as they cannot be part of any group except 'everyone'.
I'm acking https://github.com/mozilla-iam/sso-dashboard-configuration/pull/142 ; though wanted to make sure this part was clear, just in case
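The access rule discussed in the description and in Comment 2 can be modelled in a few lines. This is an added example, not code from the sso-dashboard project or from Bugzilla; it assumes that the dashboard grants access on an explicit user entry or on any group overlap, that a passwordless (email) login carries only the 'everyone' group, and that the RP filters assets from the groups in the OIDC claims. The e-mail addresses and asset names are constructed placeholders.

```python
from typing import Iterable

# Constructed sample: the two apps.yml entries from the bug, before and after the change.
APP_BEFORE = {
    "name": "Air Mozilla",
    "authorized_users": [],
    "authorized_groups": ["mozilliansorg_nda", "team_moco", "team_mofo", "team_mozillaonline"],
}
APP_AFTER = dict(APP_BEFORE, authorized_groups=["everyone"])

# Groups the RP may treat as Staff/NDA when reading OIDC claims (taken from the bug text).
STAFF_OR_NDA = {"mozilliansorg_nda", "team_moco", "team_mofo", "team_mozillaonline"}


def user_groups(login_method: str, ldap_groups: Iterable[str] = ()) -> set:
    """Groups present in the session (assumed semantics, per Comment 2):
    every account is in 'everyone'; a passwordless login gets nothing else."""
    groups = {"everyone"}
    if login_method != "passwordless":
        groups.update(ldap_groups)
    return groups


def may_access(app: dict, email: str, groups: set) -> bool:
    """Dashboard-style gate (assumed): allow on an explicit user entry or any group match."""
    if email in app["authorized_users"]:
        return True
    return bool(groups & set(app["authorized_groups"]))


def visible_assets(groups: set) -> list:
    """RP-side filtering from the group claims: public assets for all logins,
    Staff/NDA assets only when a qualifying group is present."""
    assets = ["public"]
    if groups & STAFF_OR_NDA:
        assets.append("staff_nda")
    return assets


if __name__ == "__main__":
    guest = user_groups("passwordless")
    staff = user_groups("ldap", ["team_moco"])
    for label, app in (("before", APP_BEFORE), ("after", APP_AFTER)):
        print(label, "guest:", may_access(app, "guest@example.com", guest),
              "staff:", may_access(app, "staff@example.com", staff))
    print("guest sees", visible_assets(guest), "- staff sees", visible_assets(staff))
```

With the original config the passwordless guest is refused at the dashboard; with ['everyone'] both reach the app, and the Staff/NDA split moves to the RP's claims check.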
Comment 3 • 7 years ago (Assignee)
I merged the PR.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 4 • 7 years ago
kang, for the record: Yes, what you said in Comment 2 is clear to me. Thanks!