
please avoid the need of the permission "directory.read.all" in Azure AD #2752

Open
2 tasks done
ghost opened this issue Dec 7, 2022 · 3 comments

Comments


ghost commented Dec 7, 2022

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Within our company we run ArgoCD within a K8s cluster.
ArgoCD is configured to use DEX for authentication to MS Azure AD.
Currently MS Graph is used for Azure AD in ArgoCD.

For security reasons we'd like to limit the authentication requests to need &scope=user.read only, instead of both &scope=user.read+directory.read.all. This way only those few groups are returned which were explicitly assigned in Azure AD to the given application.

Background:
With respect to the least-privilege principle, we do not want to have the possibility/admin rights to expose the whole enterprise AD structure.

Proposed Solution

Allow the scope to be configured on the application side, or narrow down the scope entirely.

Alternatives Considered

No response

Additional Information

No response


ghost commented Dec 7, 2022

For the record: originally requested here: argoproj/argo-cd#11523


marianobilli commented Feb 8, 2023

I have a problem with this at my company; they don't want to approve such a wide permission.

These two scopes should be enough:
Group.read.all
GroupMember.read.all
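
What both the issue body (request only user.read and rely on the groups Azure AD assigns to the application) and the comment above (narrower Graph permissions instead of directory.read.all) are after is the same thing: a login that never holds a directory-wide read permission. The following is an added example, not Dex or Argo CD code, showing the user.read-only path in Python: it builds the Microsoft identity platform v2.0 authorize request while refusing directory-wide scopes, lets you audit which scopes a request actually carries, and reads group membership from the ID token's groups claim instead of querying Microsoft Graph. The tenant ID, client ID, redirect URI, group IDs and the unsigned sample token are constructed for illustration; the claim-overage handling assumes Azure AD's documented behaviour of replacing the groups claim with _claim_names when a user is in more groups than fit in a JWT.

```python
"""Least-privilege login scopes for an Azure AD OIDC connector.

Added example (not Dex or Argo CD code). It assumes the Microsoft identity
platform v2.0 authorize endpoint and the standard `groups` claim in the ID
token; tenant ID, client ID, redirect URI, group IDs and the sample token are
constructed for illustration.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Scopes that let the application read the whole tenant directory. The issue
# asks that a login flow not require these, so they are refused here.
DIRECTORY_WIDE_SCOPES = {"directory.read.all", "directory.readwrite.all"}

# Least-privilege scope set: the OIDC scopes plus the signed-in user's own profile.
DEFAULT_SCOPES = ["openid", "profile", "email", "User.Read"]


def scope_policy_violations(scopes):
    """Return the requested scopes that grant directory-wide read access.
    Azure AD scope names are case-insensitive, so compare lower-cased."""
    return [s for s in scopes if s.lower() in DIRECTORY_WIDE_SCOPES]


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce, scopes=DEFAULT_SCOPES):
    """Build the v2.0 authorization-code request, refusing directory-wide scopes."""
    bad = scope_policy_violations(scopes)
    if bad:
        raise ValueError(f"refusing directory-wide scope(s): {', '.join(bad)}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding; must be checked on the callback
        "nonce": nonce,  # replay protection; must match the ID token's nonce
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def requested_scopes(url):
    """Parse the `scope` parameter out of an authorize URL, e.g. to audit what a
    connector actually sends by pasting in a URL captured from the browser."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg=none) for the sample below only. Real ID
    tokens are signed; never accept alg=none from an identity provider."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def id_token_claims(token):
    """Decode a JWT payload for inspection. This does NOT verify the signature;
    base authorization decisions on claims your OIDC library has verified."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def groups_from_claims(claims):
    """Group object IDs from the `groups` claim. When a user is in more groups
    than fit in a JWT, Azure AD omits the claim and sets `_claim_names`, which
    means a Graph lookup is needed; signal that rather than returning no groups."""
    if "groups" not in claims and "_claim_names" in claims:
        raise LookupError("group overage: claim omitted, query Graph for membership")
    return set(claims.get("groups", []))


def authorized_groups(claims, allowed_groups):
    """Intersect the token's groups with the groups this application accepts.
    With only User.Read requested and the app registration configured to emit
    'groups assigned to the application', the claim carries only those groups."""
    return sorted(groups_from_claims(claims) & set(allowed_groups))


# Constructed sample: two group IDs assigned to the app, one of which the
# application accepts for access.
ALLOWED_GROUPS = {"11111111-2222-3333-4444-555555555555"}
SAMPLE_ID_TOKEN = make_unsigned_token({
    "aud": "00000000-0000-0000-0000-000000000001",
    "iss": "https://login.microsoftonline.com/tenant-id/v2.0",
    "preferred_username": "alice@example.com",
    "groups": ["11111111-2222-3333-4444-555555555555",
               "66666666-7777-8888-9999-000000000000"],
})

if __name__ == "__main__":
    url = build_authorize_url("tenant-id", "00000000-0000-0000-0000-000000000001",
                              "https://argocd.example.com/api/dex/callback",
                              state="s1", nonce="n1")
    print(url)
    print("scopes requested:", sorted(requested_scopes(url)))
    print("groups granting access:",
          authorized_groups(id_token_claims(SAMPLE_ID_TOKEN), ALLOWED_GROUPS))
```

The overage case is the one place this path still needs a Graph call, and that fallback is where the narrower group-read permissions proposed in the comment above would come in instead of directory.read.all. The `requested_scopes` helper is also a quick check against a live deployment: capture the redirect to login.microsoftonline.com from the browser and confirm that directory.read.all is absent.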

@Nothing4You

This seems to be a duplicate of #2442.
