LDAP Groups Refreshed For Token?

[tjmoyes]

Hey all,

I apologize if this is a dumb question but it has just crossed my mind, and I apologize if this is the wrong place to ask.

So I've set up Dex/Gangway to authenticate into a Kube cluster with LDAP credentials. I've also set up a couple of Roles & RoleBindings based off groups in said LDAP.

My question revolves around the refresh process:

Let's say, when a user initially logs into Dex and gets the KubeConfig from Gangway, they are a part of Group A. At some point, they are removed from Group A and placed into Group B. Groups A and B have separate role bindings in the cluster. Does the refresh also refresh the groups that a user is a part of?

[nabokihms]

Hello, @tjmoyes.
Yes, it works as you described. If a connector implements the RefreshConnector interface, the Refresh method will be called on token refreshing.

The LDAP refresh method looks like this

dex/connector/ldap/ldap.go

Lines 529 to 568 in 83ad7bc

	func (c *ldapConnector) Refresh(ctx context.Context, s connector.Scopes, ident connector.Identity) (connector.Identity, error) {
	var data refreshData
	if err := json.Unmarshal(ident.ConnectorData, &data); err != nil {
	return ident, fmt.Errorf("ldap: failed to unmarshal internal data: %v", err)
	}
	var user ldap.Entry
	err := c.do(ctx, func(conn *ldap.Conn) error {
	entry, found, err := c.userEntry(conn, data.Username)
	if err != nil {
	return err
	}
	if !found {
	return fmt.Errorf("ldap: user not found %q", data.Username)
	}
	user = entry
	return nil
	})
	if err != nil {
	return ident, err
	}
	if user.DN != data.Entry.DN {
	return ident, fmt.Errorf("ldap: refresh for username %q expected DN %q got %q", data.Username, data.Entry.DN, user.DN)
	}
	newIdent, err := c.identityFromEntry(user)
	if err != nil {
	return ident, err
	}
	newIdent.ConnectorData = ident.ConnectorData
	if s.Groups {
	groups, err := c.groups(ctx, user)
	if err != nil {
	return connector.Identity{}, fmt.Errorf("ldap: failed to query groups: %v", err)
	}
	newIdent.Groups = groups
	}
	return newIdent, nil
	}

So it does update the groups on line 561.

This is technical stuff, but I think it may be useful to understand how dex interacts with other identity providers.

[tjmoyes]

This is phenomenal! I still have to learn how Go works but I can at least understand what the code here is doing.

Thank you so much!