Do not match on `email` for Google organization membership · Issue #802 · octo-sts/app · GitHub

Do not match on email for Google organization membership #802


Open
matthiasr opened this issue Mar 15, 2025 · 2 comments

@matthiasr

In their Identity docs, Google loudly and repeatedly discourage using the email claim as identification, or as guarantee that someone is a member of the organization.

There may be cases when it's really what you want, but I find it a bit dangerous to have the first and only example of identifying someone by their Google identity use email. Could the example in the README use

```yaml
claims:
  hd: chainguard.dev
```

instead?

@mattmoor
Member

I'd probably rather use a stricter subject pattern, even if the gaia IDs are fictional:

```yaml
issuer: https://accounts.google.com
subject_pattern: '(1234|5678)'
claim_pattern:
  foo: '.*bar.*'

permissions:
  contents: read
```
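The difference between the three policy shapes in this thread (match on `email`, match on `hd`, pin the subject) is easiest to see by running them against sample tokens. The Go program below is an added example written for this page; it is not code from this issue or from the octo-sts project, and its `TrustPolicy` type, `Matches` method and the sample tokens are constructed for illustration (the subject IDs `1234`/`5678` are the fictional ones from the comment above). It assumes only that patterns are regular expressions matched against whole claim values and that a claim missing from the token never matches.

```go
package main

import (
	"fmt"
	"regexp"
)

// Claims is a constructed subset of the claims in a Google ID token.
type Claims map[string]string

// TrustPolicy is a simplified stand-in for the fields discussed in this
// issue (issuer, subject_pattern, claim_pattern). Illustration code only,
// not the octo-sts implementation.
type TrustPolicy struct {
	Issuer         string
	SubjectPattern string            // regex over the `sub` claim; optional
	ClaimPattern   map[string]string // claim name -> regex over its value
}

const googleIssuer = "https://accounts.google.com"

// anchored compiles a pattern so it must match the whole value; an
// unanchored "(1234|5678)" would otherwise also match "12345678".
func anchored(pattern string) (*regexp.Regexp, error) {
	return regexp.Compile("^(?:" + pattern + ")$")
}

// Matches reports whether the token claims satisfy the policy. A claim
// named in ClaimPattern that is absent from the token never matches.
func (p TrustPolicy) Matches(c Claims) (bool, error) {
	if c["iss"] != p.Issuer {
		return false, nil
	}
	if p.SubjectPattern != "" {
		re, err := anchored(p.SubjectPattern)
		if err != nil {
			return false, err
		}
		if !re.MatchString(c["sub"]) {
			return false, nil
		}
	}
	for name, pattern := range p.ClaimPattern {
		value, present := c[name]
		if !present {
			return false, nil
		}
		re, err := anchored(pattern)
		if err != nil {
			return false, err
		}
		if !re.MatchString(value) {
			return false, nil
		}
	}
	return true, nil
}

// EmailPolicy is the shape the issue argues against: trust any token whose
// `email` ends in the organization's domain.
func EmailPolicy() TrustPolicy {
	return TrustPolicy{Issuer: googleIssuer, ClaimPattern: map[string]string{"email": `.*@chainguard\.dev`}}
}

// HDPolicy is the first comment's alternative: require the hosted-domain
// claim, which only Workspace accounts of that domain carry.
func HDPolicy() TrustPolicy {
	return TrustPolicy{Issuer: googleIssuer, ClaimPattern: map[string]string{"hd": `chainguard\.dev`}}
}

// SubjectPolicy is the stricter form from the second comment: pin the
// (fictional) subject IDs.
func SubjectPolicy() TrustPolicy {
	return TrustPolicy{Issuer: googleIssuer, SubjectPattern: "(1234|5678)"}
}

// Constructed sample tokens.
var (
	// A Workspace member of chainguard.dev with a fictional subject ID.
	WorkspaceMember = Claims{"iss": googleIssuer, "sub": "1234", "email": "alice@chainguard.dev", "hd": "chainguard.dev"}
	// A constructed non-Workspace account that merely presents a
	// chainguard.dev address: no `hd` claim, unrelated subject ID.
	EmailOnly = Claims{"iss": googleIssuer, "sub": "9999", "email": "alice@chainguard.dev"}
)

func main() {
	policies := map[string]TrustPolicy{"email": EmailPolicy(), "hd": HDPolicy(), "subject": SubjectPolicy()}
	for _, tok := range []Claims{WorkspaceMember, EmailOnly} {
		for name, p := range policies {
			ok, err := p.Matches(tok)
			fmt.Printf("sub=%s policy=%-7s match=%v err=%v\n", tok["sub"], name, ok, err)
		}
	}
}
```

Running it shows the `email` policy accepting both tokens, while the `hd` and subject policies accept only the Workspace member; the subject policy is also the only one that keeps working if the member's address changes.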

@mattmoor
Member

Want to send a PR?
