I would like to know if there is a roadmap for this feature as I do not understand the value of this integration without the sync being instigated when teams are changed from within Okta.
@gmconklin it can be added... we're not currently listening for any events other than those triggered by GitHub. We would need to implement a webhook listener and have each IdP configured to send events to the app.
First sequence
In this sequence, we're reacting to a change in GitHub, ensuring that teams are not manually edited
```mermaid
sequenceDiagram
    autonumber
    participant GitHub
    participant team-sync
    participant IdP
    GitHub->>team-sync: event (team created/edited)
    team-sync->>IdP: request group members
    IdP->>team-sync: return group members
    team-sync->>team-sync: compare members
    team-sync->>GitHub: update team members
```
Second sequence
In this sequence, we're running on a schedule
```mermaid
sequenceDiagram
    autonumber
    participant GitHub
    participant team-sync
    participant IdP
    team-sync->>team-sync: scheduled sync (cron)
    team-sync->>IdP: request group members
    IdP->>team-sync: return group members
    team-sync->>team-sync: compare members
    team-sync->>GitHub: update team members
```
Third sequence (not currently supported)
In this sequence, we would need to respond to changes in the IdP (i.e. Okta) and make updates based on those changes.
```mermaid
sequenceDiagram
    autonumber
    participant GitHub
    participant team-sync
    participant IdP
    IdP->>team-sync: event (group created/edited)
    team-sync->>IdP: request group members
    IdP->>team-sync: return group members
    team-sync->>team-sync: compare members
    team-sync->>GitHub: update team members
```
In order for us to support this we will need to implement a few things (completely doable, but should be laid out):
- We need webhook verification implemented with a distinct endpoint. The current listener is validating GitHub payloads.
- Will all groups in Okta be sent to the app? This is one area where we might see a lot of noise.
We implemented cron as a way to maintain an "eventually consistent" approach so that you can have minimal delays in provisioning. Using a 1h schedule, for example, isn't a massive blocker to most organizations. Since the app responds to GitHub events, we'll still have the benefit of ensuring no unauthorized access, but might have to wait an hour to get new users added to groups.
With that context in mind, we can probably add this as a feature, but I'll need to do some testing to make sure we can support it adequately
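A sketch of the two requirements listed in the comment above (a distinct, separately verified endpoint for IdP events, and filtering out groups the app does not manage), added here as an illustration and not code from the team-sync project. The endpoint paths, secrets, `MANAGED_GROUPS` allow-list and sample payload are constructed; it assumes the Okta event hook is configured to send a shared secret in the `Authorization` header.

```python
import hashlib, hmac, json

GITHUB_SECRET = b"constructed-github-secret"  # constructed sample value
OKTA_SECRET = "constructed-okta-secret"       # constructed sample value
MANAGED_GROUPS = {"platform-engineers"}       # hypothetical allow-list of synced groups

# Constructed sample of an Okta event hook delivery (field layout is an assumption).
SAMPLE_OKTA_BODY = json.dumps({"data": {"events": [
    {"eventType": "group.user_membership.add",
     "target": [{"type": "User", "displayName": "A. User"},
                {"type": "UserGroup", "displayName": "platform-engineers"}]},
    {"eventType": "group.user_membership.remove",
     "target": [{"type": "UserGroup", "displayName": "marketing"}]},
]}}).encode()

def verify_github(raw_body, headers):
    # GitHub: HMAC-SHA256 over the raw body, sent as "sha256=<hex>".
    expected = "sha256=" + hmac.new(GITHUB_SECRET, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), headers.get("x-hub-signature-256", "").encode())

def verify_okta(headers):
    # Okta event hooks: static secret in a configured header, no body signature.
    return hmac.compare_digest(OKTA_SECRET.encode(), headers.get("authorization", "").encode())

def okta_groups(raw_body):
    # Keep only membership events for groups the app manages; drop the rest as noise.
    names = set()
    for event in json.loads(raw_body).get("data", {}).get("events", []):
        if event.get("eventType", "").startswith("group.user_membership."):
            names.update(t.get("displayName") for t in event.get("target", [])
                         if t.get("type") == "UserGroup" and t.get("displayName") in MANAGED_GROUPS)
    return sorted(names)

def handle(path, method, headers, raw_body=b""):
    headers = {k.lower(): v for k, v in headers.items()}
    if path == "/webhooks/github" and method == "POST":
        return (200, "sync-from-github") if verify_github(raw_body, headers) else (401, None)
    if path == "/webhooks/okta" and method == "GET":  # one-time endpoint verification
        challenge = headers.get("x-okta-verification-challenge")
        return (200, {"verification": challenge}) if challenge else (400, None)
    if path == "/webhooks/okta" and method == "POST":
        if not verify_okta(headers):  # authenticate before parsing anything
            return 401, None
        try:
            return 200, okta_groups(raw_body)
        except (ValueError, AttributeError):
            return 400, None
    return 404, None
```

Because the Okta delivery carries no body signature, the shared secret should be long, random and rotated like any bearer credential, and the endpoint served only over TLS.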