There are a bunch of useful configuration settings which we are currently not using with all customers and which might make sense to suggest to them.
Some may have to be part of our initial setup. All may have to be added to internal docs. Some we might want to recommend to customers individually.
Different connectors offer different options, so this is structured by connector.
Microsoft / Azure AD
The `microsoft` connector is used for customers with Azure AD.
`onlySecurityGroups`: Dex queries the Microsoft API to obtain a list of groups the user is a member of. The `onlySecurityGroups` configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
`useGroupsAsWhitelist`: together with a list of groups named explicitly in the `groups` key, the group membership list gets limited to this specific set.
`emailToLowercase`: You can use the `emailToLowercase` (boolean) configuration option to streamline UPNs (user email) from Active Directory before putting them into an ID token. Without this option, it can be tough to match the email claim because a client application doesn't know whether an email address has been added with capital or lowercase letters. As we use the `email` claim value as the username in Kubernetes RBAC, this can help simplify authorization.
`groupNameFormat: "id"` can be used to specify that the `groups` claim will contain unique group IDs instead of group names. This is only recommended in environments where group names are expected to change, as group IDs are hard to communicate.
OIDC
`insecureEnableGroups`: according to the docs, this prevents the group list from being refreshed. This would mean that a group membership cannot be revoked from a user. We should test and verify this.
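To show how the options from both connector sections above fit together, here is an added example (not from this issue and not the Dex project's own sample config): a Dex `config.yaml` fragment with the `microsoft` and `oidc` connectors, followed by the Kubernetes side that consumes the resulting claims. The issuer hostnames, client IDs, secrets, tenant ID, group names and the kubeadm fragment are placeholders and assumptions; the key names are the Dex connector options discussed in the issue.

```yaml
# Dex config.yaml fragment (added example; all values below are placeholders).
issuer: https://dex.example.com
staticClients:
- id: kubernetes
  name: Kubernetes
  secret: $KUBE_CLIENT_SECRET                  # placeholder, read from env
  redirectURIs:
  - https://kubectl-login.example.com/callback # placeholder
connectors:
- type: microsoft
  id: microsoft
  name: Azure AD
  config:
    clientID: $MICROSOFT_APPLICATION_ID        # placeholder, read from env
    clientSecret: $MICROSOFT_CLIENT_SECRET     # placeholder, read from env
    redirectURI: https://dex.example.com/callback
    tenant: 00000000-0000-0000-0000-000000000000   # placeholder tenant ID
    # Only emit security groups; Office 365 groups and mailing lists are dropped.
    onlySecurityGroups: true
    # Only the groups listed under "groups" are ever put into the groups claim.
    useGroupsAsWhitelist: true
    groups:
    - cluster-admins                           # placeholder group name
    - developers                               # placeholder group name
    # Lowercase the UPN so the email claim matches RBAC subjects predictably.
    emailToLowercase: true
    # Default is "name"; switch to "id" only where group names are expected
    # to change (the "groups" list above is then assumed to hold object IDs).
    groupNameFormat: name
- type: oidc
  id: upstream-oidc
  name: Upstream OIDC
  config:
    issuer: https://idp.example.com            # placeholder
    clientID: $OIDC_CLIENT_ID                  # placeholder, read from env
    clientSecret: $OIDC_CLIENT_SECRET          # placeholder, read from env
    redirectURI: https://dex.example.com/callback
    scopes:
    - profile
    - email
    - groups
    # Passes the upstream groups claim through. As noted in the issue, the
    # docs say the list is not refreshed, so revocation needs to be verified.
    insecureEnableGroups: true
---
# kube-apiserver flags that consume these claims, shown as a kubeadm
# ClusterConfiguration fragment (assumption; adjust to the distribution used).
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: https://dex.example.com
    oidc-client-id: kubernetes
    oidc-username-claim: email
    oidc-groups-claim: groups
---
# RBAC subjects must match the claims Dex emits: the lowercased email and the
# group in whatever format groupNameFormat selects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: jane.doe@example.com   # "Jane.Doe@example.com" would not match without emailToLowercase
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: developers             # would be the group object ID if groupNameFormat were "id"
```

The point of pairing the two halves is that each Dex option changes what the API server sees: `onlySecurityGroups` and `useGroupsAsWhitelist` shrink the `groups` claim to the set the bindings actually reference, `emailToLowercase` makes the `User` subject name deterministic, and changing `groupNameFormat` means every `Group` subject in RBAC has to be rewritten to IDs at the same time.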
TODO: look into other connectors used by customers