github.com/treeverse/lakefs@v1.24.1-0.20240520134607-95648127bfb0/design/rejected/oidc-support.md

_This design has moved out of scope of lakeFS; see our [security
update](https://docs.lakefs.io/posts/security_update.html)._

# OIDC support in lakeFS

As suggested by @arielshaqed, we started researching the option to implement OIDC support as part of lakeFS.

In such a solution, the person who configures lakeFS supplies the parameters required for OIDC: the provider's domain, the client ID and client secret, and the callback URL to which the provider redirects the browser after login. API access continues to use credentials managed internally by lakeFS, as it does today.

As a first step, authorization will still be managed internally by lakeFS: the provider only authenticates the user, and lakeFS decides what that user is allowed to do.
## Requirements

### lakeFS admin

- In the lakeFS configuration file, the admin can enable an integration with an OIDC provider.
- Through the lakeFS configuration, the admin can set default lakeFS IAM groups. By default, externally managed users are created as members of these groups.
- To create a user with _other_ groups, the external provider can add an `initial_groups` claim to the ID token. When the user first logs in, lakeFS reads this claim and creates the user with the given groups instead of the defaults. The claim is only read from an ID token that has passed the usual OIDC validation (signature, issuer, audience, expiry), and only on first login, so later changes to the claim do not alter an existing user's groups.
- Authorization is still managed internally by lakeFS. Since lakeFS does not store any PII, the permission management screens will show only the unique ID provided by the OIDC provider (the `sub` claim of the ID token).
  - To show user emails / friendly names in permission management screens, we will integrate with specific OIDC providers according to demand from the community.
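
The first-login rule described above, as an added Go example that is not lakeFS code: it decodes the ID token's claims, checks that the token was issued by the configured provider for this client, and picks the user's groups from `initial_groups` when present and from the configured defaults otherwise. The config field names, the `https://<provider domain>` issuer form, the group names and the sample token are assumptions constructed for this example; the token is unsigned because the example runs offline, and the comments state where real signature verification belongs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// OIDCConfig is what the design says the admin supplies; the field names are assumptions
// made for this example, not lakeFS configuration keys.
type OIDCConfig struct {
	ProviderDomain string   // the issuer is assumed to be https://<ProviderDomain>
	ClientID       string   // client ID registered at the provider, the expected "aud"
	DefaultGroups  []string // used when the ID token carries no initial_groups claim
}

// ExternalUser is what lakeFS would store on first login: the provider's subject ID and groups, no PII.
type ExternalUser struct {
	ID     string
	Groups []string
}

// idTokenClaims is the subset of ID-token claims the design relies on.
type idTokenClaims struct {
	Issuer        string          `json:"iss"`
	Subject       string          `json:"sub"`
	Audience      json.RawMessage `json:"aud"`
	InitialGroups []string        `json:"initial_groups"`
}

// audienceContains handles both encodings the JWT spec allows for "aud": a string or an array.
func audienceContains(raw json.RawMessage, clientID string) bool {
	var one string
	var many []string
	if json.Unmarshal(raw, &one) == nil {
		many = []string{one}
	} else if json.Unmarshal(raw, &many) != nil {
		return false // missing or malformed aud: never accept the token
	}
	for _, s := range many {
		if s == clientID {
			return true
		}
	}
	return false
}

// decodeClaims decodes a compact JWT's payload WITHOUT verifying it. In a real login flow the OIDC
// client library checks signature, expiry and nonce first, and initial_groups may only be honoured
// after that check; the step is omitted here so the example runs offline on a constructed token.
func decodeClaims(idToken string) (*idTokenClaims, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id token is not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c idTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	return &c, nil
}

// ProvisionUser applies the first-login rule: reject a token not issued by the configured provider
// for this client, then take groups from initial_groups when present and from DefaultGroups otherwise.
func ProvisionUser(cfg OIDCConfig, c *idTokenClaims) (ExternalUser, error) {
	if c.Issuer != "https://"+cfg.ProviderDomain || !audienceContains(c.Audience, cfg.ClientID) {
		return ExternalUser{}, fmt.Errorf("id token is not from %s for client %s", cfg.ProviderDomain, cfg.ClientID)
	}
	if c.Subject == "" {
		return ExternalUser{}, fmt.Errorf("id token has no sub claim")
	}
	groups := c.InitialGroups
	if len(groups) == 0 {
		groups = append([]string(nil), cfg.DefaultGroups...)
	}
	return ExternalUser{ID: c.Subject, Groups: groups}, nil
}

// mintUnsignedToken builds a constructed, unsigned token (alg "none", empty signature) purely as
// input for decodeClaims; a real provider signs its tokens.
func mintUnsignedToken(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none"})
	body, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	cfg := OIDCConfig{ProviderDomain: "login.example.com", ClientID: "lakefs-web", DefaultGroups: []string{"Viewers"}}
	tok := mintUnsignedToken(map[string]any{"iss": "https://login.example.com", "sub": "a1b2c3",
		"aud": "lakefs-web", "initial_groups": []string{"Developers"}})
	claims, err := decodeClaims(tok)
	if err != nil {
		panic(err)
	}
	user, err := ProvisionUser(cfg, claims)
	if err != nil {
		panic(err)
	}
	fmt.Println("create user", user.ID, "with groups", user.Groups)
}
```

The issuer and audience checks matter because `initial_groups` is an authorization input: a token from another tenant or issued for a different client must not be able to create a lakeFS user in privileged groups. The `sub` value is the only identifier persisted, which is why the permission screens can show nothing friendlier without a provider-specific integration.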
    22  
### lakeFS user
- In the lakeFS login screen, the user can choose to log in with OIDC.
- The user can create API credentials as before.
    26