Fixing Token Bloat Issue

Jason requested to merge removing-groups-from-tokens into master

Problem: We are currently experiencing an issue with some environments where their decoded tokens become very large because we are including security groups as a claim in the token. There is a claim included in the tokens called "groups" that is an array of the IDs of AAD security groups that the user is a member of. When a user is a member of many groups, Istio has trouble processing the token and the users receive a "400 Bad Request" error.

Solution: We can set group_membership_claims to None for the AAD application in Terraform. This changes the application manifest so that the tokens generated for that application no longer include groups for which the user is a member.

Consequence on terraform plan in central resources:

  # module.ad_application.azuread_application.main will be updated in-place
  ~ resource "azuread_application" "main" {
      ~ group_membership_claims    = "SecurityGroup" -> "None"
        id                         = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        name                       = "osdu-mvp-crxxxx-xxxx-app"
        # (13 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Testing: I generated a token for myself in my personal environment and saw it included a "groups" claim with two groups. I then applied this change to my environment and generated a new token. This new token had no "groups" claim. This same approach has also been used by customers by them manually changing the AAD application manifest and it has worked at eliminating the problem of token bloat.

Edited by Jason
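The testing step above checks a decoded token by eye for a "groups" claim. The following is an added example (not code from this merge request or the project) of doing that check in Python so it can be repeated after the Terraform change is applied in each environment: it parses a compact JWT without verifying the signature, reports whether a "groups" claim is present and how many entries it carries, and compares the encoded token length against a size limit. The tokens it inspects are constructed inline with placeholder group IDs and a placeholder signature, and the 8192-byte limit is an assumed example threshold, not Istio's actual header limit.

```python
import base64
import json
from typing import Any, Dict, List

# Constructed placeholder group IDs; real AAD object IDs are GUIDs of the same shape.
PLACEHOLDER_GROUPS = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT (header.payload.signature).

    This is inspection only: the signature is NOT verified, so the result must
    never be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def groups_claim_report(token: str, max_token_bytes: int = 8192) -> Dict[str, Any]:
    """Summarise whether a token still carries a 'groups' claim and how large it is.

    max_token_bytes is an assumed example limit for this demonstration; set it to
    whatever header-size limit the proxy in front of the service actually enforces.
    """
    claims = decode_claims(token)
    groups = claims.get("groups")
    token_bytes = len(token.encode("ascii"))
    return {
        "has_groups_claim": groups is not None,
        "group_count": len(groups) if isinstance(groups, list) else 0,
        "token_bytes": token_bytes,
        "over_limit": token_bytes > max_token_bytes,
    }


def make_test_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned-looking test token for offline checks.

    The signature segment is a fixed placeholder, so this token is only useful
    for exercising the parser; it would fail verification anywhere real.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    header_seg = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_seg = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_seg}.{payload_seg}.placeholder-signature"


def token_with_groups(group_ids: List[str]) -> str:
    # Shape of a token issued before the change: 'groups' lists AAD group object IDs.
    return make_test_token({"sub": "user@example.test", "groups": group_ids})


def token_without_groups() -> str:
    # Shape of a token issued after group_membership_claims is set to "None".
    return make_test_token({"sub": "user@example.test"})


if __name__ == "__main__":
    print("before:", groups_claim_report(token_with_groups(PLACEHOLDER_GROUPS)))
    print("after: ", groups_claim_report(token_without_groups()))
    # A user in many groups pushes the encoded token well past the example limit.
    print("bloat: ", groups_claim_report(token_with_groups(PLACEHOLDER_GROUPS * 250)))
```

Run it against a real token (pasted in place of the constructed ones) before and after applying the Terraform change: the "before" report should show `has_groups_claim` true with the user's group count, and the "after" report should show it false with `group_count` 0.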