New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for scopes based on AD group IDs + reject user if required scopes aren't added #145
Conversation
4507dbd
to
5aff5b2
Compare
idTokenPayload.groups ?? [] | ||
) | ||
|
||
credentials.scope = assignedScopes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm getting an error that credentials.scope
isn't typed
Should we be using the scope(request)
handler instead?
In the deleted code there seemed to be some nice auth.access.scope
examples, should we not try to keep them maintained?
options: {
auth: {
access: {
scope: ['+mockScope']
},
mode: 'required'
}
},
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so. That function is per request, rather than when the token is received. We only need to grab their groups when the user is signing in or is refreshed. My understanding of the scope handler is where you want to elevate the user's access based on a specific request, which wouldn't be the case here.
credentials.scope
is something I'm still trying to work out. It's definitely the right way to do it, I'm a bit puzzled though at the type errors. The docs indicate it's a property of credentials, as does a few guides I found online.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably Bell using its own bespoke request
types?
You'll see in #145 (comment) that credentials.scope
is typed correctly there?
Be good to move the code into createUserSession()
so the compiler can check our homework
// Create user session
const credentials = await createUserSession(request)
if (!credentials?.user) {
return Boom.unauthorized()
}
+ if (!credentials?.scope) {
+ // Do the flashy auth failed thing
+ }
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the deleted code there seemed to be some nice auth.access.scope examples, should we not try to keep them maintained?
Looking at this now. It's a CDP thing but we can use it, might be a good way to keep the route permissions centralised somewhere.
fe0804d
to
5d4f3c2
Compare
761d01e
to
614720b
Compare
41041c2
to
521cac3
Compare
0d62471
to
dcc3091
Compare
52ee05d
to
56e4c43
Compare
56e4c43
to
46779ee
Compare
Scope support
./designer/server/src/common/helpers/auth/azure-oidc.js
. This is then propogated to the cookie-based session and validated on/auth/callback
.UI changes