pac4j oidc limit valid domains for authentication #12890

@FarhadF

Description

I have set up pac4j OIDC authentication with Google as provider. I am wondering how I can limit the users authenticating to a certain email domain.

Other software does it as follows, allowing you to whitelist the email domains that you want to allow to authenticate (Grafana example):

[...]
      allowed_domains: domain1.com domain2.com sub.domain1.com
[...]

Current behavior: anyone can authenticate with a Google account:

    # Druid basic security
    druid.auth.authenticatorChain=["BasicMetadataAuthenticator", "pac4j"]
    druid.auth.authenticator.BasicMetadataAuthenticator.type=basic

    # Default password for 'admin' user
    druid.auth.authenticator.BasicMetadataAuthenticator.initialAdminPassword=xxx

    # Default password for internal 'druid_system' user
    druid.auth.authenticator.BasicMetadataAuthenticator.initialInternalClientPassword=xxx

    # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions
    druid.auth.authenticator.BasicMetadataAuthenticator.credentialsValidator.type=metadata

    # If true and the request credential doesn't exist in this credentials store, the request will proceed to the next Authenticator in the chain.
    druid.auth.authenticator.BasicMetadataAuthenticator.skipOnFailure=true
    druid.auth.authenticator.BasicMetadataAuthenticator.authorizerName=BasicMetadataAuthorizer

    # Escalator
    druid.escalator.type=basic
    druid.escalator.internalClientUsername=druid_system
    druid.escalator.internalClientPassword=xxx
    druid.escalator.authorizerName=BasicMetadataAuthorizer

    # pac4j
    druid.auth.authenticator.pac4j.type=pac4j
    druid.auth.pac4j.oidc.clientID=xxx
    druid.auth.pac4j.oidc.clientSecret=xxx
    druid.auth.pac4j.oidc.discoveryURI=xxx
    druid.auth.pac4j.cookiePassphrase=xxx

Expected behavior: set up example.com in the settings so that only users with an example.com domain can authenticate.
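The following is an added example and is not code from Apache Druid, pac4j or the issue author. It shows the check that an `allowed_domains`-style setting would have to perform on the claims of the ID token the provider returns, using the same space-separated format as the Grafana snippet above. The function names, the claim handling and the extra Google `hd` (hosted domain) cross-check are assumptions of this example; the important points are that the provider must assert the address as verified, that the domain is matched exactly rather than as a suffix, and that subdomains are only accepted when they are listed explicitly.

```python
"""Allow-list check for the e-mail domain in an OpenID Connect ID-token claim set.

Added example, not Druid or pac4j code. It models what a setting like
``allowed_domains: domain1.com domain2.com sub.domain1.com`` must enforce.
"""
from typing import Dict, FrozenSet, Mapping, Optional


def normalise_domains(allowed_domains: str) -> FrozenSet[str]:
    """Parse a space-separated allow-list such as "domain1.com sub.domain1.com".

    Domains are compared case-insensitively, so every entry is lower-cased
    and any trailing dot is removed.
    """
    return frozenset(d.lower().rstrip(".") for d in allowed_domains.split() if d)


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain part of an e-mail address, or None if malformed."""
    # Split on the *last* '@' so a local part containing '@' cannot smuggle in
    # a different domain.
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_allowed(claims: Mapping[str, object], allowed: FrozenSet[str]) -> bool:
    """Return True only when the token's e-mail belongs to an allowed domain.

    Checks, in order:
    1. the provider must assert the address as verified (``email_verified``);
       an unverified address is attacker-chosen and must not be trusted;
    2. the domain must match an allow-list entry exactly: a suffix match would
       accept ``user@example.com.attacker.net``, and ``sub.example.com`` is only
       accepted when it is listed explicitly, as in the Grafana example;
    3. (assumed, Google-specific) when the ``hd`` hosted-domain claim is present
       it must agree with the e-mail domain.
    """
    email = claims.get("email")
    if not isinstance(email, str) or claims.get("email_verified") is not True:
        return False
    domain = email_domain(email)
    if domain is None or domain not in allowed:
        return False
    hd = claims.get("hd")
    if hd is not None and str(hd).lower().rstrip(".") != domain:
        return False
    return True


def evaluate_samples() -> Dict[str, bool]:
    """Run the check over constructed claim sets; returns a name -> decision map."""
    allowed = normalise_domains("example.com sub.example.com")
    samples = {  # constructed sample claims, not real tokens
        "verified_member": {"email": "alice@example.com", "email_verified": True},
        "listed_subdomain": {"email": "bob@Sub.Example.COM", "email_verified": True},
        "unlisted_subdomain": {"email": "carol@dev.example.com", "email_verified": True},
        "suffix_lookalike": {"email": "eve@example.com.attacker.net", "email_verified": True},
        "unverified": {"email": "mallory@example.com", "email_verified": False},
        "hd_mismatch": {"email": "dan@example.com", "email_verified": True, "hd": "other.org"},
        "malformed": {"email": "@example.com", "email_verified": True},
    }
    return {name: is_allowed(claims, allowed) for name, claims in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:20s} -> {'allow' if decision else 'deny'}")
```

The check belongs after the provider's signature and issuer validation has succeeded, i.e. at the point where the authenticator builds the user profile from the claims; rejecting there means a Google account outside the allow-list never receives a Druid session cookie.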
