SSO: support non-toplevel attribute_requirements #14835

Open
matrixbot opened this issue Dec 20, 2023 · 0 comments

Comments

@matrixbot
Collaborator

matrixbot commented Dec 20, 2023

This issue has been migrated from #14835.


Description:

To the best of my knowledge, it is only possible to configure and check attribute requirements if the attribute is in the toplevel of the claim/access token.

Example
We use Keycloak as OIDC provider. The access token of Keycloak contains:

```json
  "resource_access": {
    "{client-id}": {
      "roles": [
        "{client-role-1}",
        "{client-role-2}"
      ]
    }
  },
```

I want to allow authentication based on an assigned client-role which is nested inside multiple objects.

Possible solution
A solution could be to allow dot-notation for the attribute requirements to access nested elements

```yaml
# homeserver.yaml
oidc_providers:
- idp_id: keycloak
  {...}
  attribute_requirements:
    - attribute: resource_access.{client-id}.roles
      value: {client-role-1}
```
@matrixbot matrixbot changed the title Dummy issue SSO: support non-toplevel attribute_requirements Dec 21, 2023
@matrixbot matrixbot reopened this Dec 21, 2023
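Added example, not Synapse's own code: one way the proposed dot-notation could resolve a nested claim such as `resource_access.{client-id}.roles` against a Keycloak-style token and evaluate an `attribute_requirements` entry against it. The token, the client ID `synapse` and the role names are constructed; the matching rule (equal, or contained in a list-valued claim, and deny when the path is missing) is an assumption about the intended semantics.

```python
from collections.abc import Mapping
from typing import Any, Optional

# Constructed sample access token, modelled on the Keycloak payload above.
SAMPLE_TOKEN = {
    "sub": "alice",
    "resource_access": {
        "synapse": {"roles": ["synapse-user", "synapse-admin"]},
        "other-app": {"roles": ["viewer"]},
    },
}


def resolve_path(claims: Mapping, path: str) -> Optional[Any]:
    """Follow a dot-separated path through nested claim objects.

    Returns None as soon as a segment is missing or the current value is
    not an object, so a malformed or unexpected token never raises.
    Caveat: a key that itself contains a dot (possible for client IDs)
    cannot be addressed with this scheme and would need escaping.
    """
    current: Any = claims
    for segment in path.split("."):
        if not isinstance(current, Mapping) or segment not in current:
            return None
        current = current[segment]
    return current


def attribute_satisfied(claims: Mapping, attribute: str, value: str) -> bool:
    """Assumed rule: the resolved claim must equal `value`, or contain it
    when the claim is a list (as `roles` is). A missing path is a failure,
    so an absent claim denies login rather than silently passing."""
    resolved = resolve_path(claims, attribute)
    if isinstance(resolved, list):
        return value in resolved
    return resolved is not None and resolved == value


def check_requirements(claims: Mapping, requirements: list) -> bool:
    """Every configured requirement must hold; an empty list allows all."""
    return all(
        attribute_satisfied(claims, req["attribute"], req["value"])
        for req in requirements
    )
```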