Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Roles loading from LDAP for OAuth2 users #84

Merged
merged 3 commits into from
Dec 21, 2023
Merged

Roles loading from LDAP for OAuth2 users #84

merged 3 commits into from
Dec 21, 2023

Conversation

emmdurin
Copy link
Contributor

No description provided.

@emmdurin emmdurin marked this pull request as draft November 23, 2023 09:15
@pmauduit
Copy link
Member

pmauduit commented Dec 7, 2023

We actually have the same issue to fix with the PreAuthentication token (e.g. when user is logged in via http headers from another proxy in front of the gateway).

Maybe we could use both GeorchestraUser.getRoles() + authentication.getAuthorities() into the georchestra gateway filters instead (not really fan of doing reflection on the object, but the possibilities are limited here, given the fact that the authorities object is final, and no accessor allows to modify it once the token has been created.

@pmauduit
Copy link
Member

pmauduit commented Dec 8, 2023

Maybe we could use both GeorchestraUser.getRoles() + authentication.getAuthorities() into the georchestra gateway filters instead (not really fan of doing reflection on the object, but the possibilities are limited here, given the fact that the authorities object is final, and no accessor allows to modify it once the token has been created.

This is (merging getRoles + getAuthorities) what is currently done into the following branch:
https://github.com/georchestra/georchestra-gateway/tree/gitlab_merge (named this way because the work was already done into DT's version of the gateway)

emmdurin and others added 2 commits December 12, 2023 20:57
@emmdurin
Revert "ugly fix just to see if it works"
d07caea 
This reverts commit 972790c.
@groldan @emmdurin
Fix Gateway authorization does not work for derived roles
1ce9822 
Use a custom `ReactiveAuthorizationManager` to authorize
requests using both the `Authentication` object's granted
authorities and the `GeorchestraUser`'s (possibly) derived
role names.
@emmdurin
Copy link
Contributor Author

emmdurin commented Dec 12, 2023
edited
Loading

Thank you Pierre. I cherry-picked one commit from this branch, it is the minimum changes required to solve our problem, as we do not need here to get roles from OAuth2 provider, only roles coming from LDAP. However other changes in PR#89 are interesting, they are just out of scope here.

@emmdurin emmdurin marked this pull request as ready for review December 12, 2023 20:08
@emmdurin emmdurin mentioned this pull request Dec 12, 2023
Closed
@emmdurin emmdurin merged commit bce93a4 into main Dec 21, 2023
3 checks passed
@groldan groldan deleted the oauth2_roles_loading branch December 29, 2023 16:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marwanehcine marwanehcine marwanehcine approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@emmdurin @pmauduit @marwanehcine @groldan