
Fix authorization on SCIM me endpoint and improve SCIM user extension #764

Merged
merged 9 commits into from
Jun 6, 2024

Conversation

enricovianello

@enricovianello enricovianello commented May 3, 2024

Fixes #748 and #763.

SCIM me endpoint AuthZ was not working without scopes. Now authenticated users can again retrieve their info without problems. In addition, our SCIM user extension "IndigoUser" has been extended in order to add:

  • user's list of attributes (in read mode)
  • user's isAdmin T/F info (read mode)
  • user's list of managed groups (read mode)
  • user's AUP signature (in read mode)
  • user's end-time (in read mode)

In order to include managed groups into SCIM users details you need to enable them through the property:

scim:
  include_managed_groups: true

or through the environment variable:

IAM_SCIM_INCLUDE_MANAGED_GROUPS=true

Attributes can be included into SCIM user response in the same way the labels are:

scim.include_attributes[0].name=attribute-name
scim.include_attributes[1].name=another-attribute-name

SCIM me output example:

{
   "id":"80e5fb8d-b7c8-451a-89ba-346ae278a66f",
   "meta":{ ... },
   "schemas":[
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:indigo-dc:scim:schemas:IndigoUser"
   ],
   ...
   "urn:indigo-dc:scim:schemas:IndigoUser":{
      "oidcIds":[ ... ],
      "samlIds":[ ... ],
      "isAdmin": "false",
      "attributes":[
         {
            "name":"nickname",
            "value":"tester"
         }
      ],
      "endTime": "2024-08-06T02:00:00.000+02:00",
      "managedGroups":[
         {
            "display":"Analysis",
            "value":"6a384bcd-d4b3-4b7f-a2fe-7d897ada0dd1",
            "$ref":"http://localhost:8080/scim/Groups/6a384bcd-d4b3-4b7f-a2fe-7d897ada0dd1"
         },
         {
            "display":"Production",
            "value":"c617d586-54e6-411d-8e38-64967798fa8a",
            "$ref":"http://localhost:8080/scim/Groups/c617d586-54e6-411d-8e38-64967798fa8a"
         }
      ]
   }
}
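The response shape above is what a relying party consuming `/scim/Me` has to handle. The following is an added example, not code from the INDIGO IAM project or from this PR: a small Python consumer that parses a document of that shape and applies the checks worth making before trusting the extension fields (the extension URN is both declared in `schemas` and present as an object, `isAdmin` arrives as the string `"false"` and is coerced strictly, attribute names are unique, and every `managedGroups[].$ref` points at this IAM's own `/scim/Groups/<id>` path and agrees with the `value` beside it). The sample document is constructed from the PR's example; the `meta`, `oidcIds` and `samlIds` contents, the `IAM_BASE_URL` constant and all function names are assumptions of this example.

```python
"""Consumer-side handling of a SCIM /Me response carrying the IndigoUser extension.

Added example, not INDIGO IAM project code: parses the response shape shown in the
PR description and validates the extension fields before using them.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
INDIGO_USER_SCHEMA = "urn:indigo-dc:scim:schemas:IndigoUser"

# Assumed base URL of the IAM instance; matches the $ref host in the PR's example.
IAM_BASE_URL = "http://localhost:8080"


def _sample(group_ref_base: str) -> str:
    """Constructed sample modelled on the PR's output example; the elided fields
    ("meta", "oidcIds", "samlIds") carry placeholder content."""
    return json.dumps({
        "id": "80e5fb8d-b7c8-451a-89ba-346ae278a66f",
        "meta": {"resourceType": "User"},
        "schemas": [CORE_USER_SCHEMA, INDIGO_USER_SCHEMA],
        INDIGO_USER_SCHEMA: {
            "oidcIds": [],
            "samlIds": [],
            "isAdmin": "false",
            "attributes": [{"name": "nickname", "value": "tester"}],
            "endTime": "2024-08-06T02:00:00.000+02:00",
            "managedGroups": [
                {"display": "Analysis",
                 "value": "6a384bcd-d4b3-4b7f-a2fe-7d897ada0dd1",
                 "$ref": f"{group_ref_base}/scim/Groups/6a384bcd-d4b3-4b7f-a2fe-7d897ada0dd1"},
                {"display": "Production",
                 "value": "c617d586-54e6-411d-8e38-64967798fa8a",
                 "$ref": f"{group_ref_base}/scim/Groups/c617d586-54e6-411d-8e38-64967798fa8a"},
            ],
        },
    })


SAMPLE_ME_RESPONSE = _sample(IAM_BASE_URL)
# Same constructed document, but the group references point at a different host.
SAMPLE_FOREIGN_REF_RESPONSE = _sample("http://other-host.example")


@dataclass
class IndigoUserInfo:
    user_id: str
    is_admin: bool
    attributes: dict
    managed_group_ids: list
    end_time: Optional[datetime]


def parse_bool(value) -> bool:
    """The example renders isAdmin as the string "false"; accept a real boolean
    or exactly "true"/"false" (any case) and reject everything else."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"isAdmin is not a boolean: {value!r}")


def parse_me_response(raw: str, iam_base_url: str) -> IndigoUserInfo:
    """Parse and validate a /scim/Me document; raises ValueError on anything odd."""
    doc = json.loads(raw)
    schemas = doc.get("schemas", [])
    if CORE_USER_SCHEMA not in schemas:
        raise ValueError("not a SCIM core User resource")
    # The extension must be declared in "schemas" AND present as an object.
    if INDIGO_USER_SCHEMA not in schemas or not isinstance(doc.get(INDIGO_USER_SCHEMA), dict):
        raise ValueError("IndigoUser extension missing or undeclared")
    ext = doc[INDIGO_USER_SCHEMA]

    attributes = {}
    for attr in ext.get("attributes", []):
        if attr["name"] in attributes:
            raise ValueError(f"duplicate attribute {attr['name']!r}")
        attributes[attr["name"]] = attr["value"]

    expected = urlparse(iam_base_url)
    group_ids = []
    for group in ext.get("managedGroups", []):
        ref = urlparse(group["$ref"])
        # Trust only references that resolve to this IAM's own Groups endpoint
        # and whose path agrees with the group id given in "value".
        if (ref.scheme, ref.netloc) != (expected.scheme, expected.netloc) \
                or ref.path != f"/scim/Groups/{group['value']}":
            raise ValueError(f"unexpected managed group reference: {group['$ref']}")
        group_ids.append(group["value"])

    end_time = ext.get("endTime")
    return IndigoUserInfo(
        user_id=doc["id"],
        is_admin=parse_bool(ext.get("isAdmin", False)),  # absent -> not admin
        attributes=attributes,
        managed_group_ids=group_ids,
        end_time=datetime.fromisoformat(end_time) if end_time else None,
    )


if __name__ == "__main__":
    print(parse_me_response(SAMPLE_ME_RESPONSE, IAM_BASE_URL))
```

Rejecting a `$ref` that does not point back at the same IAM instance is cheap and stops a consumer from following group links to some other host, or from acting on a group id that disagrees with its own reference; `isAdmin` defaults to `False` when the field is absent so the consumer fails closed.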

@enricovianello enricovianello self-assigned this May 28, 2024
@enricovianello enricovianello linked an issue May 28, 2024 that may be closed by this pull request
@enricovianello enricovianello changed the title Fix authorization on SCIM me endpoint Fix authorization on SCIM me endpoint and improve SCIM user extension Jun 3, 2024
@enricovianello enricovianello linked an issue Jun 3, 2024 that may be closed by this pull request

sonarcloud bot commented Jun 6, 2024

@enricovianello enricovianello merged commit cc5f166 into develop Jun 6, 2024
4 checks passed
@enricovianello enricovianello deleted the fix/scim branch June 6, 2024 13:01
Successfully merging this pull request may close these issues:

  • Expose attributes via the SCIM endpoint
  • Check authZ to scim/Me endpoint
2 participants