SSO: support non-toplevel attribute_requirements #14835

smoehrle · 2023-01-13T12:25:42Z

Description:

To the best of my knowledge, it is only possible to configure and check attribute requirements if the attribute is in the toplevel of the claim/access token.

Example
We use keycloak as OIDC provider. The access token of keycloak contains:

  "resource_access": {
    "{client-id}": {
      "roles": [
        "{client-role-1}",
        "{client-role-2}",
      ]
    }
  },

I want to allow authentication based on a assigned client-role which is nested inside multiple objects.

Possible solution
A solution could be to allow dot-notation for the attribute requiremtes to access nested elements

# homeserver.yaml
    oidc_providers:
    - idp_id: keycloak
      {...}
      attribute_requirements:
        - attribute: resource_access.{client-id}.roles
          value: {client-role-1}

Galbar · 2023-08-16T16:51:07Z

I have the same problem with nextcloud, where the groups are at ocs.data.groups. A possible solution would be to allow for a jinja template, like with other attributes.

Galbar · 2023-08-17T09:46:32Z

I managed by setting it like this:

enable_registration: false
localpart_template: "{% if '{client-role-1}' in user.ocs.data.groups %}{{ user.ocs.data.id }}{% endif %}"

It's not pretty but it does the job 🤷

matrixbot mentioned this issue Dec 21, 2023

SSO: support non-toplevel attribute_requirements element-hq/synapse#14835

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSO: support non-toplevel attribute_requirements #14835

SSO: support non-toplevel attribute_requirements #14835

smoehrle commented Jan 13, 2023

Galbar commented Aug 16, 2023

Galbar commented Aug 17, 2023

SSO: support non-toplevel attribute_requirements #14835

SSO: support non-toplevel attribute_requirements #14835

Comments

smoehrle commented Jan 13, 2023

Galbar commented Aug 16, 2023

Galbar commented Aug 17, 2023