Skip to content

OIDC group claim optional #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 15, 2021
Merged

OIDC group claim optional #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/node/cli.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ export interface Args extends VsArgs {
"openid-client-id"?: string
"openid-base-url"?: string
"openid-secret"?: string
"openid-group-claim"?: string
"openid-group-claim"?: OptionalString
"openid-user-group"?: string
"hashed-password"?: string
cert?: OptionalString
Expand Down Expand Up @@ -129,7 +129,7 @@ const options: Options<Required<Args>> = {
description: "A long secret used to encrypt the session cookie",
},
"openid-group-claim": {
type: "string",
type: OptionalString,
description: "A claim that contains the authenticated users group assignments",
},
"openid-user-group": {
Expand Down
20 changes: 17 additions & 3 deletions src/node/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,22 +72,36 @@ export const authenticated = (req: express.Request): boolean => {
: req.args.password && safeCompare(req.cookies.key, hash(req.args.password)))
)
case AuthType.Openid:
console.debug("authenticated using OpenID Connect as", req.oidc.user)

if (req.oidc.isAuthenticated()) {
console.debug("User is authenticated using OpenID Connect\n", req.oidc.user)

// Check to see if a group claim was specified.
// If there was no group claim specified the user will be considered authorized.
if (!req.args["openid-group-claim"]) {
return true
}

// With the user authenticated we need to check the group claims to make sure they're authorized.
for (const key in req.oidc.idTokenClaims) {
const claims = <string[]>req.oidc.idTokenClaims[key]
if (key === req.args["openid-group-claim"]) {
if (key === req.args["openid-group-claim"] && req.args["openid-group-claim"].value) {
for (const value in claims) {
if (req.args["openid-user-group"] === claims[value]) {
console.debug("User is authorized!\n", req.oidc.user)
return true
}
}
}
}

// Throw an error informing the user that they're unauthorized.
console.debug("User is not authorized!\n", req.oidc.user)
throw new HttpError("Unauthorized", HttpCode.Unauthorized)
}

// Returning false means the user isn't authenticated.
// This should trigger a redirect so the user can get authenticated.
console.debug("User is not authenticated using OpenID Connect\n", req.oidc.user)
return false

default:
Expand Down