Cadoles
/
hydra-werther
10
0
Fork 0
Code Issues Pull Requests Projects Releases 3 Wiki Activity

identp: fix retrieving the roles claim

This commit is contained in:
Nikolay Stupak 2019-08-06 14:19:02 +03:00 committed by Kostya Lepa
parent ee865701c8
commit b9a1c627a5
3 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -98,6 +98,15 @@ of the user role's claim `https://github.com/i-core/werther/claims/roles`.
``` ```
To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`. To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`.
Also you should map the custom name of the roles' claim to a roles's scope using the environment variable
`WERTHER_IDENTP_CLAIM_SCOPES` (the name must be [URL encoded][uri-spec-encoding]):
```bash
env WERTHER_LDAP_ROLE_CLAIM=https://my-company.com/claims/roles \
WERTHER_IDENTP_CLAIM_SCOPES=name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fmy-company.com%2Fclaims%2Froles:roles \
werther
```
For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims]. For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims].
**NB** There are cases when we need to create several roles with the same name in LDAP. **NB** There are cases when we need to create several roles with the same name in LDAP.
@ -353,3 +362,5 @@ The code in this project is licensed under [MIT license][license].
[oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html [oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html
[oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html [oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
[oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html [oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
[uri-spec-encoding]: https://tools.ietf.org/html/rfc3986#section-2

5
cmd/werther/main.go
View File

@ -11,6 +11,7 @@ import (
"flag" "flag"
"fmt" "fmt"
"net/http" "net/http"
"net/url"
"os" "os"
"github.com/i-core/rlog" "github.com/i-core/rlog"
@ -58,6 +59,10 @@ func main() {
fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err) fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err)
os.Exit(1) os.Exit(1)
} }
if _, ok := cnf.Identp.ClaimScopes[url.QueryEscape(cnf.LDAP.RoleClaim)]; !ok {
fmt.Fprintf(os.Stderr, "Roles claim %q has no mapping to an OpenID Connect scope\n", cnf.LDAP.RoleClaim)
os.Exit(1)
}
logFunc := zap.NewProduction logFunc := zap.NewProduction
if cnf.DevMode { if cnf.DevMode {

2
internal/identp/identp.go
View File

@ -29,7 +29,7 @@ const loginTmplName = "login.tmpl"
type Config struct { type Config struct {
HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"` HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"` SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,http%3A%2F%2Ffithub.com%2Fi-core.ru%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"` ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
} }
// UserManager is an interface that is used for authentication and providing user's claims. // UserManager is an interface that is used for authentication and providing user's claims.