identp: fix retrieving the roles claim

YAML needed additional indenting for it to work with docker compose, also the "-c" flag is required.

.travis.yml

@@ -17,7 +17,7 @@ cache:
     - "$GOPATH/pkg/mod"
     - "$GOPATH/bin"
 
-install: "(cd $HOME && go get -v github.com/golangci/golangci-lint/cmd/golangci-lint@v1.16.0)"
+install: curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.16.0
 
 script:
   - go test -v -coverprofile=coverage.txt ./...

README.md

@@ -98,6 +98,15 @@ of the user role's claim `https://github.com/i-core/werther/claims/roles`.
 ```
 
 To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`.
+Also you should map the custom name of the roles' claim to a roles's scope using the environment variable
+`WERTHER_IDENTP_CLAIM_SCOPES` (the name must be [URL encoded][uri-spec-encoding]):
+
+```bash
+env WERTHER_LDAP_ROLE_CLAIM=https://my-company.com/claims/roles                                                                                     \
+    WERTHER_IDENTP_CLAIM_SCOPES=name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fmy-company.com%2Fclaims%2Froles:roles \
+    werther
+```
+
 For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims].
 
 **NB** There are cases when we need to create several roles with the same name in LDAP.
@@ -204,93 +213,98 @@ For a full example of a login page's template see [source code](internal/web/tem
     ```yaml
     version: "3"
     services:
-    hydra-client:
+        hydra-client:
-        image: oryd/hydra:v1.0.0-rc.12
+            image: oryd/hydra:v1.0.0-rc.12
-        environment:
+            environment:
-            HYDRA_ADMIN_URL: http://hydra:4445
+                HYDRA_ADMIN_URL: http://hydra:4445
-        command:
+            command:
-            - clients
+                - clients
-            - create
+                - create
-            - --skip-tls-verify
+                - --skip-tls-verify
-            - --id
+                - --id
-            - test-client
+                - test-client
-            - --secret
+                - --secret
-            - test-secret
+                - test-secret
-            - --response-types
+                - --response-types
-            - id_token,token,"id_token token"
+                - id_token,token,"id_token token"
-            - --grant-types
+                - --grant-types
-            - implicit
+                - implicit
-            - --scope
+                - --scope
-            - openid,profile,email
+                - openid,profile,email
-            - --callbacks
+                - --callbacks
-            - http://localhost:3000
+                - http://localhost:3000
-            - --post-logout-callbacks
+                - --post-logout-callbacks
-            - http://localhost:3000/post-logout-callback
+                - http://localhost:3000/post-logout-callback
-        networks:
+            networks:
-            - hydra-net
+                - hydra-net
-        deploy:
+            deploy:
-            restart_policy:
+                restart_policy:
-                condition: none
+                    condition: none
-        depends_on:
+            depends_on:
-            - hydra
+                - hydra
-    hydra:
+            healthcheck:
-        image: oryd/hydra:v1.0.0-rc.12
+                test: ["CMD", "curl", "-f", "http://hydra:4445"]
-        environment:
+                interval: 10s
-            URLS_SELF_ISSUER: http://localhost:4444
+                timeout: 10s
-            URLS_SELF_PUBLIC: http://localhost:4444
+                retries: 10
-            URLS_LOGIN: http://localhost:8080/auth/login
+        hydra:
-            URLS_CONSENT: http://localhost:8080/auth/consent
+            image: oryd/hydra:v1.0.0-rc.12
-            URLS_LOGOUT: http://localhost:8080/auth/logout
+            environment:
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
+                URLS_SELF_ISSUER: http://localhost:4444
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
+                URLS_SELF_PUBLIC: http://localhost:4444
-            DSN: memory
+                URLS_LOGIN: http://localhost:8080/auth/login
-        command: serve all --dangerous-force-http
+                URLS_CONSENT: http://localhost:8080/auth/consent
-        networks:
+                URLS_LOGOUT: http://localhost:8080/auth/logout
-            - hydra-net
+                WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
-        ports:
+                WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
-            - "4444:4444"
+                DSN: memory
-            - "4445:4445"
+            command: serve all --dangerous-force-http
-        deploy:
+            networks:
-            restart_policy:
+                - hydra-net
-                condition: on-failure
+            ports:
-        depends_on:
+                - "4444:4444"
-            - werther
+                - "4445:4445"
-    werther:
+            deploy:
-        image: icoreru/werther:v1.0.0
+                restart_policy:
-        environment:
+                    condition: on-failure
-            WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
+            depends_on:
-            WERTHER_LDAP_ENDPOINTS: ldap:389
+                - werther
-            WERTHER_LDAP_BINDDN: cn=admin,dc=example,dc=com
+        werther:
-            WERTHER_LDAP_BINDPW: password
+            image: icoreru/werther:v1.0.0
-            WERTHER_LDAP_BASEDN: "dc=example,dc=com"
+            environment:
-            WERTHER_LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
+                WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
-        networks:
+                WERTHER_LDAP_ENDPOINTS: ldap:389
-            - hydra-net
+                WERTHER_LDAP_BINDDN: cn=admin,dc=example,dc=com
-        ports:
+                WERTHER_LDAP_BINDPW: password
-            - "8080:8080"
+                WERTHER_LDAP_BASEDN: "dc=example,dc=com"
-        deploy:
+                WERTHER_LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
-            restart_policy:
+            networks:
-                condition: on-failure
+                - hydra-net
-        depends_on:
+            ports:
-            - ldap
+                - "8080:8080"
-    ldap:
+            deploy:
-        image: pgarrett/ldap-alpine
+                restart_policy:
-        volumes:
+                    condition: on-failure
-            - "./ldap.ldif:/ldif/ldap.ldif"
+            depends_on:
-        networks:
+                - ldap
-            - hydra-net
+        ldap:
-        ports:
+            image: pgarrett/ldap-alpine
-            - "389:389"
+            volumes:
-        deploy:
+                - "./ldap.ldif:/ldif/ldap.ldif"
-            restart_policy:
+            networks:
-                condition: on-failure
+                - hydra-net
+            ports:
+                - "389:389"
+            deploy:
+                restart_policy:
+                    condition: on-failure
     networks:
         hydra-net:
     ```
 
 3. Run the command:
     ```bash
-    docker stack deploy docker-compose.yml auth
+    docker stack deploy -c docker-compose.yml auth
     ```
 
 4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678.
@@ -348,3 +362,5 @@ The code in this project is licensed under [MIT license][license].
 [oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html
 [oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
 [oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
+
+[uri-spec-encoding]: https://tools.ietf.org/html/rfc3986#section-2

cmd/werther/main.go

@@ -11,6 +11,7 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 
 	"github.com/i-core/rlog"
@@ -58,6 +59,10 @@ func main() {
 		fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err)
 		os.Exit(1)
 	}
+	if _, ok := cnf.Identp.ClaimScopes[url.QueryEscape(cnf.LDAP.RoleClaim)]; !ok {
+		fmt.Fprintf(os.Stderr, "Roles claim %q has no mapping to an OpenID Connect scope\n", cnf.LDAP.RoleClaim)
+		os.Exit(1)
+	}
 
 	logFunc := zap.NewProduction
 	if cnf.DevMode {

internal/identp/identp.go

@@ -29,7 +29,7 @@ const loginTmplName = "login.tmpl"
 type Config struct {
 	HydraURL    string            `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
 	SessionTTL  time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
-	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,http%3A%2F%2Ffithub.com%2Fi-core.ru%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
+	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.