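--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -75,8 +75,11 @@ type Config struct {
 InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
 
 // InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
-InsecureEnableGroups bool `json:"insecureEnableGroups"`
-AllowedGroups []string `json:"allowedGroups"`
+InsecureEnableGroups bool `json:"insecureEnableGroups"`
+// Restricts login to users that are members of at least one of the specified groups. This is only effective if groups claims are enabled.
+AllowedGroups []string `json:"allowedGroups"`
+// ForwardAllGroups, if true, will forward all groups from the IdP instead of only the allowed groups when AllowedGroups is set. This is only effective if groups claims are enabled.
+ForwardAllGroups bool `json:"forwardAllGroups"`
 
 // AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
 // within the Authentication Request that the Authorization Server is being requested to use for
@@ -361,6 +364,7 @@ func (c *Config) Open(id string, logger *slog.Logger) (conn connector.Connector,
 insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
 insecureEnableGroups: c.InsecureEnableGroups,
 allowedGroups: c.AllowedGroups,
+forwardAllGroups: c.ForwardAllGroups,
 acrValues: c.AcrValues,
 getUserInfo: c.GetUserInfo,
 promptType: promptType,
@@ -395,6 +399,7 @@ type oidcConnector struct {
 insecureSkipEmailVerified bool
 insecureEnableGroups bool
 allowedGroups []string
+forwardAllGroups bool
 acrValues []string
 getUserInfo bool
 promptType string
@@ -675,7 +680,10 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 return identity, fmt.Errorf("user not a member of allowed groups")
 }
 
-groups = groupMatches
+// By default only the `allowedGroups` are sent in the token
+if !c.forwardAllGroups {
+groups = groupMatches
+}
 }
 }
 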
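Review bot: The comment above the new `if !c.forwardAllGroups` in createIdentity says what is sent by default but not that the allowed-group membership check immediately above it is still enforced when forwarding is on, which is the security-relevant part of this flag and the first thing a reader auditing the allow-list will ask; `// Membership in allowedGroups was already enforced above; forwardAllGroups only widens the groups claim handed to clients from groupMatches to the full groups list.` Whether the full list is further filtered (prefix, regex) after this point is not visible here, and createIdentity starts and ends outside the hunk. In the Config hunk, the doc comment added for `AllowedGroups` does not begin with the field name, unlike the neighbouring `InsecureEnableGroups` and `ForwardAllGroups` comments, so doc tooling will not attach it; `// AllowedGroups restricts login to users that are members of at least one of the specified groups. This is only effective if groups claims are enabled.`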
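--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@@ -63,6 +63,8 @@ func TestHandleCallback(t *testing.T) {
 expectPreferredUsername string
 expectedEmailField string
 token map[string]interface{}
+allowedGroups []string
+forwardAllGroups bool
 groupsRegex string
 newGroupFromClaims []NewGroupFromClaims
 groupsPrefix string
@@ -485,6 +487,41 @@ func TestHandleCallback(t *testing.T) {
 "email_verified": true,
 },
 },
+{
+name: "allowedGroups",
+userIDKey: "", // not configured
+userNameKey: "", // not configured
+expectUserID: "subvalue",
+expectUserName: "namevalue",
+allowedGroups: []string{"group1", "group2"},
+expectGroups: []string{"group1", "group2"},
+expectedEmailField: "emailvalue",
+token: map[string]interface{}{
+"sub": "subvalue",
+"name": "namevalue",
+"groups": []string{"group1", "group2", "groupA", "groupB"},
+"email": "emailvalue",
+"email_verified": true,
+},
+},
+{
+name: "allowedGroupsForwardAllGroups",
+userIDKey: "", // not configured
+userNameKey: "", // not configured
+expectUserID: "subvalue",
+expectUserName: "namevalue",
+allowedGroups: []string{"group1", "group2"},
+forwardAllGroups: true,
+expectGroups: []string{"group1", "group2", "groupA", "groupB"},
+expectedEmailField: "emailvalue",
+token: map[string]interface{}{
+"sub": "subvalue",
+"name": "namevalue",
+"groups": []string{"group1", "group2", "groupA", "groupB"},
+"email": "emailvalue",
+"email_verified": true,
+},
+},
 {
 name: "S256PKCEChallenge",
 userIDKey: "", // not configured
@@ -548,6 +585,8 @@ func TestHandleCallback(t *testing.T) {
 UserNameKey: tc.userNameKey,
 InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
 InsecureEnableGroups: true,
+AllowedGroups: tc.allowedGroups,
+ForwardAllGroups: tc.forwardAllGroups,
 BasicAuthUnsupported: &basicAuth,
 OverrideClaimMapping: tc.overrideClaimMapping,
 PKCEChallenge: tc.pkceChallenge,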
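Review bot: Both new table cases in the second hunk put the user inside `allowedGroups`, so nothing pins that a user outside the allow-list is still rejected once `forwardAllGroups` is true, which is the regression that would matter if the membership check and the forwarding branch ever got reordered. A third case with `allowedGroups: []string{"group1"}`, `forwardAllGroups: true` and a token whose `"groups"` is `[]string{"groupA"}` should expect the "user not a member of allowed groups" failure; whether the table already has a field for an expected error is not visible in these hunks. Note also that `expectGroups` in the forward-all case relies on the order of the `groups` claim surviving unchanged, which holds only if the comparison in the test body is order-sensitive and the connector does not reorder. TestHandleCallback starts and ends outside the hunks.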