Add OIDC group and admin claim syncing #5
Open
Hudint wants to merge 1 commit into
Optionally mirror identity-provider state onto users on each OIDC login (new and existing). OidcConfig gains groups_claim, admin_claim, admin_group and additional_scopes, all defaulting to empty so nothing changes unless configured. Additional claims are captured via serde flatten; admin is granted when admin_claim is truthy or the user is in admin_group. Apps consume the result through the new AuthImpl::sync_oidc_user_claims hook, which defaults to a no-op.
What
Adds opt-in syncing of identity-provider state onto users on each OIDC login (both new registrations and existing users).
`OidcConfig` gains four optional fields, all defaulting to empty so behavior is unchanged unless configured:

- `groups_claim` — claim holding the user's groups (array or single string)
- `admin_claim` — claim signalling admin (bool, or truthy string / number)
- `admin_group` — group whose members are treated as admin (matched against `groups_claim`)
- `additional_scopes` — extra scopes to request, e.g. `groups`

How
- `UsernameAdditionalClaims` captures arbitrary extra claims via `#[serde(flatten)]`.
- `OidcProvider::get_groups_and_admin` reads groups + admin from the id token, falling back to userinfo only for what is still missing.
- `admin_claim` is truthy OR the user is a member of `admin_group` (see `resolve_admin`).
- `AuthImpl::sync_oidc_user_claims` hook, which defaults to a no-op, so existing implementations are unaffected.
- Includes unit tests for claim parsing, admin resolution and config backwards-compatibility.
Motivation
Lets downstream apps map identity-provider groups onto their own groups and grant admin straight from the IdP, instead of managing it manually after each login.
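The claim-resolution flow the PR describes, as an added example that is not the PR's or the project's own code: it models claims with a small hand-written `Claim` enum instead of serde so it compiles with no external crates. The names `OidcConfig`, `get_groups_and_admin`, `resolve_admin` and `AuthImpl::sync_oidc_user_claims` mirror the description; their signatures, the set of strings treated as truthy (`true`, `1`, `yes`), the `User` struct, the `MirrorIdp` implementation and the sample tokens are assumptions.

```rust
// Added example, not code from the PR. Claim shapes and signatures are assumptions.
use std::collections::BTreeMap;

/// Minimal stand-in for a JSON claim value (serde_json::Value in real code).
#[derive(Clone, Debug, PartialEq)]
pub enum Claim { Bool(bool), Num(f64), Str(String), Arr(Vec<Claim>) }

pub type Claims = BTreeMap<String, Claim>;

/// Mirrors the four optional fields the PR adds; all empty by default.
#[derive(Default, Clone, Debug)]
pub struct OidcConfig {
    pub groups_claim: Option<String>,
    pub admin_claim: Option<String>,
    pub admin_group: Option<String>,
    pub additional_scopes: Vec<String>,
}

/// A groups claim may be an array of strings or a single string; anything else is ignored.
fn parse_groups(c: &Claim) -> Vec<String> {
    match c {
        Claim::Str(s) => vec![s.clone()],
        Claim::Arr(items) => items.iter()
            .filter_map(|i| if let Claim::Str(s) = i { Some(s.clone()) } else { None })
            .collect(),
        _ => Vec::new(),
    }
}

/// Truthiness for the admin claim: bool, non-zero number, or one of a fixed set of strings
/// (assumed set). Note that the string "false" is deliberately NOT truthy.
fn claim_is_truthy(c: &Claim) -> bool {
    match c {
        Claim::Bool(b) => *b,
        Claim::Num(n) => *n != 0.0,
        Claim::Str(s) => matches!(s.trim().to_ascii_lowercase().as_str(), "true" | "1" | "yes"),
        Claim::Arr(_) => false,
    }
}

/// Admin when the admin claim is truthy OR the user belongs to the configured admin group.
pub fn resolve_admin(cfg: &OidcConfig, admin_claim: Option<&Claim>, groups: &[String]) -> bool {
    let by_claim = admin_claim.map(claim_is_truthy).unwrap_or(false);
    let by_group = cfg.admin_group.as_deref().map(|g| groups.iter().any(|x| x == g)).unwrap_or(false);
    by_claim || by_group
}

/// Prefer the id token; consult userinfo only for a claim the id token lacks.
fn lookup<'a>(name: &str, id_token: &'a Claims, userinfo: &'a Claims) -> Option<&'a Claim> {
    id_token.get(name).or_else(|| userinfo.get(name))
}

pub fn get_groups_and_admin(cfg: &OidcConfig, id_token: &Claims, userinfo: &Claims) -> (Vec<String>, bool) {
    let groups = cfg.groups_claim.as_deref()
        .and_then(|n| lookup(n, id_token, userinfo))
        .map(parse_groups).unwrap_or_default();
    let admin_claim = cfg.admin_claim.as_deref().and_then(|n| lookup(n, id_token, userinfo));
    let admin = resolve_admin(cfg, admin_claim, &groups);
    (groups, admin)
}

pub struct User { pub username: String, pub groups: Vec<String>, pub is_admin: bool }

/// The hook defaults to a no-op, so an app that does not override it mirrors nothing.
pub trait AuthImpl {
    fn sync_oidc_user_claims(&self, _user: &mut User, _groups: &[String], _admin: bool) {}
}

/// An app that chooses to mirror IdP state onto its own user record (assumed implementation).
pub struct MirrorIdp;
impl AuthImpl for MirrorIdp {
    fn sync_oidc_user_claims(&self, user: &mut User, groups: &[String], admin: bool) {
        user.groups = groups.to_vec();
        user.is_admin = admin;
    }
}

/// Runs on every OIDC login, for new and existing users alike.
pub fn on_login<A: AuthImpl>(auth: &A, cfg: &OidcConfig, user: &mut User, id_token: &Claims, userinfo: &Claims) {
    let (groups, admin) = get_groups_and_admin(cfg, id_token, userinfo);
    auth.sync_oidc_user_claims(user, &groups, admin);
}

/// Constructed sample: groups arrive in the id token, the admin flag only in userinfo.
pub fn sample() -> (OidcConfig, Claims, Claims) {
    let cfg = OidcConfig {
        groups_claim: Some("groups".into()),
        admin_claim: Some("is_admin".into()),
        admin_group: Some("platform-admins".into()),
        additional_scopes: vec!["groups".into()],
    };
    let mut id_token = Claims::new();
    id_token.insert("sub".into(), Claim::Str("alice".into()));
    id_token.insert("groups".into(), Claim::Arr(vec![Claim::Str("devs".into()), Claim::Str("qa".into())]));
    let mut userinfo = Claims::new();
    userinfo.insert("is_admin".into(), Claim::Str("false".into()));
    (cfg, id_token, userinfo)
}

fn main() {
    let (cfg, id_token, userinfo) = sample();
    let mut user = User { username: "alice".into(), groups: vec![], is_admin: false };
    on_login(&MirrorIdp, &cfg, &mut user, &id_token, &userinfo);
    println!("groups={:?} admin={}", user.groups, user.is_admin);
}
```

Two behaviours worth checking when reviewing a change like this: the id token value must take precedence over userinfo for a claim present in both (so a stale userinfo response cannot override it), and a string admin claim such as `"false"` must not be treated as truthy. Because the hook is a no-op by default, an app that does not override `sync_oidc_user_claims` sees no change to its users even with all four config fields set.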