site_selector: Add redirect capabilities #3

Open. Wants to merge 4 commits into base: main
Conversation

mickenordin (Member) commented Feb 28, 2024

With this patch set we get the possibility to set a redirect_url in the config of the microservice. That will result in a redirect to this URL if the authentication is not successful.

The redirect looks like this:

https://portal.drive.test.sunet.se/?context=eyJ1c2VyX2lkIjogInRlbmUzMjUzQHN1LnNlIiwgImRpc3BsYXluYW1lIjogIlRlc3QgTmV4dGNsb3VkIiwgInRpbWVzdGFtcCI6ICIyMDI0LTAyLTI4VDEwOjE1OjQyLjI2M1oiLCAiaXNzdWVyIjogImh0dHBzOi8vaWRwLml0LnN1LnNlL2lkcC9zaGliYm9sZXRoIiwgInNlcnZpY2UiOiAiaHR0cHM6Ly9zdW5ldC5kcml2ZS50ZXN0LnN1bmV0LnNlL2luZGV4LnBocC9hcHBzL3VzZXJfc2FtbC9zYW1sL21ldGFkYXRhIiwgInNlc3Npb25faWQiOiAidXJuOnV1aWQ6MjA2YmE1Y2EtYzAxZC00MTBhLWE5ZGEtYmYyNGJiOWI4NTdhIn0%3D

The context parameter in this URL is a URL- and base64-encoded JSON string that looks like this when decoded:

```json
{"user_id": "[email protected]", "displayname": "Test Nextcloud", "timestamp": "2024-02-28T10:15:42.263Z", "issuer": "https://idp.it.su.se/idp/shibboleth", "service": "https://sunet.drive.test.sunet.se/index.php/apps/user_saml/saml/metadata", "session_id": "urn:uuid:206ba5ca-c01d-410a-a9da-bf24bb9b857a"}
```

This code has been successfully tested in Sunet Drive satosa running version 8.4.0.

This patch makes it possible to configure a redirect_url that will be called if no access rule matches.
The redirect will also get a payload that looks like this:

```python
# internal_data and context are the objects the microservice receives from SATOSA;
# service_id is the id of the requested service.
{
    "user_id": internal_data.subject_id,
    "displayname": (internal_data.attribute.get("displayname") or ["Unknown"])[0],
    "timestamp": internal_data.auth_info.timestamp,
    "issuer": internal_data.auth_info.issuer,
    "service": service_id,
    "session_id": context.state.session_id
}
```

If the redirect_url is not configured, the old behaviour with an exception is kept.
Instead of having everything in cleartext, we base64 encode a JSON object that we can unpack on the other side.
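The round trip described above, as an added example that is not code from this PR or from SATOSA: the sending side builds the `?context=` parameter from the payload (JSON, then base64, then URL-encoded, which is why the PR's example URL ends in `%3D`), and the receiving side recovers it while rejecting a missing, malformed or incomplete parameter. The hostnames, the `SAMPLE_PAYLOAD` values and the helper names are constructed for this example; only the payload keys come from the PR description. Note that base64 is reversible encoding, not encryption or a signature, so the receiving side gets integrity and confidentiality only from the transport and from trusting the party that issued the redirect.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Keys of the context payload as listed in the PR description.
CONTEXT_KEYS = ("user_id", "displayname", "timestamp", "issuer",
                "service", "session_id")

# Constructed sample values; the PR's real hosts and ids are not reused here.
SAMPLE_PAYLOAD = {
    "user_id": "[email protected]",
    "displayname": "Test User",
    "timestamp": "2024-02-28T10:15:42.263Z",
    "issuer": "https://idp.example.test/idp/shibboleth",
    "service": "https://drive.example.test/index.php/apps/user_saml/saml/metadata",
    "session_id": "urn:uuid:00000000-0000-4000-8000-000000000000",
}


def encode_context(payload) -> str:
    """Serialise the payload as JSON and base64-encode it (standard alphabet)."""
    raw = json.dumps(payload).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_redirect_url(redirect_url: str, payload: dict) -> str:
    """Append context=<base64 JSON> to the configured redirect_url.

    urlencode percent-encodes the base64 padding and any '+' or '/', so the
    value survives as a single query parameter (padding shows up as %3D).
    """
    separator = "&" if urlparse(redirect_url).query else "?"
    return redirect_url + separator + urlencode({"context": encode_context(payload)})


def decode_context(url: str):
    """Receiving side: recover the payload from a redirect URL.

    Returns the dict on success, or None when the parameter is missing,
    is not valid base64, is not JSON, is not an object, or lacks one of
    the expected keys. Decoding proves nothing about who produced the
    value; that trust has to come from the redirect's origin.
    """
    query = parse_qs(urlparse(url).query)  # parse_qs already percent-decodes
    values = query.get("context")
    if not values:
        return None
    try:
        raw = base64.b64decode(values[0], validate=True)
        payload = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not isinstance(payload, dict) or any(k not in payload for k in CONTEXT_KEYS):
        return None
    return payload


if __name__ == "__main__":
    url = build_redirect_url("https://portal.example.test/", SAMPLE_PAYLOAD)
    print(url)
    print(decode_context(url))
```

`decode_context` deliberately returns `None` rather than raising, so a portal can fall back to its normal "not signed in" page when the parameter is absent or has been mangled in transit.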