Feature: Groups support for OIDC #4506
Conversation
|
I got user groups working with Authelia!
Now we need to figure out how to grab and feed groups from the other strategies. |
|
I've built a couple docker images for testing and they are now available, they include @mstrhakr/passport-openidconnect to get groups working. Available Images: |
|
This look good to me. Other authentication strategies like Google, Reddit, GitHub, etc do not have user groups that I know off or in any case, would likely not benefit from user groups sync. This is work in progress, but I am ok merging it if you like. I will review the code for security, but so far, this is really good. I like how you reused the LDAP groups sync for OpenID. |
|
This pull request introduces 2 alerts when merging 556ca37 into b62e555 - view on LGTM.com new alerts:
|
mstrhakr
force-pushed
the
oidc-groups
branch
2 times, most recently
from
8f4e9c9 to
ea9a5b6
Compare
mstrhakr
force-pushed
the
oidc-groups
branch
from
ea9a5b6 to
b62e555
Compare
Supports choosing groups to.. -Allow or restrict login to server -Sync with user groups (with / without filter) -Grant or revoke site admin privileges
|
Please ignore all the crazy git nonsense I caused. I'm clearly an idiot because I decided to mess with the commits to make it look nicer. HA. Anyway, This is working great at the moment. It still require that custom module but it's a brand new fork of what we were already using with only the groups modification and the scope fix added. Dockers are building if anyone want's to test with that. Really, the only thing I would say definitely needs testing is that the LDAP groups all still sync like you expect them to. I don't have that setup in Meshcentral at the moment but I can test it eventually. Well that and I wanted to ask if the way I'm doing the siteadmin stuff is okay or not. I think its okay, as it does work, it just was a little weird from my perspective. |
mstrhakr
changed the title
|
Ok, working on testing it now. |
|
I just checked in a bunch of changes. I added the "SiteAdmin" feature to LDAP, I think that is a great idea. I also changed the debugging to debug to 'authlog`, this way you can see it on the web site in the "My Server / Trace" tab.
Once I release this with 1.0.83, can you test this again and make sure everything still works for you? - Thanks. |
|
This looks great, I like that authlog bit, obviously I didn't know about that. I'll build myself a docker once it's live unless you want me to test now, it all looks amazing though. |
|
I just published v1.0.83, do let me know if it works for you. Tomorrow is my last day before 6 weeks vacation, but will be around a bit. |
|
Just noticed that OpenID-Client does not support older NodeJS versions, so added a warning on this:
|
So far I'm only able to test OIDC, but even that doesn't work at the moment.
There are some partially working bits, like checking requiredgroups and denying login.
This requires (for OIDC) a custom passport-openidconnect module until the pull to add group support goes through.
I would need help setting up the other auth strategies as I don't use any of the others.