
[Enhancement]: Allow specification of OIDC user role and permissions with attribute mappings #2523

Closed
DonQuinleone opened this issue Jan 18, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@DonQuinleone

Describe the feature/enhancement

I have managed to configure OIDC authentication for ABS, which is working brilliantly, but if I want to make someone an admin or give them additional permissions, this still has to be done via ABS' admin page.

It would be much better if we could manage roles and permissions via the OIDC provider, so can you add support for claims and attribute mappings to add this functionality please?

DonQuinleone added the enhancement (New feature or request) label on Jan 18, 2024

@Sapd (Contributor)

Sapd commented Jan 25, 2024

I think I would implement it like this:

```jsonc
{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "john.doe@example.com",
  "groups": ["user"], // Can include user, admin or guest; the highest will be taken. Names configurable and scope name configurable
  "abspermissions": { // name of the scope configurable
    "canDownload": true,
    "canUpload": false,
    "canDelete": false,
    "canAccessExplicitContent": true,
    "canAccessAllLibraries": false,
    "allowedLibraries": ["Library1", "Library2"],
    "canAccessAllTags": false,
    "allowedTags": ["Tag1", "Tag2"]
  }
}
```

While making the names of the claims `groups` and `abspermissions` configurable.
Also, the names of the groups themselves would be configurable, so the names for user, admin and guest.
But I would not make the names of the permissions inside `abspermissions` configurable, given the complexity; one should be able to just add that JSON into the claims of the IdP.

So in the end basically we would have 5 new options in the Admin-Page to configure. All being optional.

What do you think?
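A worked mapping of the claim layout proposed in this comment, added here as an example; it is not Audiobookshelf's code or the code from the later PR, and the function names `resolveRole`, `resolvePermissions` and `mapClaims` are made up for illustration. The two claim names are the configurable options, the permission keys inside the permissions claim are fixed, the highest known group wins, and unknown or wrongly typed values are dropped rather than trusted. It assumes `claims` is the payload of an ID token whose signature, issuer, audience and expiry have already been verified.

```javascript
const ROLE_RANK = { guest: 0, user: 1, admin: 2 };

// Permission keys accepted from the IdP and the type each must have;
// unknown keys are ignored and wrongly typed values are dropped.
const PERMISSION_TYPES = {
  canDownload: 'boolean', canUpload: 'boolean', canDelete: 'boolean',
  canAccessExplicitContent: 'boolean', canAccessAllLibraries: 'boolean',
  canAccessAllTags: 'boolean', allowedLibraries: 'string[]', allowedTags: 'string[]',
};

const isStringArray = (v) => Array.isArray(v) && v.every((x) => typeof x === 'string');
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Highest-ranked known group wins. Returns null when the claim is missing or names
// no known group, so the caller can leave the user's current ABS role untouched.
function resolveRole(claims, groupClaim = 'groups') {
  const groups = claims[groupClaim];
  if (!isStringArray(groups)) return null;
  let best = null;
  for (const g of groups) {
    // hasOwn rather than `in`, so prototype names like "constructor" never match a role
    if (hasOwn(ROLE_RANK, g) && (best === null || ROLE_RANK[g] > ROLE_RANK[best])) best = g;
  }
  return best;
}

// Keeps only known, well-typed keys; null when the claim is absent or not an object.
function resolvePermissions(claims, permClaim = 'abspermissions') {
  const raw = claims[permClaim];
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) return null;
  const out = {};
  for (const [key, type] of Object.entries(PERMISSION_TYPES)) {
    const v = raw[key];
    if (type === 'boolean' && typeof v === 'boolean') out[key] = v;
    else if (type === 'string[]' && isStringArray(v)) out[key] = [...v];
  }
  return out;
}

// Claim names are the two configurable options; the defaults match the proposal above.
function mapClaims(claims, { groupClaim = 'groups', permClaim = 'abspermissions' } = {}) {
  return { role: resolveRole(claims, groupClaim), permissions: resolvePermissions(claims, permClaim) };
}

// Constructed sample ID-token payload (not from a real IdP): one junk group name
// and one wrongly typed permission show what the mapping drops.
const SAMPLE_CLAIMS = {
  sub: '1234567890',
  groups: ['user', 'admin', 'constructor'],
  abspermissions: { canDownload: true, canUpload: 'yes', allowedLibraries: ['Library1'], bogus: true },
};
```

A null role or permission result means the claim was not present, so a caller can keep whatever was set on the ABS admin page instead of overwriting it.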

@DonQuinleone (Author)

@Sapd This sounds like a great approach.

I don't think it's necessary to make the names of the "user", "admin" and "guest" groups customisable, since we can just map our own group names to these at the IdP. Simpler to keep these aligned with what is used at present.

I do like the suggestion of making the two scope names configurable, however.

Very happy to help with testing once a PR has been submitted.

Thanks!

@Sapd (Contributor)

Sapd commented Mar 19, 2024

Implemented in PR #2769

@advplyr (Owner)

advplyr commented Apr 22, 2024

Added in v2.9.0
