OpenID: Integrate permissions (Fixes #2523) #2769
Merged
Integrate full permission support.
The user can configure (all optional and independent):
If not configured, it will, like before, simply assign "user".
If the whole claim (if configured) is missing, login will be denied. If a parameter like `canDownload` is missing, it will be treated as `false`. If an unknown parameter is provided, login will be denied. If the user is an admin, it will be ignored.

Can be tested with Authentik like this:
Here is an example expression, which adds the "admin" group if the user is in the "Dev" authentik group:
For the advanced permissions, do the same and name the scope something like "abspermissions".
Note that here (in Python?) the booleans must be upper case.
Also make sure that after saving you click on "Test" beside the mapping and select a test user. It should show, for the first mapping, the correct groups, including for example user or admin; for the second, the claim.
Then go to Providers -> Select your ABS provider -> Edit -> Advanced Protocol Settings. And select additionally your new mappings.
I tested it extensively, but make sure to also do some tests.
Also, what's a bit weird in the code, I noticed we use:
around line 83. But at other places:
Not sure if this has a specific purpose, but we should probably make it consistent, esp. as the first S has a different case but means the same variable.
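The claim-handling rules described in the PR (missing claim denies login, a missing parameter such as `canDownload` counts as `false`, an unknown parameter denies login, admins skip the permissions claim), written out as an added example that is not audiobookshelf's own code. The claim names `groups` and `abspermissions`, the permission keys other than `canDownload`, and the rule that a group claim naming neither `admin` nor `user` denies login are assumptions.

```javascript
// Added example, not the project's implementation. Evaluates OpenID claims against
// the rules in the PR description; claim names and extra permission keys are assumed.
const DEFAULT_GROUP = 'user'
// Assumed permission keys the claim may carry (only canDownload is named in the PR).
const KNOWN_PERMISSIONS = ['canDownload', 'canUpload', 'canDelete']

// Resolve the user's group from the configured group claim.
function resolveGroup(claims, groupClaimName) {
  // Claim not configured: behave as before and assign "user".
  if (!groupClaimName) return { ok: true, group: DEFAULT_GROUP }
  const value = claims[groupClaimName]
  if (value === undefined) return { ok: false, reason: `missing claim "${groupClaimName}"` }
  const groups = Array.isArray(value) ? value : [value]
  if (groups.includes('admin')) return { ok: true, group: 'admin' }
  if (groups.includes('user')) return { ok: true, group: 'user' }
  // Assumption: a claim that names neither known group is treated as a denial.
  return { ok: false, reason: 'no recognised group in claim' }
}

// Resolve advanced permissions from the configured permissions claim.
function resolvePermissions(claims, permClaimName, group) {
  if (!permClaimName) return { ok: true, permissions: null } // not configured
  if (group === 'admin') return { ok: true, permissions: null } // ignored for admins
  const value = claims[permClaimName]
  if (value === undefined || value === null || typeof value !== 'object') {
    return { ok: false, reason: `missing claim "${permClaimName}"` }
  }
  const unknown = Object.keys(value).filter((k) => !KNOWN_PERMISSIONS.includes(k))
  if (unknown.length) return { ok: false, reason: `unknown permission(s): ${unknown.join(', ')}` }
  const permissions = {}
  // A missing key, or any non-boolean value, is treated as false.
  for (const key of KNOWN_PERMISSIONS) permissions[key] = value[key] === true
  return { ok: true, permissions }
}

// Combine both checks into one login decision.
function evaluateLogin(claims, { groupClaim, permissionsClaim } = {}) {
  const g = resolveGroup(claims, groupClaim)
  if (!g.ok) return { allowed: false, reason: g.reason }
  const p = resolvePermissions(claims, permissionsClaim, g.group)
  if (!p.ok) return { allowed: false, reason: p.reason }
  return { allowed: true, group: g.group, permissions: p.permissions }
}

// Constructed sample claims, as an identity provider might return them.
const sampleClaims = { groups: ['Dev', 'user'], abspermissions: { canDownload: true } }
console.log(evaluateLogin(sampleClaims, { groupClaim: 'groups', permissionsClaim: 'abspermissions' }))
```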