Role/group restrictions using OpenID

[rinshadka]

HI,

I have tried server CE and used the OpenID authentication setup using a Keycloak service and was successfully able to implement authentication for all the users in my keycloak Realm. Actually I wanted to allow login support for users having a particular role or users which comes under a particular group. I couldn't find a configuration for those extra filtering. Used below config options:-

  "auth": {
    "sessionSecret": "",
    "openId": {
      "realm": "https://my-keycloak-url.com/auth/realms/xxxxx",
      "clientId": "my id",
      "clientSecret": "my secret"
    }
  },

Thanks.

[eatonphil]

Good question! This does not exist yet but I'd be open to a pull request that changes server/auth.ts to do this.

I think what would need to happen is that both the groups you wish to restrict to would need to be a config option, and the scope name to request/key by would need to be configurable too since I don't think there's a standard name for a group scope.

So for example the new auth config might be:

 "auth": {
    "sessionSecret": "",
    "openId": {
      "realm": "https://my-keycloak-url.com/auth/realms/xxxxx",
      "clientId": "my id",
      "clientSecret": "my secret",
      "groups": {
        "scopeName": "roles",
        "names": ["group 1", "group 2"]
      },
    }
  },