
Minimalistic support for group filtering in oidc connector (#3074)

Signed-off-by: Pradeep Mudlapur <pradeep@juliacomputing.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
Pradeep Mudlapur 2 years ago committed by GitHub
415ddaa3da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 18
      connector/oidc/oidc.go

18
connector/oidc/oidc.go

@ -15,6 +15,7 @@ import (
"golang.org/x/oauth2"
"github.com/dexidp/dex/connector"
groups_pkg "github.com/dexidp/dex/pkg/groups"
"github.com/dexidp/dex/pkg/httpclient"
"github.com/dexidp/dex/pkg/log"
)
@ -50,7 +51,8 @@ type Config struct {
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
InsecureEnableGroups bool `json:"insecureEnableGroups"`
InsecureEnableGroups bool `json:"insecureEnableGroups"`
AllowedGroups []string `json:"allowedGroups"`
// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
// within the Authentication Request that the Authorization Server is being requested to use for
@ -180,6 +182,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
httpClient: httpClient,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups,
allowedGroups: c.AllowedGroups,
acrValues: c.AcrValues,
getUserInfo: c.GetUserInfo,
promptType: c.PromptType,
@ -207,6 +210,7 @@ type oidcConnector struct {
httpClient *http.Client
insecureSkipEmailVerified bool
insecureEnableGroups bool
allowedGroups []string
acrValues []string
getUserInfo bool
promptType string
@ -425,6 +429,18 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
}
}
}
// Validate that the user is part of allowedGroups
if len(c.allowedGroups) > 0 {
groupMatches := groups_pkg.Filter(groups, c.allowedGroups)
if len(groupMatches) == 0 {
// No group membership matches found, disallowing
return identity, fmt.Errorf("user not a member of allowed groups")
}
groups = groupMatches
}
}
cd := connectorData{
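Review bot: The new allowedGroups check (the block starting at `// Validate that the user is part of allowedGroups`) is fail-open when groups are not being collected: the trailing `}` right after it suggests it sits inside an enclosing conditional whose opening is outside the hunk — most likely the `insecureEnableGroups` branch — so an operator who sets `allowedGroups` without `insecureEnableGroups: true` gets no filtering and every authenticated user is admitted. Reject that configuration up front in `Open` rather than silently ignoring it, e.g. `if len(c.AllowedGroups) > 0 && !c.InsecureEnableGroups { return nil, fmt.Errorf("oidc: allowedGroups requires insecureEnableGroups to be enabled") }`, so a misconfiguration fails closed at startup. The new `AllowedGroups` field in `Config` also has no doc comment, unlike its neighbours; something like `// AllowedGroups, when non-empty, restricts login to users whose groups claim contains at least one listed group. Requires InsecureEnableGroups.` would make the dependency visible in the config reference. Whether `groups_pkg.Filter` matches exactly or case-insensitively is not visible here, and is worth stating in that comment since it decides how strict the allow-list is. createIdentity's body begins and ends outside this hunk.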
