forked from mystiq/dex
Merge pull request #2371 from seuf/authproxy-groups-configuration
Allow configuration of returned groups via authproxy connector
This commit is contained in:
commit
5f9abc5be8
2 changed files with 24 additions and 9 deletions
|
@ -75,7 +75,7 @@ Dex implements the following connectors:
|
||||||
| [Google](https://dexidp.io/docs/connectors/google/) | yes | yes | yes | alpha | |
|
| [Google](https://dexidp.io/docs/connectors/google/) | yes | yes | yes | alpha | |
|
||||||
| [LinkedIn](https://dexidp.io/docs/connectors/linkedin/) | yes | no | no | beta | |
|
| [LinkedIn](https://dexidp.io/docs/connectors/linkedin/) | yes | no | no | beta | |
|
||||||
| [Microsoft](https://dexidp.io/docs/connectors/microsoft/) | yes | yes | no | beta | |
|
| [Microsoft](https://dexidp.io/docs/connectors/microsoft/) | yes | yes | no | beta | |
|
||||||
| [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | no | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
|
| [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | yes | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
|
||||||
| [Bitbucket Cloud](https://dexidp.io/docs/connectors/bitbucketcloud/) | yes | yes | no | alpha | |
|
| [Bitbucket Cloud](https://dexidp.io/docs/connectors/bitbucketcloud/) | yes | yes | no | alpha | |
|
||||||
| [OpenShift](https://dexidp.io/docs/connectors/openshift/) | no | yes | no | alpha | |
|
| [OpenShift](https://dexidp.io/docs/connectors/openshift/) | no | yes | no | alpha | |
|
||||||
| [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config |
|
| [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config |
|
||||||
|
|
|
@ -13,9 +13,14 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
// Config holds the configuration parameters for a connector which returns an
|
// Config holds the configuration parameters for a connector which returns an
|
||||||
// identity with the HTTP header X-Remote-User as verified email.
|
// identity with the HTTP header X-Remote-User as verified email,
|
||||||
|
// X-Remote-Group and configured staticGroups as user's group.
|
||||||
|
// Headers retrieved to fetch user's email and group can be configured
|
||||||
|
// with userHeader and groupHeader.
|
||||||
type Config struct {
|
type Config struct {
|
||||||
UserHeader string `json:"userHeader"`
|
UserHeader string `json:"userHeader"`
|
||||||
|
GroupHeader string `json:"groupHeader"`
|
||||||
|
Groups []string `json:"staticGroups"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Open returns an authentication strategy which requires no user interaction.
|
// Open returns an authentication strategy which requires no user interaction.
|
||||||
|
@ -24,14 +29,20 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
|
||||||
if userHeader == "" {
|
if userHeader == "" {
|
||||||
userHeader = "X-Remote-User"
|
userHeader = "X-Remote-User"
|
||||||
}
|
}
|
||||||
|
groupHeader := c.GroupHeader
|
||||||
|
if groupHeader == "" {
|
||||||
|
groupHeader = "X-Remote-Group"
|
||||||
|
}
|
||||||
|
|
||||||
return &callback{userHeader: userHeader, logger: logger, pathSuffix: "/" + id}, nil
|
return &callback{userHeader: userHeader, groupHeader: groupHeader, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Callback is a connector which returns an identity with the HTTP header
|
// Callback is a connector which returns an identity with the HTTP header
|
||||||
// X-Remote-User as verified email.
|
// X-Remote-User as verified email.
|
||||||
type callback struct {
|
type callback struct {
|
||||||
userHeader string
|
userHeader string
|
||||||
|
groupHeader string
|
||||||
|
groups []string
|
||||||
logger log.Logger
|
logger log.Logger
|
||||||
pathSuffix string
|
pathSuffix string
|
||||||
}
|
}
|
||||||
|
@ -55,11 +66,15 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
|
||||||
if remoteUser == "" {
|
if remoteUser == "" {
|
||||||
return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
|
return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
|
||||||
}
|
}
|
||||||
// TODO: add support for X-Remote-Group, see
|
groups := m.groups
|
||||||
// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
|
headerGroup := r.Header.Get(m.groupHeader)
|
||||||
|
if headerGroup != "" {
|
||||||
|
groups = append(groups, headerGroup)
|
||||||
|
}
|
||||||
return connector.Identity{
|
return connector.Identity{
|
||||||
UserID: remoteUser, // TODO: figure out if this is a bad ID value.
|
UserID: remoteUser, // TODO: figure out if this is a bad ID value.
|
||||||
Email: remoteUser,
|
Email: remoteUser,
|
||||||
EmailVerified: true,
|
EmailVerified: true,
|
||||||
|
Groups: groups,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue