set ngx.ctx.authenticated_groups if groups claim is present #132
base: master
enables the use of Kong authorization plugins, such as the bundled "acl" plugin

Signed-off-by: Aron Parsons <aron@knackworks.com>
Any chance @phirvone to get this merged?
Proposed missing setup for the `authenticated_groups` value setting, as this is the actual place from which the ACL is taking the value out.
@@ -45,6 +45,10 @@ ngx.ctx.authenticated_consumer = { | |||
} | |||
``` | |||
|
|||
The plugin will try to retrieve the user's groups from a field in the token (default `groups`) | |||
and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions |
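Review bot: the new README paragraph names the context variable but not the configuration option behind "(default `groups`)" or the value shape the claim is expected to carry (a list of group names); document both here so operators know what to configure on the provider side, and if the suggestion in this thread to use `kong.ctx.shared.authenticated_groups` instead of `ngx.ctx.authenticated_groups` is adopted in the code, update this line to match.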
and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions | |
and set `kong.ctx.shared.authenticated_groups` so that Kong authorization plugins can make decisions |
@@ -85,6 +86,12 @@ function M.injectUser(user) | |||
ngx.req.set_header("X-Userinfo", ngx.encode_base64(userinfo)) | |||
end | |||
|
|||
function M.injectGroups(user, claim) | |||
if user[claim] ~= nil then | |||
ngx.ctx.authenticated_groups = user[claim] |
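Review bot: `M.injectGroups` assigns `user[claim]` to the context without checking its type, so a provider that issues the claim as a single string or a delimited string rather than an array puts an unexpected value where the ACL plugin expects a list of groups; suggest validating with `type(user[claim]) == "table"` (or normalising a string into a one-element table) before the assignment, and keep the variable name in step with the review suggestion to use `kong.ctx.shared.authenticated_groups`.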
ngx.ctx.authenticated_groups = user[claim] | |
kong.ctx.shared.authenticated_groups = user[claim] |
Implemented in my fork, Revomatico/kong-oidc. I do not have this use case, so please test it and let me know.
This inspects the token retrieved from the OIDC provider, checks if the `groups` claim is present, and then sets the appropriate variable in the NGINX context so that other Kong plugins, such as the bundled ACL plugin, can make authorization decisions based on the user's group vector. This is following up on @Trojan295's ask for adding more information to the context (#15 (comment)).
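As an added example (not code from this PR or from kong-oidc), the stand-alone Lua script below mimics what the description above says the change does and shows how an ACL-style consumer reads the result; the `ngx`/`kong` stubs, the claim normalisation, the `allowed` check and the constructed claim sets are assumptions of mine so it runs under plain `lua`.

```lua
local ngx  = { ctx = {} }                -- stub for the NGINX request context
local kong = { ctx = { shared = {} } }   -- stub for the Kong PDK shared context
-- Normalise the claim to an array of strings. Accepting a bare or
-- delimited string is an assumption; the PR assigns the value as-is.
local function normalise_groups(value)
  if type(value) == "table" then
    local out = {}
    for _, g in ipairs(value) do
      if type(g) ~= "string" then return nil end
      out[#out + 1] = g
    end
    return out
  elseif type(value) == "string" then
    local out = {}
    for g in value:gmatch("[^%s,]+") do out[#out + 1] = g end
    return out
  end
  return nil
end
-- Counterpart of the PR's M.injectGroups; writes both context locations
-- discussed in the review thread. Returns whether groups were set.
local function injectGroups(user, claim)
  local groups = normalise_groups(user[claim])
  if groups == nil then return false end
  ngx.ctx.authenticated_groups = groups
  kong.ctx.shared.authenticated_groups = groups
  return true
end
-- Minimal allow-list check in the spirit of the bundled ACL plugin
-- (an assumption; the real plugin also supports deny lists).
local function allowed(allow_list)
  local groups = kong.ctx.shared.authenticated_groups
  if groups == nil then return false end
  local wanted = {}
  for _, g in ipairs(allow_list) do wanted[g] = true end
  for _, g in ipairs(groups) do
    if wanted[g] then return true end
  end
  return false
end
-- Constructed claim sets standing in for decoded tokens; not real data.
local user_array  = { sub = "alice", groups = { "admins", "devs" } }
local user_string = { sub = "bob",   groups = "devs ops" }
local user_none   = { sub = "carol" }
assert(injectGroups(user_array, "groups") and allowed({ "admins" }))
assert(injectGroups(user_string, "groups") and not allowed({ "admins" }))
kong.ctx.shared.authenticated_groups = nil   -- simulate a fresh request
assert(not injectGroups(user_none, "groups") and not allowed({ "admins" }))
print("group injection and ACL check behave as expected")
```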