Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

set ngx.ctx.authenticated_groups if groups claim is present #132

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

knackaron
Copy link

This inspects the token retrieved from the OIDC provider, checks if the groups claim is present, and then sets the appropriate variable in the NGINX context so that other Kong plugins, such as the bundled ACL plugin can make authorization decisions based on the user's group vector.

This is following up on @Trojan295's ask for adding more information to the context (#15 (comment)).

enables the use of Kong authorization plugins, such as the bundled
"acl plugin

Signed-off-by: Aron Parsons <aron@knackworks.com>
@Logunov
Copy link

Logunov commented Mar 6, 2020

s/ngx.ctx.authenticated_groups/kong.ctx.shared.authenticated_groups/g

@RaVbaker
Copy link

Any chance @phirvone to get this merged?

Copy link

@RaVbaker RaVbaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

proposed missing setup for the authenticated_groups value setting. As this is the actual place from which the ACL is taking the value out

https://github.com/Kong/kong/blob/8ee57d885756322bc89e31fa997132d74491beee/kong/plugins/acl/groups.lua#L139

@@ -45,6 +45,10 @@ ngx.ctx.authenticated_consumer = {
}
```

The plugin will try to retrieve the user's groups from a field in the token (default `groups`)
and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions
and set `kong.ctx.shared.authenticated_groups` so that Kong authorization plugins can make decisions

@@ -85,6 +86,12 @@ function M.injectUser(user)
ngx.req.set_header("X-Userinfo", ngx.encode_base64(userinfo))
end

function M.injectGroups(user, claim)
if user[claim] ~= nil then
ngx.ctx.authenticated_groups = user[claim]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ngx.ctx.authenticated_groups = user[claim]
kong.ctx.shared.authenticated_groups = user[claim]

RaVbaker referenced this pull request in revomatico/kong-oidc Apr 24, 2020
@cristichiru
Copy link

Implemented in my fork, Revomatico/kong-oidc.

I do not have this use case, so please test it and let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants