Support For When Single Role is a String from OIDC Token #75

k----n opened this issue Jan 2, 2023 · 1 comment

k----n commented Jan 2, 2023

We are using an OIDC authentication provider that is a non-array string with a single role.

Is this something that the project would be open to having as a change?

Happy to submit a PR that will modify the following:

  1. The function below

    public static List<String> parseRolesClaim(Logger log, String rolesClaimName, Object claimValue) {
        if (claimValue == null) {
            log.debug(String.format("No roles claim with name %s found", rolesClaimName));
            return new ArrayList<>();
        } else {
            log.debug(String.format("Matching claim found: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
        }
        if (claimValue instanceof Collection) {
            List<String> result = new ArrayList<>();
            for (Object object : ((Collection<?>) claimValue)) {
                if (object != null) {
                    result.add(object.toString());
                }
            }
            log.debug(String.format("Parsed roles claim as Java Collection: %s -> %s (%s)", rolesClaimName, result, result.getClass()));
            return result;
        }
        if (claimValue instanceof String) {
            List<String> result = new ArrayList<>();
            try {
                Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse((String) claimValue);
                if (value instanceof List) {
                    List<?> valueList = (List<?>) value;
                    valueList.forEach(o -> result.add(o.toString()));
                }
            } catch (ParseException e) {
                // Unable to parse JSON
                log.debug(String.format("Unable to parse claim as JSON: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
            }
            log.debug(String.format("Parsed roles claim as JSON: %s -> %s (%s)", rolesClaimName, result, result.getClass()));
            return result;
        }
        log.debug(String.format("No parser found for roles claim (unsupported type): %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
        return new ArrayList<>();
    }

  2. The tests below
    https://github.com/openanalytics/containerproxy/blob/5f0fa2d98d0e0014a1190f85755634a4845ee834/src/test/java/eu/openanalytics/containerproxy/test/unit/TestOpenIdParseClaimRoles.java

LEDfan (Member) commented Mar 6, 2023

Hi

I'm not sure if it would be a good idea to add this. The parsing code is already relatively complex (e.g. to support non-standard JSON). Although the change would be quite easy indeed.

Nevertheless, in the meantime you can use the access-expression feature instead: https://shinyproxy.io/documentation/spel/#access-expression

For example:

    access-expression: "#{oidcUser.attributes.test_role == 'my_value'}"

I'll keep this issue open as a feature request so that we can consider it for the next release.

LEDfan added the enhancement label Mar 6, 2023
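The single-string fallback requested in this issue could look like the following. This is an added example, not containerproxy code and not a patch from the reporter or the maintainers; the class name `SingleRoleClaimExample`, the helper `nonNullStrings` and the fail-closed handling of malformed JSON are assumptions, and it relies on the same json-smart `JSONParser` as the function quoted in the issue.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

// Added illustration; class name, helper and fallback policy are assumptions.
public class SingleRoleClaimExample {
    public static List<String> parseRolesClaim(Object claimValue) {
        if (claimValue instanceof Collection) {
            return nonNullStrings((Collection<?>) claimValue);
        }
        if (!(claimValue instanceof String) || ((String) claimValue).trim().isEmpty()) {
            return new ArrayList<>(); // null, unsupported type or blank: no roles
        }
        String raw = ((String) claimValue).trim();
        if (raw.startsWith("[") || raw.startsWith("{")) {
            // Looks like structured JSON: accept only something that parses as an array.
            try {
                Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse(raw);
                if (value instanceof List) {
                    return nonNullStrings((List<?>) value);
                }
            } catch (ParseException e) {
                // Fail closed: unparseable JSON never becomes a role name.
            }
            return new ArrayList<>();
        }
        // Plain scalar: exactly one role, never split on commas or spaces.
        List<String> single = new ArrayList<>();
        single.add(raw);
        return single;
    }

    private static List<String> nonNullStrings(Collection<?> values) {
        List<String> out = new ArrayList<>();
        for (Object o : values) {
            if (o != null) out.add(o.toString());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample claim values.
        for (String claim : new String[] {"admin", "[\"admin\",\"dev\"]", "admin,dev", " "}) {
            System.out.println(claim + " -> " + parseRolesClaim(claim));
        }
    }
}
```

Treating the scalar as exactly one role keeps the mapping from token to granted roles unambiguous: an identity provider that emits `admin,dev` yields a single role with that literal name rather than two separate grants.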