fix(handlers): include preferred_username claim in meta (#2829)
This includes the preferred_username claim in the meta. Also uses the consts for all the applicable claims and scopes.pull/2867/head
parent
100d598a0e
commit
ddbb21af90
@ -13,17 +13,17 @@ has_toc: false
## Currently Tested Applications
## Currently Tested Applications
| Application | Minimal Version | Notes |
| Application | Minimal Version | Notes |
| :------------: | :----------------------------: | :-----: |
|:----------------:|:------------------------------:|:-----------------------------------------------------------------------------------------------------------:|
| Gitea | `1.14.6` | |
| Gitea | `1.14.6` | |
| GitLab | `13.0.0` | |
| GitLab | `13.0.0` | |
| Grafana | `8.0.5` | |
| Grafana | `8.0.5` | |
| Hashicorp Vault| `1.8.1` | |
| Hashicorp Vault | `1.8.1` | |
| MinIO | `RELEASE.2021-11-09T03-21-45Z` | must set `MINIO_IDENTITY_OPENID_CLAIM_NAME: groups` in MinIO and set [MinIO policies] as groups in Authelia |
| MinIO | `RELEASE.2021-11-09T03-21-45Z` | must set `MINIO_IDENTITY_OPENID_CLAIM_NAME: groups` in MinIO and set [MinIO policies] as groups in Authelia |
| Nextcloud | `22.1.0` | Tested using the `nextcloud-oidc-login` app - [Link](https://github.com/pulsejet/nextcloud-oidc-login)|
| Nextcloud | `22.1.0` | Tested using the `nextcloud-oidc-login` app - [Link](https://github.com/pulsejet/nextcloud-oidc-login) |
| Wekan | `5.41` | |
| Wekan | `5.41` | |
| Portainer CE | `2.6.1` | Settings to use username as ID: set `Scopes` to `openid` and `User Identifier` to `sub` |
| Portainer CE | `2.6.1` | Settings to use username as ID: set `Scopes` to `openid` and `User Identifier` to `preferred_username` |
| Bookstack | `21.10` | |
| Bookstack | `21.10` | |
[MinIO policies]: https://docs.min.io/minio/baremetal/security/minio-identity-management/policy-based-access-control.html#minio-policy
[MinIO policies]: https://docs.min.io/minio/baremetal/security/minio-identity-management/policy-based-access-control.html#minio-policy
@ -33,13 +33,13 @@ If you do not find the application in the list below, you will need to search fo
`<DOMAIN>` needs to be substituted with the full URL on which the application runs on. If GitLab, as an example, was reachable under `https://gitlab.example.com`, `<DOMAIN>` would be exactly the same.
`<DOMAIN>` needs to be substituted with the full URL on which the application runs on. If GitLab, as an example, was reachable under `https://gitlab.example.com`, `<DOMAIN>` would be exactly the same.
| Application | Version | Callback URL | Notes |
| Application | Version | Callback URL | Notes |
| :-----------: | :-----------------------------------: | :------------------------------------------------------: |:-----:|
|:---------------:|:-------------------------------------:|:------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Gitea | `1.14.6` | `<DOMAIN>/user/oauth2/authelia/callback` |`ROOT_URL` in `[server]` section of `app.ini` must be configured correctly. Typically it is `<DOMAIN>/`. The string `authelia` in the callback url is the `Authentication Name` of the configured Authentication Source in Gitea (Authentication Type: OAuth2, OAuth2 Provider: OpenID Connect).
| Gitea | `1.14.6` | `<DOMAIN>/user/oauth2/authelia/callback` | `ROOT_URL` in `[server]` section of `app.ini` must be configured correctly. Typically it is `<DOMAIN>/`. The string `authelia` in the callback url is the `Authentication Name` of the configured Authentication Source in Gitea (Authentication Type: OAuth2, OAuth2 Provider: OpenID Connect). |
| GitLab | `14.0.1` | `<DOMAIN>/users/auth/openid_connect/callback` | |
| GitLab | `14.0.1` | `<DOMAIN>/users/auth/openid_connect/callback` | |
| Hasicorp Vault| `14.0.1` | `<DOMAIN>/oidc/callback` and `<DOMAIN>/ui/vault/auth/oidc/oidc/callback` | |
| Hasicorp Vault | `14.0.1` | `<DOMAIN>/oidc/callback` and `<DOMAIN>/ui/vault/auth/oidc/oidc/callback` | |
| MinIO | `RELEASE.2021-07-12T02-44-53Z` | `<DOMAIN>/oauth_callback` | |
| MinIO | `RELEASE.2021-07-12T02-44-53Z` | `<DOMAIN>/oauth_callback` | |
| Nextcloud | `22.1.0` + `nextcloud-oidc-login` app | `<DOMAIN>/apps/oidc_login/oidc` | |
| Nextcloud | `22.1.0` + `nextcloud-oidc-login` app | `<DOMAIN>/apps/oidc_login/oidc` | |
| Wekan | `5.41` | `<DOMAIN>/_oauth_oidc` | |
| Wekan | `5.41` | `<DOMAIN>/_oauth_oidc` | |
| Portainer CE | `2.6.1` | `<DOMAIN>` | |
| Portainer CE | `2.6.1` | `<DOMAIN>` | |
| Bookstack | `21.10` | `<DOMAIN>/oidc/callback` | |
| Bookstack | `21.10` | `<DOMAIN>/oidc/callback` | |
@ -114,7 +114,7 @@ for which stage will have each feature, and may evolve over time:
<td class="tbl-beta-stage">General Availability after previous stages are vetted for bug fixes</td>
<td class="tbl-beta-stage">General Availability after previous stages are vetted for bug fixes</td>
</tr>
</tr>
<tr>
<tr>
<td rowspan="4" class="tbl-header">misc</td>
<td rowspan="7" class="tbl-header">misc</td>
<td>List of other features that may be implemented</td>
<td>List of other features that may be implemented</td>
</tr>
</tr>
<tr>
<tr>
@ -126,6 +126,15 @@ for which stage will have each feature, and may evolve over time:
<tr>
<tr>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-session-1_0-17.html" target="_blank" rel="noopener noreferrer">OpenID Connect Session Management</a> <sup>2</sup></td>
<td class="tbl-beta-stage"><a href="https://openid.net/specs/openid-connect-session-1_0-17.html" target="_blank" rel="noopener noreferrer">OpenID Connect Session Management</a> <sup>2</sup></td>
</tr>
</tr>
<tr>
<td class="tbl-beta-stage">End-User Scope Grants <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">Client RBAC <sup>2</sup></td>
</tr>
<tr>
<td class="tbl-beta-stage">Preferred Username Claim (implemented in 4.33.2)</td>
</tr>
</tbody>
</tbody>
</table>
</table>
@ -133,6 +142,7 @@ for which stage will have each feature, and may evolve over time:
² _This individual feature has not been implemented as of yet_.
² _This individual feature has not been implemented as of yet_.
## Configuration
## Configuration
The following snippet provides a sample-configuration for the OIDC identity provider explaining each field in detail.
The following snippet provides a sample-configuration for the OIDC identity provider explaining each field in detail.
@ -51,11 +51,11 @@ func oidcWellKnown(ctx *middlewares.AutheliaCtx) {
"fragment",
"fragment",
},
},
ScopesSupported: []string{
ScopesSupported: []string{
"openid",
"offline_access",
"offline_access",
"profile",
oidc.ScopeOpenID,
"groups",
oidc.ScopeProfile,
"email",
oidc.ScopeGroups,
oidc.ScopeEmail,
},
},
ClaimsSupported: []string{
ClaimsSupported: []string{
"aud",
"aud",
@ -67,11 +67,12 @@ func oidcWellKnown(ctx *middlewares.AutheliaCtx) {
"sub",
"sub",
"auth_time",
"auth_time",
"nonce",
"nonce",
"email",
oidc.ClaimEmail,
"email_verified",
oidc.ClaimEmailVerified,
"alt_emails",
oidc.ClaimEmailAlts,
"groups",
oidc.ClaimGroups,
"name",
oidc.ClaimPreferredUsername,
oidc.ClaimDisplayName,
},
},
RequestURIParameterSupported: false,
RequestURIParameterSupported: false,
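Review bot: `"aud"`, `"sub"`, `"auth_time"` and `"nonce"` at the top of ClaimsSupported are still string literals while every claim below them now comes from an `oidc.Claim*` constant, so the list is only half migrated; if the `oidc` package declares constants for those (this hunk cannot show it) they should be switched as well, otherwise a one-line comment such as `// protocol-level claims; no oidc.Claim* constant exists for these` would stop the next reader from re-raising it, and the same applies to the literal `"offline_access"` left in ScopesSupported in the hunk above. Advertising `oidc.ClaimPreferredUsername` here is only honest if oidcGrantRequests actually emits it for the `profile` scope, which is not visible in this hunk. Because OpenID Connect Core §5.1 says relying parties must not rely on `preferred_username` being unique or stable, a comment next to it such as `// informational only; RPs must key on sub` would be worth adding, since the docs in this commit now steer at least one RP towards it as the user identifier. oidcWellKnown begins before and ends after this hunk.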
@ -51,7 +51,7 @@ func oidcGrantRequests(ar fosite.AuthorizeRequester, scopes, audiences []string,
if len(userSession.Emails) != 0 {
if len(userSession.Emails) != 0 {
extraClaims[oidc.ClaimEmail] = userSession.Emails[0]
extraClaims[oidc.ClaimEmail] = userSession.Emails[0]
if len(userSession.Emails) > 1 {
if len(userSession.Emails) > 1 {
extraClaims[oidc.ClaimAltEmails] = userSession.Emails[1:]
extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]
}
}
// TODO (james-d-elliott): actually verify emails and record that information.
// TODO (james-d-elliott): actually verify emails and record that information.
extraClaims[oidc.ClaimEmailVerified] = true
extraClaims[oidc.ClaimEmailVerified] = true
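Review bot: `extraClaims[oidc.ClaimEmailVerified] = true` on the last line of this hunk is asserted unconditionally while the TODO directly above it admits no verification is performed; since the `email` claim is simply `userSession.Emails[0]` taken from the backend, any relying party that auto-links accounts on `email_verified` is trusting address data Authelia has not checked. This predates the commit (the line is context here), but touching the neighbouring claim is the right moment to at least record the assumption, e.g. `// NOTE: email_verified is asserted unconditionally; RPs that auto-link on it trust the backend's email data (see TODO above)`, or to gate the claim on a real verified flag once one is stored. The remaining addresses `userSession.Emails[1:]` now go out under `oidc.ClaimEmailAlts`, a non-standard claim name, which is consistent with the discovery hunk advertising the same constant. oidcGrantRequests starts before this hunk and continues after it.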
@ -79,9 +79,9 @@ func TestShouldGrantAppropriateClaimsForScopeOpenIDAndEmail(t *testing.T) {
require.Contains(t, extraClaims, oidc.ClaimEmail)
require.Contains(t, extraClaims, oidc.ClaimEmail)
assert.Equal(t, "j.smith@authelia.com", extraClaims[oidc.ClaimEmail])
assert.Equal(t, "j.smith@authelia.com", extraClaims[oidc.ClaimEmail])
require.Contains(t, extraClaims, oidc.ClaimAltEmails)
require.Contains(t, extraClaims, oidc.ClaimEmailAlts)
assert.Len(t, extraClaims[oidc.ClaimAltEmails], 1)
assert.Len(t, extraClaims[oidc.ClaimEmailAlts], 1)
assert.Contains(t, extraClaims[oidc.ClaimAltEmails], "admin@authelia.com")
assert.Contains(t, extraClaims[oidc.ClaimEmailAlts], "admin@authelia.com")
require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])
assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])
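Review bot: The assertions in this hunk only follow the `ClaimAltEmails` → `ClaimEmailAlts` rename; nothing visible here pins the `preferred_username` claim that is the headline of this commit, and this test is scoped to `openid` + `email`, so unless a sibling test for the `profile` scope checks it the new claim ships untested. A `require.Contains(t, extraClaims, oidc.ClaimPreferredUsername)` paired with an `assert.Equal` against the fixture's username in the profile-scope test would cover it; I cannot see the rest of the file, so such a test may already exist. TestShouldGrantAppropriateClaimsForScopeOpenIDAndEmail starts before this hunk.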
@ -15,5 +15,5 @@ const (
ClaimPreferredUsername = "preferred_username"
ClaimPreferredUsername = "preferred_username"
ClaimEmail = "email"
ClaimEmail = "email"
ClaimEmailVerified = "email_verified"
ClaimEmailVerified = "email_verified"
ClaimAltEmails = "alt_emails"
ClaimEmailAlts = "alt_emails"
)
)