From 0981ec30c3d5218939d44fc2f40725b0b4a03684 Mon Sep 17 00:00:00 2001 From: zeripath Date: Tue, 14 Dec 2021 08:37:11 +0000 Subject: Add Option to synchronize Admin & Restricted states from OIDC/OAuth2 along with Setting Scopes (#16766) * Add setting to OAuth handlers to override local 2FA settings This PR adds a setting to OAuth and OpenID login sources to allow the source to override local 2FA requirements. Fix #13939 Signed-off-by: Andrew Thornton * Fix regression from #16544 Signed-off-by: Andrew Thornton * Add scopes settings Signed-off-by: Andrew Thornton * fix trace logging in auth_openid Signed-off-by: Andrew Thornton * add required claim options Signed-off-by: Andrew Thornton * Move UpdateExternalUser to externalaccount Signed-off-by: Andrew Thornton * Allow OAuth2/OIDC to set Admin/Restricted status Signed-off-by: Andrew Thornton * Allow use of the same group claim name for the prohibit login value Signed-off-by: Andrew Thornton * fixup! Move UpdateExternalUser to externalaccount * as per wxiaoguang Signed-off-by: Andrew Thornton * add label back in Signed-off-by: Andrew Thornton * adjust localisation Signed-off-by: Andrew Thornton * placate lint Signed-off-by: Andrew Thornton Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao Co-authored-by: techknowlogick --- cmd/admin.go | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) (limited to 'cmd')
diff --git a/cmd/admin.go b/cmd/admin.go
index f36e9f5de7..65a0bfb7bf 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -299,6 +299,36 @@ var (
 Name: "skip-local-2fa",
 Usage: "Set to true to skip local 2fa for users authenticated by this source",
 },
+ cli.StringSliceFlag{
+ Name: "scopes",
+ Value: nil,
+ Usage: "Scopes to request when to authenticate against this OAuth2 source",
+ },
+ cli.StringFlag{
+ Name: "required-claim-name",
+ Value: "",
+ Usage: "Claim name that has to be set to allow users to login with this source",
+ },
+ cli.StringFlag{
+ Name: "required-claim-value",
+ Value: "",
+ Usage: "Claim value that has to be set to allow users to login with this source",
+ },
+ cli.StringFlag{
+ Name: "group-claim-name",
+ Value: "",
+ Usage: "Claim name providing group names for this source",
+ },
+ cli.StringFlag{
+ Name: "admin-group",
+ Value: "",
+ Usage: "Group Claim value for administrator users",
+ },
+ cli.StringFlag{
+ Name: "restricted-group",
+ Value: "",
+ Usage: "Group Claim value for restricted users",
+ },
 }
 microcmdAuthUpdateOauth = cli.Command{
@@ -649,6 +679,12 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 CustomURLMapping: customURLMapping,
 IconURL: c.String("icon-url"),
 SkipLocalTwoFA: c.Bool("skip-local-2fa"),
+ Scopes: c.StringSlice("scopes"),
+ RequiredClaimName: c.String("required-claim-name"),
+ RequiredClaimValue: c.String("required-claim-value"),
+ GroupClaimName: c.String("group-claim-name"),
+ AdminGroup: c.String("admin-group"),
+ RestrictedGroup: c.String("restricted-group"),
 }
 }
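Review bot: The `scopes` flag's usage string is ungrammatical and its `Value: nil` is just the field's zero value; suggest `Usage: "Scopes to request when authenticating against this OAuth2 source",` and dropping the `Value: nil` line. The `admin-group` and `restricted-group` usage strings also do not tell an operator that they presumably only take effect together with `group-claim-name`, which the flag names imply but this hunk cannot show; if so, `Usage: "Group Claim value for administrator users (only applied when --group-claim-name is set)",` and the matching text for `restricted-group` would make a silent misconfiguration less likely. The `var (` block these flags live in starts and ends outside the hunk.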
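Review bot: parseOAuth2Config copies the six new values into the Source without checking that they pair up: `required-claim-value` without `required-claim-name`, or `admin-group`/`restricted-group` without `group-claim-name`, produces a source on which the intended login restriction or privilege mapping presumably can never fire (the consuming code is outside this hunk), so an operator who sets only the value would believe login is restricted when it is not. Because the function returns only `*oauth2.Source`, the check belongs in its callers once the struct is built, and the same gap exists in the runUpdateOauth hunk below; e.g. `if (src.AdminGroup != "" || src.RestrictedGroup != "") && src.GroupClaimName == "" { return errors.New("admin-group and restricted-group require group-claim-name") }` plus the analogous check for the required-claim pair. Failing the command on an inconsistent pairing is the fail-closed choice for a setting that gates who may log in and who becomes an administrator. parseOAuth2Config starts outside the hunk.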
@@ -711,6 +747,28 @@ func runUpdateOauth(c *cli.Context) error {
 oAuth2Config.IconURL = c.String("icon-url")
 }
+ if c.IsSet("scopes") {
+ oAuth2Config.Scopes = c.StringSlice("scopes")
+ }
+
+ if c.IsSet("required-claim-name") {
+ oAuth2Config.RequiredClaimName = c.String("required-claim-name")
+
+ }
+ if c.IsSet("required-claim-value") {
+ oAuth2Config.RequiredClaimValue = c.String("required-claim-value")
+ }
+
+ if c.IsSet("group-claim-name") {
+ oAuth2Config.GroupClaimName = c.String("group-claim-name")
+ }
+ if c.IsSet("admin-group") {
+ oAuth2Config.AdminGroup = c.String("admin-group")
+ }
+ if c.IsSet("restricted-group") {
+ oAuth2Config.RestrictedGroup = c.String("restricted-group")
+ }
+
 // update custom URL mapping
 var customURLMapping = &oauth2.CustomURLMapping{}
-- cgit v1.2.3
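Review bot: The `required-claim-name` block in runUpdateOauth carries a stray blank line before its closing brace, and the six new blocks are separated inconsistently (a blank after `scopes`, none between `required-claim-name` and `required-claim-value`, none among the three group blocks); gofmt preserves both as written, so this will not be caught by formatting. Drop the stray line so that `oAuth2Config.RequiredClaimName = c.String("required-claim-name")` is followed directly by `}`, and either put a blank line between every block or between none. runUpdateOauth starts and ends outside the hunk.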