Merge pull request #867 from luytena/oidc-user-claims
feat(auth): make OIDC_USERNAME_CLAIM configurable
winged authored Oct 11, 2024
2 parents 4264f66 + be82b1e commit e5ac62b
Showing 3 changed files with 3 additions and 1 deletion.
1 change: 1 addition & 0 deletions CONFIGURATION.md
Expand Up @@ -54,6 +54,7 @@ supporting Open ID Connect. If not available, you might consider using
- `OIDC_USERINFO_ENDPOINT`: Url of userinfo endpoint as [described](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
- `OIDC_VERIFY_SSL`: Verify ssl certificate of oidc userinfo endpoint (default: True)
- `OIDC_GROUPS_CLAIM`: Name of claim to be used to define group membership (default: document_merge_service_groups)
- `OIDC_USERNAME_CLAIM`: Name of claim to be used to define user (default: sub)
- `OIDC_BEARER_TOKEN_REVALIDATION_TIME`: Time in seconds before bearer token validity is verified again. For best security token is validated on each request per default. It might be helpful though in case of slow Open ID Connect provider to cache it. It uses [cache](#cache) mechanism for memorizing userinfo result. Number has to be lower than access token expiration time. (default: 0)

## Permissions / Visibilities
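Review bot: the new `OIDC_USERNAME_CLAIM` entry should document the security constraint on the chosen claim, not only its name and default. `sub` is the only claim OpenID Connect guarantees to be locally unique and never reassigned within an issuer; other commonly chosen claims (`email`, `preferred_username`) can be changed by the user, reused for a different person, or be absent from the userinfo response unless the matching scope was requested, so picking one of them makes the username, and with it the identity this service acts on, only as stable as the provider's handling of that claim. Suggest adding a sentence such as: "Only use a claim that your provider guarantees to be unique and stable per user; `sub` is the safe default." and noting that the claim must be returned by the userinfo endpoint configured in `OIDC_USERINFO_ENDPOINT`.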
2 changes: 1 addition & 1 deletion document_merge_service/api/authentication.py
Expand Up @@ -28,7 +28,7 @@ def __str__(self):

class AuthenticatedUser(AnonymousUser):
def __init__(self, userinfo):
self.username = userinfo["sub"]
self.username = userinfo[settings.OIDC_USERNAME_CLAIM]
groups = []
if settings.OIDC_GROUPS_CLAIM:
groups = userinfo[settings.OIDC_GROUPS_CLAIM]
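Review bot: `self.username = userinfo[settings.OIDC_USERNAME_CLAIM]` raises a bare `KeyError` when the configured claim is missing from the userinfo response (claim not issued by the provider, or only present in the ID token), which turns a configuration mismatch into an unhandled server error on every request instead of a clear authentication failure. Suggest reading it with `userinfo.get(settings.OIDC_USERNAME_CLAIM)` and raising the authentication backend's error with a message naming the missing claim when the value is `None` or empty, so the failure is logged as an auth failure and the user is never constructed with a blank username. The same consideration applies to the adjacent `userinfo[settings.OIDC_GROUPS_CLAIM]` lookup, though that line is outside this change.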
1 change: 1 addition & 0 deletions document_merge_service/settings.py
Expand Up @@ -209,6 +209,7 @@ def parse_admins(admins):
OIDC_USERINFO_ENDPOINT = env.str("OIDC_USERINFO_ENDPOINT", default=None)
OIDC_VERIFY_SSL = env.bool("OIDC_VERIFY_SSL", default=True)
OIDC_GROUPS_CLAIM = env.str("OIDC_GROUPS_CLAIM", default="")
OIDC_USERNAME_CLAIM = env.str("OIDC_USERNAME_CLAIM", default="sub")
OIDC_BEARER_TOKEN_REVALIDATION_TIME = env.int(
"OIDC_BEARER_TOKEN_REVALIDATION_TIME", default=0
)
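Review bot: `env.str("OIDC_USERNAME_CLAIM", default="sub")` accepts an empty string, and unlike `OIDC_GROUPS_CLAIM`, where an empty value means "no group claim" and is guarded by `if settings.OIDC_GROUPS_CLAIM` in `authentication.py`, an empty username claim has no meaningful interpretation and would only surface as a failed lookup on first login. Suggest validating at settings load time that the value is non-empty (e.g. raising `ImproperlyConfigured` with the variable name) so a misconfigured deployment fails at startup rather than in the request path.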