DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Allow custom claim parser during OIDC login procedure for teams resolution #3908

Open otbe opened 3 months ago

otbe commented 3 months ago

Current Behavior

Right now we can configure ALPINE_OIDC_TEAMS_CLAIM and specify the claim that carries the group/team association of a person who logs in. This currently only works if this claim is a list of strings. Certain environments do not support this properly: for example, if you connect an Azure AD to AWS Cognito and then sign in via OIDC into Dependency-Track, the original AD groups are mapped to a claim like "custom:groups"; however, Cognito only supports strings there. That means we end up with ID token claims like this:

{
  "cognito:groups": ["cognitoCreatedGroupForAllUsers"],
  "custom:groups": "[uuid1, uuid2, uuid3]"
}

I would like to be able to make use of our "custom:groups" claim to map it to DT teams at the end.

Proposed Behavior

I can imagine two ways of solving this.

  1. Create a way to allow users to inject custom claim parsers. If this were a regular Java library, one could create an interface and let people register custom parsers for arbitrary fields. I have a hard time imagining how this could be achieved in the current Docker-based distribution.

  2. Create a special "relaxedGroupClaimParser" flag. This could be implemented in a way that

    • if it's a list of strings, then continue as before
    • if it's a string, then trim it, remove [], split it by ",", and trim the resulting list (stuff like this)

nscuro commented 3 months ago

Create a special "relaxedGroupClaimParser" flag.

We could introduce a strategy flag for this, such that users can switch between different strategies, and we can add more over time if required, without having to add new boolean flags for all of them.

I do agree that custom parsers that are to be provided via custom JARs are unnecessary and too unwieldy here.
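One way the relaxed parsing from the proposal and the strategy flag from the reply could fit together, as an added illustration rather than code from Alpine or Dependency-Track; the class, the enum and the ALPINE_OIDC_TEAMS_CLAIM_STRATEGY setting name are assumptions:

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical strategy-based parser for the OIDC teams claim; not Alpine's code.
public final class TeamsClaimParser {

    // Strategy chosen by a hypothetical config flag, e.g. ALPINE_OIDC_TEAMS_CLAIM_STRATEGY.
    public enum Strategy { STRICT, RELAXED }

    public static List<String> parse(Object claimValue, Strategy strategy) {
        if (claimValue == null) return Collections.emptyList();
        // Case 1: a JSON array of strings, the only shape accepted today.
        if (claimValue instanceof List<?> list) {
            List<String> groups = new ArrayList<>();
            for (Object item : list) {
                // Reject non-string elements instead of stringifying them, so an
                // unexpected token shape cannot silently map to a team.
                if (!(item instanceof String s)) {
                    throw new IllegalArgumentException("teams claim array contains a non-string element");
                }
                if (!s.isBlank()) groups.add(s.trim());
            }
            return groups;
        }
        // Case 2 (RELAXED only): a single string such as "[uuid1, uuid2, uuid3]",
        // which is what Cognito emits for a custom attribute.
        if (strategy == Strategy.RELAXED && claimValue instanceof String raw) {
            String body = raw.trim();
            if (body.startsWith("[") && body.endsWith("]")) {
                body = body.substring(1, body.length() - 1);
            }
            List<String> groups = new ArrayList<>();
            for (String part : body.split(",")) {
                String g = part.trim();
                // Tolerate quoted elements like "\"uuid1\"" as well.
                if (g.length() >= 2 && g.startsWith("\"") && g.endsWith("\"")) {
                    g = g.substring(1, g.length() - 1).trim();
                }
                if (!g.isEmpty()) groups.add(g);
            }
            return groups;
        }
        // STRICT keeps the current behaviour: anything but an array is an error.
        throw new IllegalArgumentException("teams claim is not an array of strings");
    }
}
```

With STRICT selected, a string-valued claim is rejected exactly as today, so existing deployments see no change in which teams get resolved.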

nscuro commented 3 months ago

Note: the code that maps claims lives here in Alpine: https://github.com/stevespringett/Alpine/blob/05660dc52bbbd926133b84fac8295d386013c551/alpine-server/src/main/java/alpine/server/auth/OidcAuthenticationService.java#L128-L135