Open otbe opened 3 months ago
> Create a special "relaxedGroupClaimParser" flag.
We could introduce a strategy flag for this. Such that users can switch between different strategies, and we can add more over time if required, without having to add new boolean flags for all of them.
I do agree that custom parsers that are to be provided via custom JARs are unnecessary and too unwieldy here.
Note, the code that maps claims lives here in Alpine: https://github.com/stevespringett/Alpine/blob/05660dc52bbbd926133b84fac8295d386013c551/alpine-server/src/main/java/alpine/server/auth/OidcAuthenticationService.java#L128-L135
Current Behavior
Right now we can configure `ALPINE_OIDC_TEAMS_CLAIM` and specify the claim that carries the group/team association of a person that logs in. This currently only works if this claim is a list of strings. Certain environments do not support this properly; for example, if you connect an Azure AD to AWS Cognito and then sign in via OIDC into Dependency Track, the original AD groups are mapped to a claim like `custom:groups`, however Cognito only supports strings there. That means we end up with ID token claims like this

I would like to be able to make use of our `custom:groups` claim to map it to DT teams at the end.
Proposed Behavior
I can imagine two ways of solving this.

1. Create a way to allow users to inject custom claim parsers. If this were a regular Java library, one could create an interface and let people register custom parsers for arbitrary fields. I have a hard time imagining how this could be achieved in the current Docker-based distribution.
2. Create a special "relaxedGroupClaimParser" flag. This could be implemented in a way that
Checklist
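The sketch below is an added example, not Alpine or Dependency-Track code, of the "strategy flag" idea from the comment above: one setting selects how the teams claim is interpreted, with the current list-of-strings behaviour as the default and a relaxed strategy for the Cognito case from the issue. The setting name `ALPINE_OIDC_TEAMS_CLAIM_STRATEGY`, the class and method names, and the sample claim values are all assumptions; in particular the bracketed `[a, b]` string is my assumption about how a Cognito string attribute renders a list that was multi-valued upstream, since the issue's actual token excerpt is not reproduced on this page.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added example, not Alpine's code: a pluggable parser for the OIDC teams claim,
// selected by one strategy setting instead of one boolean flag per special case.
public final class TeamsClaimParser {

    // Hypothetical setting; Alpine only exposes ALPINE_OIDC_TEAMS_CLAIM today.
    static final String STRATEGY_ENV = "ALPINE_OIDC_TEAMS_CLAIM_STRATEGY";

    public enum Strategy {
        // Current behaviour: the claim must be a list of strings, anything else yields no teams.
        STRICT,
        // Additionally accept a single string that carries a list: a JSON array of strings,
        // an assumed Cognito-style "[a, b]" rendering, or a plain comma-separated list.
        RELAXED
    }

    private final Strategy strategy;

    public TeamsClaimParser(Strategy strategy) {
        this.strategy = strategy;
    }

    // Unknown values throw IllegalArgumentException on purpose: a typo in the setting
    // should fail startup rather than silently fall back to the more permissive mode.
    public static TeamsClaimParser fromEnvironment(Map<String, String> env) {
        String raw = env.getOrDefault(STRATEGY_ENV, "STRICT").trim().toUpperCase(Locale.ROOT);
        return new TeamsClaimParser(Strategy.valueOf(raw));
    }

    // claimValue is whatever the JWT library hands back for the configured claim name,
    // after the ID token's signature, issuer and audience have already been verified.
    public List<String> parse(Object claimValue) {
        if (claimValue == null) {
            return Collections.emptyList();
        }
        if (claimValue instanceof List<?>) {
            return stringsOnly((List<?>) claimValue);
        }
        if (strategy == Strategy.STRICT) {
            return Collections.emptyList(); // not a list: ignore, as today
        }
        if (claimValue instanceof String) {
            return parseString((String) claimValue);
        }
        return Collections.emptyList();
    }

    private static List<String> stringsOnly(List<?> values) {
        List<String> out = new ArrayList<>();
        for (Object v : values) {
            if (v instanceof String && !((String) v).isBlank()) {
                out.add(((String) v).trim());
            }
        }
        return out;
    }

    // Split only on commas: Azure AD group names may contain spaces, so whitespace is
    // not a separator. Nested or escaped quotes are out of scope for this sketch.
    private static List<String> parseString(String s) {
        String body = s.trim();
        if (body.startsWith("[") && body.endsWith("]")) {
            body = body.substring(1, body.length() - 1);
        }
        if (body.isBlank()) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        for (String part : body.split(",")) {
            String name = part.trim();
            if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\"")) {
                name = name.substring(1, name.length() - 1).trim();
            }
            if (!name.isBlank()) {
                out.add(name);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        TeamsClaimParser strict = new TeamsClaimParser(Strategy.STRICT);
        TeamsClaimParser relaxed = new TeamsClaimParser(Strategy.RELAXED);
        // Constructed sample claim values (not taken from the issue's token).
        Object listClaim = List.of("dt-admins", "dt-readers");
        String cognitoStyle = "[dt-admins, dt-readers]";
        String jsonStyle = "[\"dt-admins\",\"dt-readers\"]";
        System.out.println("strict/list    : " + strict.parse(listClaim));
        System.out.println("strict/string  : " + strict.parse(cognitoStyle));
        System.out.println("relaxed/string : " + relaxed.parse(cognitoStyle));
        System.out.println("relaxed/json   : " + relaxed.parse(jsonStyle));
    }
}
```

Two points matter here from a security standpoint. The parser runs only on claims from an already validated ID token, so the relaxed strategy does not widen who is trusted, only how a trusted issuer's claim is read; but it does widen what a misconfigured issuer can turn into a team name, which is why STRICT stays the default and team names are still matched exactly against Dependency-Track's configured teams afterwards. If the JSON-array case is needed in the real code base, parsing it with the JSON library already on Alpine's classpath is preferable to the hand-rolled quote stripping shown above.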