Closed AndreasA closed 3 days ago
Hi Andreas,
We have already planned to implement ways to fine-tune the role assignment, to allow assigning roles or granting access on the basis of the access token or another request using the access token. That way, you would be able to deny access or assign different roles based on the groups the user is assigned to in your IdP. However, this will be a feature we implement after the 6.5 update, which will include some refactoring and cleanup.
If you need it right now, you could decorate Heptacom\AdminOpenAuth\Component\Provider\OpenIdConnectClient::getUser.
We just released the first beta for the dynamic role assignment (6.0.0-beta.1). For now we only support this feature using SAML2. For 6.1.0 we plan to implement this also for OIDC-based providers. However, feel free to create a PR for this. The feature itself is implemented and only needs extension for OIDC.
We rescheduled a bit and were already able to provide rules that are based on an authorized GET request to an endpoint of your choice. For Azure this has already been implemented as an out-of-the-box rule. For Google you could either use the existing "authorized request rule" or create your own. Of course we would be happy if you'd share this as a PR, in case you add a rule for Google Cloud.
Thanks for the feedback. Currently I have no time to try out the new version and these rules etc. but I will try to make some time for it sometime next year 😄
We just released 6.0.0, so the mentioned features are now in a stable version.
@silviokennecke Sorry for the delayed response, just wondering, do you know which Google API would be best utilized for this currently in combination with the SSO Login provider?
Plugin Version
4.2.1
PHP Version
8.1
Shopware Version
6.4.18.1
Installation method
Composer
Identity provider
Google Cloud
What happened?
OAuth2 provider in Google Cloud is very limited regarding restricting which users have access (see also https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth/issues/10)
From what I can gather, it would, however, be possible to check if a user is assigned to a certain group and use that as an additional indicator. However, it is not completely default behavior regarding login, so it should probably only be done if everything else works. See also: https://stackoverflow.com/questions/11610344/getting-all-groups-an-user-is-a-member-of-through-oauth-google
Relevant log output
No response
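The group check discussed in this issue, as an added illustration that is not code from the HEPTACOM plugin or its "authorized request rule": an authorized GET is made with the user's access token, the JSON answer is read in the shape of the Google Admin SDK Directory API groups.list response (`{"groups":[{"email":"..."}, ...]}`), and group e-mails are mapped to Shopware role names. The endpoint URL, the group-to-role map, the sample payload and the class and function names are assumptions made for this example. The important property for a login gate is that every failure path (request error, non-200 status, malformed JSON, missing `groups` key, no matching group) yields a denial rather than a default role, so an IdP outage or a missing API scope can never widen access.

```php
<?php
// Added example, not the plugin's own code. Assumed: the IdP answers an
// authorized GET with a Directory-API-style body {"groups":[{"email":...}]}.
declare(strict_types=1);

/**
 * Perform the "authorized GET request" with the user's access token.
 * Returns the response body on HTTP 200, null on any transport or status
 * error. $endpoint and the token are caller-supplied (assumed values).
 */
function fetchGroups(string $endpoint, string $accessToken): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'header'        => "Authorization: Bearer {$accessToken}\r\nAccept: application/json\r\n",
        'ignore_errors' => true, // we inspect the status line ourselves
        'timeout'       => 5,
    ]]);
    $body = @file_get_contents($endpoint, false, $ctx);
    // $http_response_header is populated in this scope by the http wrapper.
    if ($body === false || !isset($http_response_header[0])
        || !str_contains($http_response_header[0], ' 200')) {
        return null; // fail closed on network errors and non-200 answers
    }
    return $body;
}

final class GroupRoleRule
{
    /** @param array<string, list<string>> $groupToRoles group e-mail => role names (constructed map) */
    public function __construct(private array $groupToRoles) {}

    /**
     * Returns the list of roles to assign, or null when login must be denied.
     * Null is returned for a missing body, invalid JSON, a missing/invalid
     * "groups" key, or when no group maps to a role.
     */
    public function evaluate(?string $jsonBody): ?array
    {
        if ($jsonBody === null) {
            return null;
        }
        try {
            $data = json_decode($jsonBody, true, 512, JSON_THROW_ON_ERROR);
        } catch (JsonException) {
            return null;
        }
        if (!is_array($data['groups'] ?? null)) {
            return null;
        }
        $roles = [];
        foreach ($data['groups'] as $group) {
            // Normalise case so "Shop-Admins@Example.com" matches the map key.
            $email = strtolower((string) ($group['email'] ?? ''));
            foreach ($this->groupToRoles[$email] ?? [] as $role) {
                $roles[$role] = true; // de-duplicate roles across groups
            }
        }
        return $roles === [] ? null : array_keys($roles);
    }
}

// Constructed sample payload standing in for the live response.
$sample = '{"kind":"admin#directory#groups","groups":['
        . '{"email":"shop-admins@example.com","name":"Shop admins"},'
        . '{"email":"everyone@example.com","name":"All staff"}]}';

$rule = new GroupRoleRule([
    'shop-admins@example.com'  => ['admin'],
    'shop-editors@example.com' => ['editor'],
]);

var_dump($rule->evaluate($sample));          // member of a mapped group
var_dump($rule->evaluate('{"groups":[]}'));  // no groups: denied
var_dump($rule->evaluate('not json'));       // malformed body: denied
var_dump($rule->evaluate(null));             // request failed: denied

// Live use would be:
// $rule->evaluate(fetchGroups('https://admin.googleapis.com/admin/directory/v1/groups?userKey=' . rawurlencode($userEmail), $accessToken));
```

Querying the Directory API for another user's groups requires an admin-consented scope on the OAuth client, which is the limitation the linked Stack Overflow thread describes; the rule above is only as good as the scope the token actually carries, which is exactly why it denies when the endpoint answers with anything other than a well-formed 200.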