HEPTACOM / HeptacomShopwarePlatformAdminOpenAuth

Shopware plugin to allow open auth logins in the administration
https://www.heptacom.de/
Apache License 2.0

[Feature]: Google Cloud provider - option to use the member API to restrict access to users of a certain group #11

Closed AndreasA closed 3 days ago

AndreasA commented 1 year ago

Plugin Version

4.2.1

PHP Version

8.1

Shopware Version

6.4.18.1

Installation method

Composer

Identity provider

Google Cloud

What happened?

The OAuth2 provider in Google Cloud is very limited regarding restricting which users have access (see also https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth/issues/10).

From what I can gather, it would, however, be possible to check if a user is assigned to a certain group and use that as an additional indicator. However, it is not completely default behavior regarding login, so it should probably only be done if everything else works. See also: https://stackoverflow.com/questions/11610344/getting-all-groups-an-user-is-a-member-of-through-oauth-google

Relevant log output

No response

silviokennecke commented 1 year ago

Hi Andreas,

we have already planned to implement ways to fine-tune the role assignment, to allow assigning roles or granting access on the basis of the access token or another request using the access token. That way, you would be able to deny access or assign different roles based on the groups the user is assigned to in your IDP. However, this will be a feature we will implement after the 6.5 update, which will include some refactoring and cleanup.

If you need it right now, you could decorate Heptacom\AdminOpenAuth\Component\Provider\OpenIdConnectClient::getUser.
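As an added illustration of the decoration approach suggested above (this is not code from the plugin or from the commenter), the sketch below wraps the plugin's OIDC client so that a login only succeeds when the authenticated user belongs to an allow-listed Google group. The namespace `MyShop\AdminOpenAuth`, the `GroupMembershipChecker` interface, the exact `getUser()` signature and the `UserStruct` accessor are assumptions; mirror the real signature from the installed plugin version and wire the class as a Symfony service decorator of the plugin's `OpenIdConnectClient` service.

```php
<?php
declare(strict_types=1);

namespace MyShop\AdminOpenAuth; // hypothetical project-side namespace

use Heptacom\AdminOpenAuth\Component\Provider\OpenIdConnectClient;
use Heptacom\OpenAuth\Struct\UserStruct;          // assumed return type of getUser()
use Shopware\Core\Framework\Context;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

/**
 * Hypothetical lookup of the Google groups a signed-in user belongs to.
 * A real implementation would query the Google Admin SDK Directory API
 * (members endpoint) or the Cloud Identity groups API with service credentials.
 */
interface GroupMembershipChecker
{
    /** @return string[] e-mail addresses of the groups the user is a member of */
    public function groupsOf(string $email): array;
}

/**
 * Decorator around the plugin's OIDC client: after the normal OIDC login
 * resolves a user, additionally require membership in an allowed group.
 * Fails closed: any lookup error or empty group list rejects the login.
 */
final class GroupRestrictedOpenIdConnectClient
{
    /** @param string[] $allowedGroups constructed allow-list, e.g. ['shop-admins@example.com'] */
    public function __construct(
        private readonly OpenIdConnectClient $inner,
        private readonly GroupMembershipChecker $groups,
        private readonly array $allowedGroups,
    ) {
    }

    // Signature assumed; copy the real one from OpenIdConnectClient::getUser().
    public function getUser(string $state, Context $context): UserStruct
    {
        $user = $this->inner->getUser($state, $context);
        $email = $user->getPrimaryEmail(); // assumed accessor on UserStruct

        try {
            $memberOf = $this->groups->groupsOf($email);
        } catch (\Throwable $e) {
            // Do not fall back to "allow" when the membership service is unavailable.
            throw new AccessDeniedException('Group membership could not be verified.', $e);
        }

        if (!$this->isAllowed($memberOf)) {
            throw new AccessDeniedException('User is not a member of an allowed group.');
        }

        return $user;
    }

    /** @param string[] $memberOf */
    public function isAllowed(array $memberOf): bool
    {
        if ($this->allowedGroups === []) {
            return false; // empty allow-list means nobody gets in
        }
        $normalize = static fn (string $g): string => strtolower(trim($g));
        $allowed = array_map($normalize, $this->allowedGroups);
        foreach ($memberOf as $group) {
            if (in_array($normalize($group), $allowed, true)) {
                return true;
            }
        }
        return false;
    }
}
```

Because the allow-list is compared case-insensitively and an empty list or a failed lookup denies access, a misconfiguration surfaces as a rejected login rather than as an unintended open door; log the denial reason on the server side so that such cases are visible.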

silviokennecke commented 9 months ago

We just released the first beta for the dynamic role assignment (6.0.0-beta.1). For now we only support this feature using SAML2. For 6.1.0 we plan to implement this also for OIDC-based providers. However, feel free to create a PR for this. The feature itself is implemented and only needs extension for OIDC.

silviokennecke commented 9 months ago

We rescheduled a bit and were already able to provide rules that are based on an authorized GET request to an endpoint of your choice. For Azure this has already been implemented as an out-of-the-box rule. For Google you could either use the existing "authorized request rule" or create your own. Of course we would be happy if you'd share this as a PR, in case you add a rule for Google Cloud.

AndreasA commented 8 months ago

Thanks for the feedback. Currently I have no time to try out the new version and these rules etc., but I will try to make some time for it sometime next year 😄

silviokennecke commented 8 months ago

We just released 6.0.0, so the mentioned features are now in a stable version.

AndreasA commented 2 days ago

@silviokennecke Sorry for the delayed response. Just wondering, do you know which Google API would currently be best utilized for this in combination with the SSO login provider?