Closed HarryKodden closed 4 weeks ago
I cannot reproduce this. With a fresh demo seed (with the cloud service set to free for all), the user urn:user_suspend_warning
is not a member of any CO, yet he is allowed to log in:
╰─▶ curl -u sysread:secret -X POST -H "Content-Type: application/json" http://localhost:3000/api/users/proxy_authz -d '{"user_id": "urn:user_suspend_warning", "service_id": "https://cloud", "issuer_id": "https://idp.test"}'
{
  "attributes": {
    "eduPersonEntitlement": [],
    "eduPersonPrincipalName": [
      "user_suspend_warning@test.sram.surf.nl"
    ],
    "sshkey": [],
    "uid": [
      "user_suspend_warning"
    ]
  },
  "status": {
    "result": "authorized"
  }
}
It is broken though for users who are unknown in SBS:
╰─▶ curl -u sysread:secret -X POST -H "Content-Type: application/json" http://localhost:3000/api/users/proxy_authz -d '{"user_id": "urn:gandalf", "service_id": "https://cloud", "issuer_id": "https://idp.test"}'
{
  "status": {
    "error_status": 1,
    "redirect_url": "http://localhost:3000/service-denied?service_name=Cloud&error_status=1&entity_id=https%3A%2F%2Fcloud&issuer_id=https%3A%2F%2Fidp.test&user_id=urn%3Agandalf",
    "result": "unauthorized"
  }
}
Should be fixed on the SBS side in https://github.com/SURFscz/SBS/tree/feature/login-freeride but there turns out to be a blocking issue in EduTEAMS, causing the user to end up at a "You are already a member of this VO" screen at Perun. Reported to eduTEAMS as TT#2024060534000194
continues in #1463
We want to allow login to a Service to anyone. It is up to the Service to inspect the Userinfo offered by SRAM to validate and decide what this SRAM Authenticated user is allowed to do in the Service. For example: Inspect the entitlements claim of the userinfo, see that the user is missing a certain entitlement and then initiate an invitation to that user to become member of a certain CO.
Expected behavior:
Observed behaviour:
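The service-side decision described in this issue, as an added example that is not part of the thread or of SBS: it takes a proxy_authz response in the shape shown above, trusts an "unauthorized" verdict from SBS, and otherwise checks the eduPersonEntitlement claim for the entitlement the service needs, mapping a missing one to "invite" rather than a plain deny. The sample responses are constructed to mirror the two shown in the thread, and the required entitlement value is a hypothetical placeholder.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical entitlement a service might require; not a value from SRAM or SBS.
REQUIRED_ENTITLEMENT = "urn:example:co:cloud-users"

# Constructed samples in the shape of the proxy_authz responses shown in the thread.
AUTHORIZED_NO_ENTITLEMENT = json.loads("""{
  "attributes": {"eduPersonEntitlement": [],
                 "eduPersonPrincipalName": ["user_suspend_warning@test.sram.surf.nl"],
                 "sshkey": [], "uid": ["user_suspend_warning"]},
  "status": {"result": "authorized"}
}""")
UNAUTHORIZED = json.loads("""{
  "status": {"error_status": 1,
             "redirect_url": "http://localhost:3000/service-denied?service_name=Cloud&error_status=1",
             "result": "unauthorized"}
}""")
MEMBER = json.loads("""{
  "attributes": {"eduPersonEntitlement": ["urn:example:co:cloud-users"],
                 "eduPersonPrincipalName": ["member@test.sram.surf.nl"],
                 "sshkey": [], "uid": ["member"]},
  "status": {"result": "authorized"}
}""")


@dataclass
class Decision:
    action: str                        # "deny", "allow" or "invite"
    principal: Optional[str] = None    # eduPersonPrincipalName, when present
    redirect_url: Optional[str] = None # where to send a refused user


def decide(response: dict, required_entitlement: str) -> Decision:
    """Decide what an SRAM-authenticated user may do in the service."""
    status = response.get("status", {})
    if status.get("result") != "authorized":
        # SBS refused the login: honour it and use the redirect it returned.
        return Decision("deny", redirect_url=status.get("redirect_url"))
    attrs = response.get("attributes", {})
    principal = (attrs.get("eduPersonPrincipalName") or [None])[0]
    if required_entitlement in set(attrs.get("eduPersonEntitlement", [])):
        return Decision("allow", principal=principal)
    # Authenticated, but not in the CO this service needs: only offer an invitation.
    return Decision("invite", principal=principal)
```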