Signalen / backend

Backend for Signalen, an application that helps cities manage and prioritize nuisance reports.
https://signalen.org
Mozilla Public License 2.0

Make OpenID implementation easily usable with other Identity Providers #2

Closed bartjkdp closed 4 years ago

bartjkdp commented 4 years ago

The current OpenID implementation requires the Identity Provider to set a custom scope SIG/ALL. Custom scopes are not always available in Identity Providers (e.g. Dex does not support this easily). Also scopes are normally used to scope claims on the identity provider, not for providing roles in a consuming application.

Maybe groups in ID tokens would be a better solution for this purpose? It would be nice if mappings between groups and roles could easily be done from configuration settings:

{
  "iss": "http://127.0.0.1:5556/dex",
  "sub": "CgcyMzQyNzQ5EgZnaXRodWI",
  "aud": "example-app",
  "exp": 1492882042,
  "iat": 1492795642,
  "at_hash": "bi96gOXZShvlWYtal9Eqiw",
  "email": "jane.doe@coreos.com",
  "email_verified": true,
  "groups": [
    "admins",
    "developers"
  ],
  "name": "Jane Doe"
}

See: https://github.com/dexidp/dex#id-tokens

Would be nice to also integrate Dex for testing purposes.

bartjkdp commented 4 years ago

Originally from @CBuiVNG

I had a short discussion about this topic with David. The "SIG/ALL" is used to flag users who are allowed to log in to SIA. The actual authorisation is done at email-address level. The user with the matched email is retrieved from Django. The SIG/ALL check/requirement is probably unneeded. I think we can skip the custom scope altogether.
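The two comments above describe two ways of deciding what an OIDC login is allowed to do: mapping a `groups` claim to application roles from configuration (first comment), and authorising on the email address by looking the user up locally, without requiring a custom scope (second comment). The following is an added example, not Signalen's own code, that puts both together in Python. It assumes the ID token has already been verified (signature, `iss`, `aud`, `exp`) by the OIDC client library, so only the claims dictionary is interpreted here; the setting name `GROUP_ROLE_MAPPING`, the role names, the sample claims and the local user list are all constructed for the example.

```python
"""Interpret verified OIDC ID-token claims: gate login on a locally known,
verified email address and derive application roles from a configurable
groups-to-roles mapping. Added example; not Signalen's own code.
"""
from __future__ import annotations

from typing import FrozenSet, Iterable, Mapping, Tuple

# Constructed configuration (hypothetical setting name): which ID-token
# groups grant which application roles. Unknown groups grant nothing.
GROUP_ROLE_MAPPING: Mapping[str, Iterable[str]] = {
    "admins": ("sia_admin", "sia_user"),
    "developers": ("sia_user",),
}

# Constructed local user directory, standing in for the Django lookup by
# email described in the issue. Only these addresses may log in.
KNOWN_USERS: FrozenSet[str] = frozenset({"jane.doe@coreos.com"})

# Constructed sample claims, modelled on the Dex ID token quoted above.
SAMPLE_CLAIMS = {
    "iss": "http://127.0.0.1:5556/dex",
    "sub": "CgcyMzQyNzQ5EgZnaXRodWI",
    "aud": "example-app",
    "email": "jane.doe@coreos.com",
    "email_verified": True,
    "groups": ["admins", "developers"],
    "name": "Jane Doe",
}


class LoginDenied(Exception):
    """Raised when the claims do not entitle the subject to log in."""


def roles_from_groups(claims: Mapping, mapping: Mapping[str, Iterable[str]]) -> FrozenSet[str]:
    """Translate the token's ``groups`` claim into application roles.

    The claim is optional and untrusted in shape: anything that is not a
    list of strings is ignored rather than raising, so a provider that
    omits groups simply yields no roles.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return frozenset()
    roles: set[str] = set()
    for group in groups:
        if isinstance(group, str):
            roles.update(mapping.get(group, ()))
    return frozenset(roles)


def resolve_login(
    claims: Mapping,
    mapping: Mapping[str, Iterable[str]] = GROUP_ROLE_MAPPING,
    known_users: FrozenSet[str] = KNOWN_USERS,
) -> Tuple[str, FrozenSet[str]]:
    """Decide whether the token's subject may log in and with which roles.

    Authorisation is at email-address level, as the second comment
    describes: the address must be present, marked verified by the
    provider, and correspond to a local user. No custom scope is needed.
    Roles come from the configured group mapping and may be empty.
    """
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        raise LoginDenied("ID token carries no email claim")
    # An unverified address must not be trusted as an identity; a provider
    # that lets users self-assert email would otherwise impersonate others.
    if claims.get("email_verified") is not True:
        raise LoginDenied("email address not verified by the provider")
    # Exact match, mirroring a username lookup; fold case here only if the
    # local user store does so consistently.
    if email not in known_users:
        raise LoginDenied("no local user for this email address")
    return email, roles_from_groups(claims, mapping)


if __name__ == "__main__":
    print(resolve_login(SAMPLE_CLAIMS))
```

Running the module prints the accepted address together with the roles `sia_admin` and `sia_user` derived from the `admins` and `developers` groups. Because `roles_from_groups` tolerates a missing or malformed `groups` claim, a provider that cannot emit groups (or custom scopes) still allows login for known email addresses, with whatever roles are then assigned locally.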