dominik-th / matomo-plugin-LoginOIDC

external authentication services for matomo
https://plugins.matomo.org/LoginOIDC/
GNU General Public License v3.0

Grant some default permissions on account create #17

Open calmh opened 4 years ago

calmh commented 4 years ago

If you check the option to create users on first login, users are indeed created and that's great. However, they will have no access to any site and instead get an error message on login. It would be fantastic if we could either specify default permissions to apply, or a template user to copy from, or a default site to view access to, or something similar.

Thanks for creating this plugin! ❤️

lukasredev commented 4 years ago

This would be an awesome feature to have. @dominik-th possibly it could even be extended to have an option to read permissions from the OIDC token?

If the token would look like

{
   ...
   "view_permissions": ["example.com", "test.com"]
   ....
}

then the view permissions on the corresponding sites would automatically be granted.

lukasredev commented 4 years ago

Such a feature would be great for my use case, maybe I can take some time to implement it.

nogweii commented 4 years ago

I'd also love the ability to set the superuser flag of an account, during provisioning and updating, via an OIDC claim. Something like:

{
  "..."
  "view_permissions": ["example.com", "test.com"],
  "is_super_user": true,
  "..."
}

lukasredev commented 4 years ago

@dominik-th would you accept a pull request to implement this feature?

dominik-th commented 4 years ago

Yes, pull requests are always welcome! 😊

Do you want to add a separate claim for each permission type?

{
  "..."
  "view_permissions": ["example1.com"],
  "write_permissions": ["example2.com"],
  "admin_permissions": ["example3.com"],
  "is_super_user": true,
  "..."
}

Will the permissions only be granted on account creation? Or should it be kept in sync?

lukasredev commented 3 years ago

@dominik-th so after some time I am back :) Had a very busy summer and therefore not much time to continue with my piwik setup.

I would suggest the following implementation:

  "piwik_view_permissions": ["example1.com"],
  "piwik_write_permissions": ["example2.com"],
  "piwik_admin_permissions": ["example3.com"],
  "piwik_is_super_user": true,

calmh commented 3 years ago

I'm not an expert but I think the standard-est way would be to add a roles claim and map those roles to permissions in the application. However I wouldn't quibble with the above way either as it would solve my problem. :) If so I would like to request that wildcards would apply, so that I could add for example

"piwik_view_permissions": ["*"]

to give registered users read permissions on everything by default.

lukasredev commented 3 years ago

@calmh I agree with you, however the mapping between roles and permissions would have to be supported on the piwik side? Or would you add this as a configuration option to the plugin? Wildcards would be nice, especially also if we can apply it to subdomains like:

piwik_view_permissions: ["*.example.com"]
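The claim layout proposed above by @dominik-th and @lukasredev, with the wildcard matching @calmh and @lukasredev asked for, worked through as an added PHP example (not LoginOIDC code): it resolves the `piwik_*` claims against the configured sites so that `*.example.com` cannot be satisfied by a lookalike host such as `evilexample.com`, the highest level wins per site, and a superuser claim that is not a JSON boolean grants nothing. The claim names, the `idsite => host` shape of `$sites` and the function names are assumptions.

```php
<?php
// Added example, not LoginOIDC code. Resolves the claim layout proposed in this
// thread into per-site Matomo access levels. Assumes $claims is the decoded
// ID-token payload and $sites maps idsite => the site's host as set in Matomo.
const ACCESS_RANK = ['view' => 1, 'write' => 2, 'admin' => 3];

// Strict wildcards: "*" matches every site; a leading "*." matches one or more
// subdomain labels ("*.example.com" matches "stats.example.com", not
// "example.com" or "evilexample.com"). Anything else must equal the host.
function hostMatches(string $pattern, string $host): bool {
    $pattern = strtolower(trim($pattern));
    $host    = strtolower($host);
    if ($pattern === '*') {
        return true;
    }
    if (substr($pattern, 0, 2) === '*.') {
        $suffix = substr($pattern, 1);                    // ".example.com"
        return strpos($suffix, '*') === false
            && strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix;
    }
    return strpos($pattern, '*') === false && $pattern === $host;
}

// Highest level granted by any claim wins per site; unmatched sites are absent.
// Only a JSON boolean true grants superuser (the string "true" does not).
function resolveAccess(array $claims, array $sites): array {
    $access = [];
    foreach (ACCESS_RANK as $level => $rank) {
        $patterns = $claims["piwik_{$level}_permissions"] ?? [];
        if (!is_array($patterns)) { continue; }           // malformed claim: grant nothing
        foreach ($sites as $idSite => $host) {
            foreach ($patterns as $pattern) {
                $matched = is_string($pattern) && hostMatches($pattern, $host);
                if ($matched && (!isset($access[$idSite]) || ACCESS_RANK[$access[$idSite]] < $rank)) {
                    $access[$idSite] = $level;
                }
            }
        }
    }
    return ['superuser' => ($claims['piwik_is_super_user'] ?? false) === true, 'access' => $access];
}
// Constructed sample input chosen to hit the boundary cases above.
$sites  = [1 => 'example1.com', 2 => 'stats.example.com', 3 => 'example.com', 4 => 'evilexample.com'];
$claims = [
    'piwik_view_permissions'  => ['*.example.com'],
    'piwik_write_permissions' => ['example1.com'],
    'piwik_is_super_user'     => 'true',                  // a string: must not grant superuser
];
var_export(resolveAccess($claims, $sites));
```

Whatever the plugin ends up granting, the same resolution should run on every login if permissions are to be kept in sync, so that a claim removed at the identity provider also revokes access in Matomo.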

calmh commented 3 years ago

I have no idea of matomo internals but yeah in the roles case that would be setup on the application side, perhaps by something as simple as creating a user and giving it the relevant permissions, then referring to that user as the "role".

dejwsz commented 3 years ago

Not a perfect solution but for the time being I just modified the plugin controller, so: plugins/LoginOIDC/Controller.php

and in the line with the call to add a user:

UsersManagerApi::getInstance()->addUser(...

I added an id of the default website with a view permission as the last parameter (just added it after an additional comma). For example you can create a dummy website during matomo deployment which gets id value "1". And later you can add it as the default website for every new user with this additional parameter. This way you can mitigate the error shown for a new user which has no permissions at all.

I just used the API definition of that method:

public function addUser($userLogin, $password, $email, $alias = false, $_isPasswordHashed = false, $initialIdSite = null)

dejwsz commented 3 years ago

Potentially there could be some additional configuration parameter for the plugin pointing to the id of the default website with a view permission which is set during a user creation process.

mathiasstocker commented 2 years ago

Another solution could be to use an expression interpreter, like the Expression Language component of Symfony https://symfony.com/doc/current/components/expression_language.html

So in the Plugin Settings there could be an input field for view, write, admin and super user permissions where you can put an expression which gets called with the claims as parameter and returns the domains as an array (or true / false for super user). This way you are more flexible in mapping claims to permissions.