ether / ep_openid_connect

Etherpad plugin to authenticate users against an OpenID Connect provider

Feature request: search in roles claim for role #44

Closed GodMod closed 2 years ago

GodMod commented 2 years ago

IDPs like Keycloak provide a "roles" claim, like this:

[...]
  "realm": "sso",
  "roles": [
    "user",
    "application_admin",
    "etherpad_admin"
  ],
  "sub": "12345678"

It would be great if we could define that when a user has the role "etherpad_admin", the user flag "is_admin" is set. Currently, only checking if specific claims are set is possible.

rhansen commented 2 years ago

Is it difficult to add custom claims in Keycloak? If it's easy to add custom claims, then I hesitate to add more code to this plugin.

Marmelatze commented 2 years ago

This can be solved by a keycloak client scope mapper with a custom script:

Script:

```javascript
/**
 * Available variables:
 * user - the current user
 * realm - the current realm
 * token - the current token
 * userSession - the current userSession
 * keycloakSession - the current keycloakSession
 */

// Unused in this mapper.
var client = keycloakSession.getContext().getClient();

// Look up the realm role to check for.
var role = realm.getRole("admin");

// The mapper's output: the claim value is true when the user has the role.
exports = user.hasRole(role);
```

GodMod commented 2 years ago

Perfect, thank you @Marmelatze
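The two ways of deriving Etherpad's admin flag discussed in this issue, as an added example that is not ep_openid_connect's own code: checking a boolean claim (such as the one the Keycloak script mapper above produces) versus searching a roles claim for a role name. The claims object is constructed from the payload GodMod posted, and the `settings` shape is a hypothetical illustration, not the plugin's real configuration schema.

```javascript
// Constructed sample ID token claims, modelled on the payload in the issue.
// `etherpad_is_admin` stands for a boolean claim emitted by a script mapper.
const SAMPLE_CLAIMS = {
  realm: 'sso',
  roles: ['user', 'application_admin', 'etherpad_admin'],
  sub: '12345678',
  etherpad_is_admin: true,
};

// Approach 1 (what the plugin supports today, per the issue): a named claim
// decides the flag. Only a strict boolean true grants admin, so a string
// "false", a 1, or a stray value never does.
function isAdminByClaim(claims, claimName) {
  return claims[claimName] === true;
}

// Approach 2 (the feature request): search an array-valued roles claim for
// one exact role name. A missing claim or a non-array value yields false, and
// matching is exact so "etherpad_admin_readonly" does not match
// "etherpad_admin".
function isAdminByRole(claims, rolesClaim, requiredRole) {
  const roles = claims[rolesClaim];
  if (!Array.isArray(roles)) return false;
  return roles.some((r) => typeof r === 'string' && r === requiredRole);
}

// Combined decision over a hypothetical settings object:
//   {adminClaim, rolesClaim, adminRole}
// Either mechanism granting admin is enough; unset settings are skipped.
function isAdmin(claims, settings) {
  if (settings.adminClaim && isAdminByClaim(claims, settings.adminClaim)) {
    return true;
  }
  if (settings.rolesClaim && settings.adminRole) {
    return isAdminByRole(claims, settings.rolesClaim, settings.adminRole);
  }
  return false;
}
```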