flownative / flow-openidconnect-client

OpenID Connect Client SDK for Flow Framework
MIT License

FEATURE: Add roles from existing account #16

Closed daniellienert closed 4 years ago

daniellienert commented 4 years ago

If an account is authenticated which already exists in the local account storage, the roles assigned to the local account are merged with the statically configured roles / the roles fetched from claims and added to the transient account.

bwaidelich commented 4 years ago

Isn't the idea of this package to authenticate accounts that are not persisted? In the core functionality you can specify the roles via Settings or allow the JWT to specify them via a configurable claim. What is the use case for another layer that is based on some persistent account?

daniellienert commented 4 years ago

Hey @bwaidelich, I expected this question :)

In the current project we are authenticating via OIDC against an MS AD with a pretty large user base. Configuring Neos backend roles (and there will be many...) in the AD is not an option (and would be rather inconvenient). So a persisted backend user with limited access is created on first login and roles are assigned by Admins and UserManagers within the Neos backend. Statically configured roles from settings are also not an option, of course.

So once configured, the user should get the roles assigned to the persisted account.

I understand that my approach is against the concept here. Any suggestions? What do you think about just adding an extension point to manipulate the roles before the Transient Account is created?
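An added sketch of the merge described in this PR and of the extension point proposed above (example code, not code from flownative/flow-openidconnect-client; the class name, the hook signature and the role identifiers are assumed):

```php
<?php
// Assumed, illustrative model: roles configured statically, roles read from a
// configurable JWT claim and roles of an already-persisted local account are
// combined, then hooks may adjust the result before a transient account is built.
final class RoleResolver
{
    /** @var callable[] hooks with the shape callable(array $roles, array $claims): array */
    private array $beforeTransientAccountHooks = [];

    public function __construct(
        private array $staticRoles,           // roles from Settings (assumed shape: list of strings)
        private string $rolesClaim = 'roles'  // name of the claim that may carry roles
    ) {}

    /** The extension point discussed above: adjust roles before the transient account is created. */
    public function registerBeforeTransientAccountHook(callable $hook): void
    {
        $this->beforeTransientAccountHooks[] = $hook;
    }

    /**
     * @param array      $claims         decoded JWT claims
     * @param array|null $persistedRoles roles of the local account with the same identifier, null if none
     * @return string[] de-duplicated role identifiers for the transient account
     */
    public function resolve(array $claims, ?array $persistedRoles): array
    {
        $claimRoles = $claims[$this->rolesClaim] ?? [];
        if (is_string($claimRoles)) {
            $claimRoles = [$claimRoles];  // providers sometimes send a single role as a scalar
        }
        $roles = array_merge($this->staticRoles, $claimRoles, $persistedRoles ?? []);
        foreach ($this->beforeTransientAccountHooks as $hook) {
            $roles = $hook($roles, $claims);
        }
        return array_values(array_unique(array_filter($roles, 'is_string')));
    }
}

// Constructed sample input: one static role, a scalar role claim, and a persisted
// account to which an admin granted an editor role in the backend.
$resolver = new RoleResolver(['Example.Site:LoginUser'], 'roles');
$resolver->registerBeforeTransientAccountHook(
    fn(array $roles, array $claims): array => array_diff($roles, ['Example.Site:Disabled'])
);
var_dump($resolver->resolve(['sub' => 'alice', 'roles' => 'Example.Site:Reader'], ['Example.Site:Editor']));
```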

bwaidelich commented 4 years ago

@daniellienert Thanks for clarifying!

What do you think about just adding an extension point to manipulate the roles before the Transient Account is created?

Yes, I think that's a good idea. But obviously I'm merely a bystander and don't maintain this package :)

robertlemke commented 4 years ago

I opened a new PR (#17) as I couldn't push to this one.