lawliet89 / rowdy

A Rocket based JSON Web Token authentication server.
https://lawliet89.github.io/rowdy/
Apache License 2.0

Allow user to pass in the scope he wants returned #38

Open xkjyeah opened 7 years ago

xkjyeah commented 7 years ago

Here's a sample of the fields available:

('CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
  {'accountExpires': ['9223372036854775807'],
   'badPasswordTime': ['131408687478170480'],
   'badPwdCount': ['0'],
   'cn': ['Daniel Sim'],
   'codePage': ['0'],
   'company': ['GovTech'],
   'countryCode': ['0'],
   'dSCorePropagationData': ['20160928023533.0Z',
    '20160928020831.0Z',
    '16010101000001.0Z'],
   'department': ['DSD'],
   'displayName': ['Daniel Sim'],
   'distinguishedName': ['CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'givenName': ['Daniel Sim'],
   'instanceType': ['4'],
   'lastLogoff': ['0'],
   'lastLogon': ['131408688359644108'],
   'lastLogonTimestamp': ['131408636685082554'],
   'lockoutTime': ['0'],
   'logonCount': ['0'],
   'mail': ['daniel_sim@example.gov.sg'],
   'memberOf': ['CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
    'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'name': ['Daniel Sim'],
   'objectCategory': ['CN=Person,CN=Schema,CN=Configuration,DC=dsd,DC=example,DC=gov,DC=sg'],
   'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
   'objectGUID': ['P\xebV\xe5\xaebYB\xa5)\xf6\x93[ \x12^'],
   'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\xcf\x13\x90\n\xfe,\xe0\xb7y\x98\xa5\\\x04\x00\x00'],
   'physicalDeliveryOfficeName': ['X'],
   'primaryGroupID': ['513'],
   'pwdLastSet': ['131408636244939448'],
   'sAMAccountName': ['daniel_sim'],
   'sAMAccountType': ['805306368'],
   'uSNChanged': ['55404'],
   'uSNCreated': ['12915'],
   'userAccountControl': ['512'],
   'userPrincipalName': ['daniel_sim@dsd.example.gov.sg'],
   'whenChanged': ['20170602075428.0Z'],
   'whenCreated': ['20160928020831.0Z']}),

If the user specifies scope=userPrincipalName,memberOf,mail, the JSON web token should also include the following fields:

{
    userPrincipalName: ['daniel_sim@dsd.example.gov.sg'],
    memberOf: [
        'CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
        'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'
    ],
    mail: ['daniel_sim@example.gov.sg']
}

This way, we can perform group checks without hitting the LDAP server.

Relevant line of code: https://github.com/lawliet89/rowdy/blob/master/src/auth/ldap.rs#L101
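The attribute selection proposed above, as an added std-only Rust example that is not rowdy's code: the `RELEASABLE` allowlist, the helper names and the constructed sample entry are assumptions, and the allowlist is what keeps a `scope` value from pulling arbitrary directory attributes (such as `objectSid` or `badPwdCount`) into a token.

```rust
use std::collections::{BTreeMap, HashMap};

/// Assumed allowlist of LDAP attributes the server is willing to release into
/// a token. Anything absent here is never copied, even if the client asks for it.
const RELEASABLE: &[&str] = &["userPrincipalName", "memberOf", "mail", "displayName"];

/// Case-insensitive attribute lookup, since LDAP attribute names are not case-sensitive.
fn lookup<'a>(entry: &'a HashMap<String, Vec<String>>, name: &str) -> Option<&'a Vec<String>> {
    entry.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|(_, v)| v)
}

/// Parse a `scope=userPrincipalName,memberOf,mail` value and copy the matching,
/// allowlisted attributes from the LDAP entry into extra JWT claims.
pub fn select_claims(entry: &HashMap<String, Vec<String>>, scope: &str) -> BTreeMap<String, Vec<String>> {
    let mut claims = BTreeMap::new();
    for requested in scope.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        // Only names on the allowlist are considered; the canonical spelling is used as the claim key.
        if let Some(name) = RELEASABLE.iter().find(|a| a.eq_ignore_ascii_case(requested)) {
            if let Some(values) = lookup(entry, name) {
                claims.insert(name.to_string(), values.clone());
            }
        }
    }
    claims
}

/// Group check against the `memberOf` claim, so a resource server can verify
/// membership from the token alone instead of querying LDAP.
pub fn is_member_of(claims: &BTreeMap<String, Vec<String>>, group_dn: &str) -> bool {
    claims.get("memberOf").map_or(false, |groups| groups.iter().any(|g| g.eq_ignore_ascii_case(group_dn)))
}

/// Constructed sample entry mirroring the attributes shown in the issue.
pub fn sample_entry() -> HashMap<String, Vec<String>> {
    let mut e = HashMap::new();
    e.insert("userPrincipalName".into(), vec!["daniel_sim@dsd.example.gov.sg".into()]);
    e.insert("mail".into(), vec!["daniel_sim@example.gov.sg".into()]);
    e.insert("memberOf".into(), vec![
        "CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg".into(),
        "CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg".into(),
    ]);
    e.insert("badPwdCount".into(), vec!["0".into()]); // requested below but not releasable
    e
}

fn main() {
    let claims = select_claims(&sample_entry(), "userPrincipalName,memberOf,mail,badPwdCount");
    println!("{:?}", claims); // badPwdCount is silently dropped
}
```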

lawliet89 commented 7 years ago

The scope parameter is not meant for specific use with LDAP. It was meant for specifying the resources that the user intends to access with the token. I'll see how I can do this in another manner.

xkjyeah commented 7 years ago

True... that's hacking around the scope.

However, it's similar to how Auth0 does it: https://auth0.com/docs/scopes/current

On Mon, Jun 5, 2017 at 9:23 AM, Yong Wen Chua notifications@github.com wrote:

> The scope parameter is not meant for specific use with LDAP. It was meant for specifying the resources that the user intends to access with the token. I'll see how I can do this in another manner.
