Closed mirekys closed 2 years ago
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
@mirekys :wave: any update on this ?
@mirekys thank you for your contribution!
Can you give us this Code change under MIT license?
according to @hodyroff We could skip the CLA check.
Please check @DeepDiver1975 s comments, address them and get the tests passing. Coding Standard and static analyzers are complaining.
Kudos, SonarCloud Quality Gate passed!
@mirekys :wave: we would like to proceed with this PR. To do so, it would be great if you could add the statement as suggested by @micbar above. It is totaly fine to just drop a comment like:
This code change is made under MIT license
. Many thanks.
This code change is made under MIT license
I also hopefully addressed all of the change requests made by @DeepDiver1975
Unless I miss something: there still seems to be a different setup for the update scenario.
Why would the initial provisioning use different attributes compared to the update case?
Maintaining two configs is error prone for my understanding.
This has already been asked for in https://github.com/owncloud/openidconnect/pull/222#discussion_r836773549
Please let me know if there are any questions or missunderstandings - thx
I reduced and moved the configs needed for the update scenario to the following config options: https://github.com/owncloud/openidconnect/pull/222/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R130-R136
Everything should now be under an already existing auto-provision
config section, and the current state of the PR only adds a way to toggle auto-update mode and to tell, which of the user provisioning attributes should be auto-updated (e.g. one may want to configure only email attribute to be auto-updated while leaving displayName untouched after the first-time provisioning). Apart from this, it shouldn't be using any different provisioning attribute configs just for doing auto-updates.
Could you please point me to the code parts where it still causes misunderstandings, or maybe specify, how the configuration for this should look? Thanks a lot :)
Could you please point me to the code parts where it still causes misunderstandings, or maybe specify, how the configuration for this should look? Thanks a lot :)
Config example in readme still has attributes under update. THX
Could you please point me to the code parts where it still causes misunderstandings, or maybe specify, how the configuration for this should look? Thanks a lot :)
Config example in readme still has attributes under update. THX
Could you please point me to the code parts where it still causes misunderstandings, or maybe specify, how the configuration for this should look? Thanks a lot :)
Config example in readme still has attributes under update. THX
Yep, but this update->attributes
option has a different meaning from auto-provision
options (mappings of claims to user attributes) and is related to auto-update mode only. It is just a whitelist of user attributes, that will be updated with fresh oidc data upon each user log-in. Any other user attribute not in this list won't be touched after the initial user provisioning.
We could simplify it by throwing it away and saying that if the update
mode is enabled, we simply update all of the user attributes upon each log-in.
Should I move/rename the option to something else that better describes its meaning? Or does it sound better to go with the simplest solution for now and drop it? 🙂
Yep, but this
update->attributes
option has a different meaning fromauto-provision
options (mappings of claims to user attributes) and is related to auto-update mode only. It is just a whitelist of user attributes, that will be updated with fresh oidc data upon each user log-in. Any other user attribute not in this list won't be touched after the initial user provisioning.We could simplify it by throwing it away and saying that if the
update
mode is enabled, we simply update all of the user attributes upon each log-in.Should I move/rename the option to something else that better describes its meaning? Or does it sound better to go with the simplest solution for now and drop it? slightly_smiling_face
Now I understand - thanks! Sorry took a while to understand. :see_no_evil:
What would be a reasonable scenario where only some attributes shall be updated?
If there is none - I'd vote for removing this attributes whitelist - THX a lot
Yep, but this
update->attributes
option has a different meaning fromauto-provision
options (mappings of claims to user attributes) and is related to auto-update mode only. It is just a whitelist of user attributes, that will be updated with fresh oidc data upon each user log-in. Any other user attribute not in this list won't be touched after the initial user provisioning. We could simplify it by throwing it away and saying that if theupdate
mode is enabled, we simply update all of the user attributes upon each log-in. Should I move/rename the option to something else that better describes its meaning? Or does it sound better to go with the simplest solution for now and drop it? slightly_smiling_faceNow I understand - thanks! Sorry took a while to understand. 🙈
What would be a reasonable scenario where only some attributes shall be updated?
If there is none - I'd vote for removing this attributes whitelist - THX a lot
It may make sense after the user group membership auto-update is implemented, as one may want to handle group memberships of users differently (e.g. manually/statically). In such cases preventing it from being constantly auto-updated from oidc would be desirable. But as of current implementation, I see the point that this option is unnecessary & excessive
Kudos, SonarCloud Quality Gate passed!
Hmm, is #278 something we overlooked here?
WIP
Description
This PR introduces the
auto-update
mode, that updates user's account information from OIDC userInfo data after successful authentication.Related Issue
Motivation and Context
auto-provision
mode ofopenid-connect
app creates user account from OIDC claims, but after that, there is currently no way to further update account information, whenever claims coming from an OIDC provider change over time (e. g. user changes an e-mail contact at the provider).How Has This Been Tested?
Unit tests added for the following scenarios:
Types of changes
[ ] Bug fix (non-breaking change which fixes an issue)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)
[ ] Technical debt
[x] Tests
Adds the new configuration section:
Adds the new
AccountUpdateService
(withupdateAccountInfo(IUser $user, $userInfo, bool $force = false)
AutoProvisioningService
andClient
refactored to faciliate code reuseChecklist:
Open tasks: