project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0
900 stars 94 forks

[Feat]: Allow specifying user and group scopes with OIDC authentication #2523

Open AndersBennedsgaard opened 3 months ago

AndersBennedsgaard commented 3 months ago

Is your feature request related to a problem? Please describe.

It should be possible to specify which claim to use for the user ID. Some users might want to use `email`, others might want to use `sub`. Additionally, it should be possible to select a claim which is used for groups. This is already possible with LDAP: https://github.com/project-zot/zot/blob/002ff05f6e5ab3870aca75e616e8a4ed9b4a5c68/pkg/api/config/config.go#L165

Describe the solution you'd like

Add `userclaim` and `groupsclaim` to OIDC provider config

Describe alternatives you've considered

No response

Additional context

No response
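To illustrate what the requested claim selection would amount to on the registry side, here is an added example in Go (zot's language) that is not zot's code and not part of this issue: the config type `OIDCClaimConfig`, the functions `ParseClaims` and `MapClaims`, and the sample ID-token payload are all hypothetical, constructed for this illustration. It maps an already-verified ID token payload to a user ID and group list using configurable claim names, defaults to `sub` when no user claim is set, rejects a missing or non-string user claim, refuses an `email` identity when the provider marks it `email_verified: false`, and tolerates a groups claim that is absent, a single string, or a string array.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// OIDCClaimConfig is a hypothetical config extension naming which ID-token
// claims carry the user identity and the group membership list.
type OIDCClaimConfig struct {
	UserClaim   string // e.g. "sub", "email", "preferred_username"; defaults to "sub"
	GroupsClaim string // e.g. "groups"; empty means no group mapping
}

// Identity is the local identity derived from the token claims.
type Identity struct {
	User   string
	Groups []string
}

// sampleIDTokenPayload is a constructed (not real) decoded ID-token payload.
// Signature, issuer, audience and expiry checks are assumed to have already passed.
const sampleIDTokenPayload = `{"sub":"user-123","email":"alice@example.com","email_verified":true,"groups":["zot-admins","dev-team"]}`

// ParseClaims decodes a JSON claim set into a generic map.
func ParseClaims(payload string) (map[string]any, error) {
	var claims map[string]any
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return claims, nil
}

// MapClaims resolves the configured user and groups claims from a verified claim set.
func MapClaims(cfg OIDCClaimConfig, claims map[string]any) (Identity, error) {
	userClaim := cfg.UserClaim
	if userClaim == "" {
		userClaim = "sub" // OIDC guarantees sub; it is the stable identifier
	}
	raw, ok := claims[userClaim]
	if !ok {
		return Identity{}, fmt.Errorf("user claim %q missing from ID token", userClaim)
	}
	user, ok := raw.(string)
	if !ok || strings.TrimSpace(user) == "" {
		return Identity{}, fmt.Errorf("user claim %q is not a non-empty string", userClaim)
	}
	// An email identity is only trustworthy if the provider has verified it.
	if userClaim == "email" {
		if verified, present := claims["email_verified"].(bool); present && !verified {
			return Identity{}, fmt.Errorf("email %q is not verified by the provider", user)
		}
	}
	id := Identity{User: user}
	if cfg.GroupsClaim == "" {
		return id, nil
	}
	switch g := claims[cfg.GroupsClaim].(type) {
	case nil:
		return id, nil // authenticated, but no group membership asserted
	case string:
		id.Groups = []string{g} // a lone string is a single group
	case []any:
		for _, e := range g {
			s, ok := e.(string)
			if !ok {
				return Identity{}, fmt.Errorf("groups claim %q contains non-string entry %v", cfg.GroupsClaim, e)
			}
			id.Groups = append(id.Groups, s)
		}
	default:
		return Identity{}, fmt.Errorf("groups claim %q has unsupported type %T", cfg.GroupsClaim, g)
	}
	return id, nil
}

func main() {
	claims, err := ParseClaims(sampleIDTokenPayload)
	if err != nil {
		panic(err)
	}
	id, err := MapClaims(OIDCClaimConfig{UserClaim: "email", GroupsClaim: "groups"}, claims)
	fmt.Printf("identity=%+v err=%v\n", id, err)
}
```

The default to `sub` matters because `email` and `preferred_username` can change or be reassigned at the provider, so access-control rules keyed on them should be a deliberate operator choice; group mapping is deliberately permissive about an absent claim and strict about malformed entries, so a misconfigured claim name fails closed on groups without locking users out.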

rchincha commented 3 months ago

@AndersBennedsgaard thanks for doing a thorough evaluation and identifying improvements for zot. We would also respectfully urge you to consider posting PRs.

AndersBennedsgaard commented 3 months ago

I have opened PRs in OSS projects before which have been closed with a "we do not agree with this" explanation. So I don't create PRs before I get an approval from the developers that it is something they want. If you do think it's a good improvement, and wouldn't mind contributions for it, you can say that you agree and add the https://github.com/project-zot/zot/labels/good%20first%20issue label