smhaller / ldap-overleaf-sl

Free LDAP and OAuth2 Authentication and Authorisation for Sharelatex / Overleaf (Community Edition)
GNU Affero General Public License v3.0

Restrict access based on OAuth/OpenID Group membership #46

Open xathon opened 9 months ago

xathon commented 9 months ago

It would be great to have the possibility to restrict logins to a specific group listed in the /userinfo endpoint on OpenID/Oauth.

smhaller commented 9 months ago

For LDAP you have this possibility:

xathon commented 9 months ago

🤦 I missed that this was possible. I am using it with OAuth, where it's not possible, and I totally missed that this is already supported with LDAP, apologies.

smhaller commented 9 months ago

No problem :) - if you have time to implement this for OAuth you could create a pull request ;)

yzx9 commented 9 months ago

Based on my understanding, the ID Token in the OAuth2/OIDC protocol does not inherently include group or role claims. As a workaround, I suggest implementing group filtering directly within the OAuth2/OIDC provider, such as through client roles in Keycloak. This approach allows for more streamlined and effective role management within the authentication process.