github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-11-25 09:42:10 +08:00
Code Issues Actions 24 Packages Projects Releases Wiki Activity

Added option to change the OIDC claim regarded as the ID

Browse Source 
Defined via a OIDC_EXTERNAL_ID_CLAIM env option.
For #3914
This commit is contained in:
Dan Brown 2023-01-26 16:43:15 +00:00
parent 3202f96181
commit 811be3a36a
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.env.example.complete
View File

@ -268,6 +268,7 @@ OIDC_DUMP_USER_DETAILS=false
OIDC_USER_TO_GROUPS=false OIDC_USER_TO_GROUPS=false
OIDC_GROUPS_CLAIM=groups OIDC_GROUPS_CLAIM=groups
OIDC_REMOVE_FROM_GROUPS=false OIDC_REMOVE_FROM_GROUPS=false
OIDC_EXTERNAL_ID_CLAIM=sub
# Disable default third-party services such as Gravatar and Draw.IO # Disable default third-party services such as Gravatar and Draw.IO
# Service-specific options will override this option # Service-specific options will override this option

3
app/Auth/Access/Oidc/OidcService.php
View File

@ -198,7 +198,8 @@ class OidcService
*/ */
protected function getUserDetails(OidcIdToken $token): array protected function getUserDetails(OidcIdToken $token): array
{ {
$id = $token->getClaim('sub'); $idClaim = $this->config()['external_id_claim'];
$id = $token->getClaim($idClaim);
return [ return [
'external_id' => $id, 'external_id' => $id,

5
app/Config/oidc.php
View File

@ -8,9 +8,12 @@ return [
// Dump user details after a login request for debugging purposes // Dump user details after a login request for debugging purposes
'dump_user_details' => env('OIDC_DUMP_USER_DETAILS', false), 'dump_user_details' => env('OIDC_DUMP_USER_DETAILS', false),
// Attribute, within a OpenId token, to find the user's display name // Claim, within an OpenId token, to find the user's display name
'display_name_claims' => explode('|', env('OIDC_DISPLAY_NAME_CLAIMS', 'name')), 'display_name_claims' => explode('|', env('OIDC_DISPLAY_NAME_CLAIMS', 'name')),
// Claim, within an OpenID token, to use to connect a BookStack user to the OIDC user.
'external_id_claim' => env('OIDC_EXTERNAL_ID_CLAIM', 'sub'),
// OAuth2/OpenId client id, as configured in your Authorization server. // OAuth2/OpenId client id, as configured in your Authorization server.
'client_id' => env('OIDC_CLIENT_ID', null), 'client_id' => env('OIDC_CLIENT_ID', null),

20
tests/Auth/OidcTest.php
View File

@ -42,6 +42,7 @@ class OidcTest extends TestCase
'oidc.user_to_groups' => false, 'oidc.user_to_groups' => false,
'oidc.groups_claim' => 'group', 'oidc.groups_claim' => 'group',
'oidc.remove_from_groups' => false, 'oidc.remove_from_groups' => false,
'oidc.external_id_claim' => 'sub',
]); ]);
} }
@ -391,6 +392,25 @@ class OidcTest extends TestCase
$this->assertTrue(auth()->check()); $this->assertTrue(auth()->check());
} }
public function test_auth_uses_configured_external_id_claim_option()
{
config()->set([
'oidc.external_id_claim' => 'super_awesome_id',
]);
$roleA = Role::factory()->create(['display_name' => 'Wizards']);
$resp = $this->runLogin([
'email' => 'benny@example.com',
'sub' => 'benny1010101',
'super_awesome_id' => 'xXBennyTheGeezXx',
]);
$resp->assertRedirect('/');
/** @var User $user */
$user = User::query()->where('email', '=', 'benny@example.com')->first();
$this->assertEquals('xXBennyTheGeezXx', $user->external_auth_id);
}
public function test_login_group_sync() public function test_login_group_sync()
{ {
config()->set([ config()->set([