oidc: Add roles claim and bound role

With this you can deny the user from logging in, if a needed group is not included in the claims.
2021-06-30 14:32:30 +02:00 · 2021-06-30 14:32:30 +02:00 · feeef0ceae
commit feeef0ceae
parent db12786b27
2 changed files with 31 additions and 1 deletions
--- a/peertube-plugin-auth-openid-connect/README.md
+++ b/peertube-plugin-auth-openid-connect/README.md
@ -9,3 +9,5 @@ l'Éducation et de la Jeunesse" (french Ministry of National Education).

 The callback URL to configure on the OIDC provider side is: <your-instance-url>/plugins/auth-openid-connect/router/code-cb
 If you don't specifie a role attribute new users will have a 'User' role by default. If you use this attribute it should hold an integer from this set of values: 0 (Administrator), 1 (Moderator), 2 (User).
+
+With `group-property` and `allowed-group` you can allow only a subset of users to login.
--- a/peertube-plugin-auth-openid-connect/main.js
+++ b/peertube-plugin-auth-openid-connect/main.js
@ -94,6 +94,22 @@ async function register ({
    private: true
  })

+  registerSetting({
+    name: 'group-property',
+    label: 'Group property',
+    type: 'input',
+    private: true,
+    descriptionHTML: 'Property/claim that contains a users groups'
+  })
+
+  registerSetting({
+    name: 'allowed-group',
+    label: 'Allowed group',
+    type: 'input',
+    private: true,
+    descriptionHTML: 'Will only allow login for users whose group array contains this group'
+  })
+
  const router = getRouter()
  router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res))

@ -249,7 +265,9 @@ async function handleCb (peertubeHelpers, settingsManager, req, res) {
      'mail-property',
      'username-property',
      'display-name-property',
-      'role-property'
+      'role-property',
+      'group-property',
+      'allowed-group'
    ])

    logger.debug('Got userinfo from openid auth.', { userInfo, settings })
@ -267,6 +285,16 @@ async function handleCb (peertubeHelpers, settingsManager, req, res) {
      }
    }

+    if (settings['group-property'] && settings['allowed-group']) {
+      let roles = userInfo[settings['group-property']]
+      if (!roles.includes(settings['allowed-group'])) {
+        throw {
+          name: "AllowedGroupNotFound",
+          message: "User is not in allowed group"
+        }
+      }
+    }
+
    let displayName
    if (settings['display-name-property']) {
      displayName = userInfo[settings['display-name-property']]