matty/peertube-theme-nctv-dark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

oidc: Add roles claim and bound role

Browse Source 
With this you can deny the user from logging in, if a needed group is not
included in the claims.
This commit is contained in:
Thorben Günther 2021-06-30 14:32:30 +02:00
parent db12786b27
commit feeef0ceae
No known key found for this signature in database
GPG Key ID: 415CD778D8C5AFED
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
peertube-plugin-auth-openid-connect/README.md
View File

@ -9,3 +9,5 @@ l'Éducation et de la Jeunesse" (french Ministry of National Education).
The callback URL to configure on the OIDC provider side is: <your-instance-url>/plugins/auth-openid-connect/router/code-cb The callback URL to configure on the OIDC provider side is: <your-instance-url>/plugins/auth-openid-connect/router/code-cb
If you don't specifie a role attribute new users will have a 'User' role by default. If you use this attribute it should hold an integer from this set of values: 0 (Administrator), 1 (Moderator), 2 (User). If you don't specifie a role attribute new users will have a 'User' role by default. If you use this attribute it should hold an integer from this set of values: 0 (Administrator), 1 (Moderator), 2 (User).
With `group-property` and `allowed-group` you can allow only a subset of users to login.

30
peertube-plugin-auth-openid-connect/main.js
View File

@ -94,6 +94,22 @@ async function register ({
private: true private: true
}) })
registerSetting({
name: 'group-property',
label: 'Group property',
type: 'input',
private: true,
descriptionHTML: 'Property/claim that contains a users groups'
})
registerSetting({
name: 'allowed-group',
label: 'Allowed group',
type: 'input',
private: true,
descriptionHTML: 'Will only allow login for users whose group array contains this group'
})
const router = getRouter() const router = getRouter()
router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res)) router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res))
@ -249,7 +265,9 @@ async function handleCb (peertubeHelpers, settingsManager, req, res) {
'mail-property', 'mail-property',
'username-property', 'username-property',
'display-name-property', 'display-name-property',
'role-property' 'role-property',
'group-property',
'allowed-group'
]) ])
logger.debug('Got userinfo from openid auth.', { userInfo, settings }) logger.debug('Got userinfo from openid auth.', { userInfo, settings })
@ -267,6 +285,16 @@ async function handleCb (peertubeHelpers, settingsManager, req, res) {
} }
} }
if (settings['group-property'] && settings['allowed-group']) {
let roles = userInfo[settings['group-property']]
if (!roles.includes(settings['allowed-group'])) {
throw {
name: "AllowedGroupNotFound",
message: "User is not in allowed group"
}
}
}
let displayName let displayName
if (settings['display-name-property']) { if (settings['display-name-property']) {
displayName = userInfo[settings['display-name-property']] displayName = userInfo[settings['display-name-property']]