Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set ngx.ctx.authenticated_groups if groups claim is present #132

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

set ngx.ctx.authenticated_groups if groups claim is present #132

wants to merge 1 commit into from

Conversation

knackaron
Copy link

This inspects the token retrieved from the OIDC provider, checks if the groups claim is present, and then sets the appropriate variable in the NGINX context so that other Kong plugins, such as the bundled ACL plugin can make authorization decisions based on the user's group vector.

This is following up on @Trojan295's ask for adding more information to the context (#15 (comment)).

@knackaron
set ngx.ctx.authenticated_groups if groups claim is present
1deabd0 
enables the use of Kong authorization plugins, such as the bundled
"acl plugin

Signed-off-by: Aron Parsons <[email protected]>
@Logunov
Copy link

Logunov commented Mar 6, 2020
edited
Loading

s/ngx.ctx.authenticated_groups/kong.ctx.shared.authenticated_groups/g

@RaVbaker
Copy link

Any chance @phirvone to get this merged?

RaVbaker
RaVbaker suggested changes Apr 24, 2020
View reviewed changes
Copy link

@RaVbaker RaVbaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

proposed missing setup for the authenticated_groups value setting. As this is the actual place from which the ACL is taking the value out

https://github.com/Kong/kong/blob/8ee57d885756322bc89e31fa997132d74491beee/kong/plugins/acl/groups.lua#L139

README.md
@@ -45,6 +45,10 @@ ngx.ctx.authenticated_consumer = {
}
```

The plugin will try to retrieve the user's groups from a field in the token (default `groups`)
and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions
and set `kong.ctx.shared.authenticated_groups` so that Kong authorization plugins can make decisions

kong/plugins/oidc/utils.lua
@@ -85,6 +86,12 @@ function M.injectUser(user)
ngx.req.set_header("X-Userinfo", ngx.encode_base64(userinfo))
end

function M.injectGroups(user, claim)
if user[claim] ~= nil then
ngx.ctx.authenticated_groups = user[claim]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ngx.ctx.authenticated_groups = user[claim]
kong.ctx.shared.authenticated_groups = user[claim]

RaVbaker referenced this pull request in revomatico/kong-oidc Apr 24, 2020
Fresh fork, used most of the features in a few forks
635dace
@cristichiru
Copy link

Implemented in my fork, Revomatico/kong-oidc.

I do not have this use case, so please test it and let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RaVbaker RaVbaker RaVbaker requested changes

@Logunov Logunov Logunov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@knackaron @Logunov @RaVbaker @cristichiru