Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ feat: Add custom fields & role assignment to OpenID strategy #5612

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

✨ feat: Add custom fields & role assignment to OpenID strategy #5612

wants to merge 14 commits into from
+288 −3

Conversation

rubentalstra
Copy link
Collaborator

@rubentalstra rubentalstra commented Feb 2, 2025
edited
Loading

Summary

Closes: #4670 #4362 #4354

feat: This Pull Request introduces comprehensive OpenID Connect (OIDC) support with enhanced user data handling and role assignment. Key changes include:

  • Environment Configuration: Updated .env.example with new environment variables for OpenID integration.
  • User Schema Enhancements: Modified userSchema.js to support additional fields for storing custom OpenID data.
  • Data Mappers Implementation: Added openidDataMapper.js with provider-specific mappers for Microsoft, AWS Cognito, and Keycloak to effectively fetch and map custom OpenID data.
  • OpenID Strategy Configuration: Enhanced openidStrategy.js to:
    • Utilize new data mappers for custom field extraction.
    • Enforce role-based access control, including dynamic system role assignment (admin vs. user) based on token-derived roles.
    • Manage user avatars by downloading and processing images based on OpenID data.
  • Dependency Updates: Updated package.json and package-lock.json with the necessary libraries for full OpenID functionality.
  • Type Definitions: Updated TypeScript types in types.ts to support custom OpenID data mappings.

Change Type

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

Testing

  • Currently, only the Microsoft provider has been tested and is fully working.

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented any complex areas in my code
  • I have updated documentation accordingly
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
  • A pull request for updating the documentation has been submitted

@rubentalstra rubentalstra mentioned this pull request Feb 2, 2025
Closed
10 tasks
@rubentalstra rubentalstra linked an issue Feb 3, 2025 that may be closed by this pull request
Enhancement: OAUTH/OIDC - enable mapping of JWT claims to user roles #4670
Open
1 task
@rubentalstra rubentalstra mentioned this pull request Feb 4, 2025
Closed
7 tasks
@geodanchev
Copy link

Hi @rubentalstra. I closed my pull request because you are right that we both want the same think. I went through the documentation as well and there you say that aws_cognito is available but I see only Microsoft implementation. Is there something I'm missing?

@rubentalstra
Copy link
Collaborator Author

Hi @geodanchev. it's all good. I can't test aws_cognito so I removed it from the code. but if there is someone who could test it then that would be great.

@geodanchev
Copy link

What about the documentation pull request

@rubentalstra
Copy link
Collaborator Author

rubentalstra commented Feb 6, 2025
edited
Loading

still need to remove it 😉

geodanchev
geodanchev reviewed Feb 6, 2025
View reviewed changes
api/strategies/openidStrategy.js

const token = requiredRoleTokenKind === 'access' ? tokenset.access_token : tokenset.id_token;
const decodedToken = safeDecode(token);
const tokenBasedRoles = extractRolesFromToken(decodedToken, requiredRoleParameterPath);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the variable tokenBasedRoles can be set only once before the if (process.env.OPENID_CUSTOM_DATA) block if you refactor the code slightly. Currently, tokenBasedRoles is being set twice, once inside the if block and once outside of it. This redundancy can be avoided.

geodanchev
geodanchev reviewed Feb 6, 2025
View reviewed changes
api/strategies/openidStrategy.js
const token = requiredRoleTokenKind === 'access' ? tokenset.access_token : tokenset.id_token;
const decodedToken = safeDecode(token);
const tokenBasedRoles = extractRolesFromToken(decodedToken, requiredRoleParameterPath);
const isAdmin = tokenBasedRoles.includes(adminRole);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have multiple adminRoles that at the end will make the user admin? Or it is not a good idea ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geodanchev geodanchev geodanchev left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enhancement: OAUTH/OIDC - enable mapping of JWT claims to user roles
2 participants
@rubentalstra @geodanchev