Introducing a sec-external-authentication flag http header to identify local vs remote users

docs/authzn.adoc

@@ -276,3 +276,14 @@ sec-roles: ROLE_ORG_6007280321;ROLE_GDI_PLANER;ROLE_GDI_EDITOR;ROLE_USER
 sec-org: 6007280321
 ```
 
+== External authentication
+Whenever an external authentication is used (OAuth2 or external IDP), a new attribute is added to Header, named :
+```
+sec-external-authentication
+```
+which is set to "true" in this case.
+
+This allows the proxified webapps to adapt their behaviour consequently:
+as an example, it does not make sense to display a password update form in the geOrchestra
+console if the user is logged in via a third party identity provider. +
+Having the flag passed in the HTTP headers allows to enable or disable such a functionality.

gateway/src/main/java/org/georchestra/gateway/accounts/admin/AccountManager.java

@@ -38,7 +38,8 @@ public interface AccountManager {
      * @param mappedUser the user {@link ResolveGeorchestraUserGlobalFilter}
      *                   resolved by calling
      *                   {@link GeorchestraUserMapper#resolve(Authentication)}
-     * @return the stored version of the user if it exists, otherwise an empty Optional
+     * @return the stored version of the user if it exists, otherwise an empty
+     *         Optional
      */
     Optional<GeorchestraUser> find(GeorchestraUser mappedUser);
 

gateway/src/main/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizer.java

@@ -81,10 +81,10 @@ public class CreateAccountUserCustomizer implements GeorchestraUserCustomizerExt
             } else {
                 user = accounts.getOrCreate(mappedUser);
             }
+            user.setIsExternalAuth(true);
             loggedInUsers.put(auth, user);
             return user;
         }
         return mappedUser;
     }
-
 }

gateway/src/main/java/org/georchestra/gateway/filter/headers/providers/GeorchestraUserHeadersContributor.java

@@ -29,6 +29,8 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.web.server.ServerWebExchange;
 
+import static org.georchestra.commons.security.SecurityHeaders.*;
+
 /**
  * Contributes user-related {@literal sec-*} request headers.
  * 
@@ -43,26 +45,28 @@ public class GeorchestraUserHeadersContributor extends HeaderContributor {
                     .map(GeorchestraTargetConfig::headers)//
                     .ifPresent(mappings -> {
                         Optional<GeorchestraUser> user = GeorchestraUsers.resolve(exchange);
-                        add(headers, "sec-userid", mappings.getUserid(), user.map(GeorchestraUser::getId));
-                        add(headers, "sec-username", mappings.getUsername(), user.map(GeorchestraUser::getUsername));
-                        add(headers, "sec-org", mappings.getOrg(), user.map(GeorchestraUser::getOrganization));
-                        add(headers, "sec-email", mappings.getEmail(), user.map(GeorchestraUser::getEmail));
-                        add(headers, "sec-firstname", mappings.getFirstname(), user.map(GeorchestraUser::getFirstName));
-                        add(headers, "sec-lastname", mappings.getLastname(), user.map(GeorchestraUser::getLastName));
-                        add(headers, "sec-tel", mappings.getTel(), user.map(GeorchestraUser::getTelephoneNumber));
+                        add(headers, SEC_USERID, mappings.getUserid(), user.map(GeorchestraUser::getId));
+                        add(headers, SEC_USERNAME, mappings.getUsername(), user.map(GeorchestraUser::getUsername));
+                        add(headers, SEC_ORG, mappings.getOrg(), user.map(GeorchestraUser::getOrganization));
+                        add(headers, SEC_EMAIL, mappings.getEmail(), user.map(GeorchestraUser::getEmail));
+                        add(headers, SEC_FIRSTNAME, mappings.getFirstname(), user.map(GeorchestraUser::getFirstName));
+                        add(headers, SEC_LASTNAME, mappings.getLastname(), user.map(GeorchestraUser::getLastName));
+                        add(headers, SEC_TEL, mappings.getTel(), user.map(GeorchestraUser::getTelephoneNumber));
 
                         List<String> roles = user.map(GeorchestraUser::getRoles).orElse(List.of());
 
-                        add(headers, "sec-roles", mappings.getRoles(), roles);
+                        add(headers, SEC_ROLES, mappings.getRoles(), roles);
 
-                        add(headers, "sec-lastupdated", mappings.getLastUpdated(),
+                        add(headers, SEC_LASTUPDATED, mappings.getLastUpdated(),
                                 user.map(GeorchestraUser::getLastUpdated));
-                        add(headers, "sec-address", mappings.getAddress(), user.map(GeorchestraUser::getPostalAddress));
-                        add(headers, "sec-title", mappings.getTitle(), user.map(GeorchestraUser::getTitle));
-                        add(headers, "sec-notes", mappings.getNotes(), user.map(GeorchestraUser::getNotes));
-                        add(headers, "sec-ldap-remaining-days", Optional
+                        add(headers, SEC_ADDRESS, mappings.getAddress(), user.map(GeorchestraUser::getPostalAddress));
+                        add(headers, SEC_TITLE, mappings.getTitle(), user.map(GeorchestraUser::getTitle));
+                        add(headers, SEC_NOTES, mappings.getNotes(), user.map(GeorchestraUser::getNotes));
+                        add(headers, SEC_LDAP_REMAINING_DAYS, Optional
                                 .of(user.isPresent() && user.get().getLdapWarn() != null && user.get().getLdapWarn()),
                                 user.map(GeorchestraUser::getLdapRemainingDays));
+                        add(headers, SEC_EXTERNAL_AUTHENTICATION,
+                                Optional.of(user.isPresent() && user.get().getIsExternalAuth()), Optional.of("true"));
                     });
         };
     }