Pass OIDC bearer token to prelogin hook

[marcelvanwaaijen]

Hi,

I want to use sftpgo as an sftp solution for users to upload files to specific project folders. To make sure the users can only access the project folders they have access to, I need to use the authentication token returned from the OIDC authentication in the prelogin hook.

The prelogin hook will then connect to a web api with the authentication token and retrieve the list of project folders that are available to the user, which I then can use in the permission settings for the SFTPGo user permissions.

I was hoping that the token would be copied to the 'password' field of the json-serialized user that is passed in the SFTPGO_LOGIND_USER environment variable, but that is not the case...

Is there any other way to get the token in my prelogin hook?

Thanks,

[fostermi]

If you use groups mapped to virtual folders, you can add an OIDC claim of "groups" and add "groups" to the list of scopes in your http binding, then those will be passed by the SFTPGO_LOGIND_USER json. Then you can parse that to update your user-to-group mappings.

[marcelvanwaaijen]

I thought about that, but the OIDC provider already has a concept of groups which cannot be mapped to the folders and I can't control the OIDC provider's claims further.

For Prometheus we are using the same OIDC system and there the token is passed to the plugin system, so we can utilize the system's api in Prometheus. It would be nice if SFTPGo would be able to also pass the token to the hooks (maybe through the password field of the SFTPGO_LOGIND_USER json object), so the sftpgo system can be integrated...