Roles loading from LDAP for OAuth2 users #84

Merged
merged 3 commits into from
Dec 21, 2023

emmdurin
Contributor

No description provided.

@emmdurin emmdurin marked this pull request as draft November 23, 2023 09:15
@pmauduit
Member

pmauduit commented Dec 7, 2023

We actually have the same issue to fix with the PreAuthentication token (e.g. when the user is logged in via HTTP headers from another proxy in front of the gateway).

Maybe we could use both GeorchestraUser.getRoles() + authentication.getAuthorities() in the georchestra gateway filters instead (not really a fan of doing reflection on the object, but the possibilities are limited here, given the fact that the authorities object is final, and no accessor allows modifying it once the token has been created).

@pmauduit
Member

pmauduit commented Dec 8, 2023

Maybe we could use both GeorchestraUser.getRoles() + authentication.getAuthorities() in the georchestra gateway filters instead (not really a fan of doing reflection on the object, but the possibilities are limited here, given the fact that the authorities object is final, and no accessor allows modifying it once the token has been created).

This (merging getRoles + getAuthorities) is what is currently done in the following branch:
https://github.com/georchestra/georchestra-gateway/tree/gitlab_merge (named this way because the work was already done in DT's version of the gateway)

emmdurin and others added 2 commits December 12, 2023 20:57
Use a custom `ReactiveAuthorizationManager` to authorize
requests using both the `Authentication` object's granted
authorities and the `GeorchestraUser`'s (possibly) derived
role names.
@emmdurin
Contributor Author

emmdurin commented Dec 12, 2023

Thank you Pierre. I cherry-picked one commit from this branch; it is the minimum change required to solve our problem, as we do not need here to get roles from the OAuth2 provider, only roles coming from LDAP. However, the other changes in PR#89 are interesting; they are just out of scope here.

@emmdurin emmdurin merged commit bce93a4 into main Dec 21, 2023
3 checks passed
@groldan groldan deleted the oauth2_roles_loading branch December 29, 2023 16:06
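
The approach named in the commit message above, sketched as an added example (not the code merged in this pull request): a `ReactiveAuthorizationManager` that decides on the union of the token's granted authorities and the role names resolved for the user, without mutating the token. `ResolvedRoles` and `MergedRolesAuthorizationManager` are hypothetical names; `ResolvedRoles` stands in for however the gateway obtains `GeorchestraUser.getRoles()`, and role names are assumed to be compared verbatim (prefix included).

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

/** Hypothetical stand-in for the lookup of the LDAP-derived role names of the user. */
interface ResolvedRoles {
    List<String> rolesFor(Authentication authentication);
}

/** Grants access when any required role is in the token authorities OR the resolved roles. */
class MergedRolesAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {

    private final Set<String> anyOf;
    private final ResolvedRoles resolver;

    MergedRolesAuthorizationManager(ResolvedRoles resolver, String... requiredRoles) {
        this.resolver = resolver;
        // copyOf tolerates duplicate names in the varargs list
        this.anyOf = Set.copyOf(List.of(requiredRoles));
    }

    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext ctx) {
        return authentication
                .filter(Authentication::isAuthenticated)
                .map(this::effectiveRoles)
                .map(roles -> roles.stream().anyMatch(anyOf::contains))
                .map(AuthorizationDecision::new)
                // no (or unauthenticated) token: deny explicitly instead of falling through
                .defaultIfEmpty(new AuthorizationDecision(false));
    }

    /** Union of both sources; the token's own authority collection is left untouched. */
    private Set<String> effectiveRoles(Authentication auth) {
        Set<String> roles = new HashSet<>();
        for (GrantedAuthority authority : auth.getAuthorities()) {
            roles.add(authority.getAuthority());
        }
        roles.addAll(resolver.rolesFor(auth));
        return roles;
    }
}
```

Because the decision is computed from a fresh set on every request, the same manager covers OAuth2 and pre-authenticated tokens alike, and an empty result from the resolver can only narrow access to what the token already grants.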