This repository has been archived by the owner on Jul 3, 2020. It is now read-only.

Allow user to pass in the scope he wants returned #38

Open
xkjyeah opened this issue Jun 2, 2017 · 2 comments

Comments


xkjyeah commented Jun 2, 2017

Here's a sample of the fields available:

('CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
  {'accountExpires': ['9223372036854775807'],
   'badPasswordTime': ['131408687478170480'],
   'badPwdCount': ['0'],
   'cn': ['Daniel Sim'],
   'codePage': ['0'],
   'company': ['GovTech'],
   'countryCode': ['0'],
   'dSCorePropagationData': ['20160928023533.0Z',
    '20160928020831.0Z',
    '16010101000001.0Z'],
   'department': ['DSD'],
   'displayName': ['Daniel Sim'],
   'distinguishedName': ['CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'givenName': ['Daniel Sim'],
   'instanceType': ['4'],
   'lastLogoff': ['0'],
   'lastLogon': ['131408688359644108'],
   'lastLogonTimestamp': ['131408636685082554'],
   'lockoutTime': ['0'],
   'logonCount': ['0'],
   'mail': ['[email protected]'],
   'memberOf': ['CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
    'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'name': ['Daniel Sim'],
   'objectCategory': ['CN=Person,CN=Schema,CN=Configuration,DC=dsd,DC=example,DC=gov,DC=sg'],
   'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
   'objectGUID': ['P\xebV\xe5\xaebYB\xa5)\xf6\x93[ \x12^'],
   'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\xcf\x13\x90\n\xfe,\xe0\xb7y\x98\xa5\\\x04\x00\x00'],
   'physicalDeliveryOfficeName': ['X'],
   'primaryGroupID': ['513'],
   'pwdLastSet': ['131408636244939448'],
   'sAMAccountName': ['daniel_sim'],
   'sAMAccountType': ['805306368'],
   'uSNChanged': ['55404'],
   'uSNCreated': ['12915'],
   'userAccountControl': ['512'],
   'userPrincipalName': ['[email protected]'],
   'whenChanged': ['20170602075428.0Z'],
   'whenCreated': ['20160928020831.0Z']}),

If the user specifies scope=userPrincipalName,memberOf,mail, the JSON web token should also include the following fields:

{
    userPrincipalName: ['[email protected]'],
    memberOf: [
        'CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
        'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'
    ],
    mail: ['[email protected]']
}

This way, we can perform group checks without hitting the LDAP server.

Relevant line of code: https://github.com/lawliet89/rowdy/blob/master/src/auth/ldap.rs#L101
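The attribute selection and token-side group check this issue proposes, written here as an added example in Rust; it is not rowdy's code. `CLAIM_ALLOWLIST`, `select_claims`, `is_member_of` and the sample entry are assumptions, and the mail addresses are placeholders because the page's are redacted.

```rust
use std::collections::{BTreeMap, HashSet};

/// One directory entry as shown in the issue: attribute name -> list of values.
pub type LdapEntry = BTreeMap<String, Vec<String>>;

/// Attributes a token may carry (hypothetical list); objectSid, badPwdCount,
/// lockoutTime and the rest stay on the directory server.
pub const CLAIM_ALLOWLIST: &[&str] = &["userPrincipalName", "memberOf", "mail", "displayName"];

/// Copies the attributes named in the comma-separated `scope` out of `entry`. Naming
/// any attribute outside the allowlist rejects the whole request, so the parameter
/// cannot be used to pull arbitrary directory data into the token.
pub fn select_claims(entry: &LdapEntry, scope: &str) -> Result<LdapEntry, String> {
    let allowed: HashSet<&str> = CLAIM_ALLOWLIST.iter().copied().collect();
    let mut claims = LdapEntry::new();
    for name in scope.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        if !allowed.contains(name) {
            return Err(format!("attribute not exposable in a token: {}", name));
        }
        if let Some(values) = entry.get(name) { // absent attributes are simply omitted
            claims.insert(name.to_string(), values.clone());
        }
    }
    Ok(claims)
}

/// Group check a resource server can run on the memberOf claim without an LDAP
/// round trip; DNs compare case-insensitively, as Active Directory does.
pub fn is_member_of(claims: &LdapEntry, group_dn: &str) -> bool {
    claims.get("memberOf")
        .map(|groups| groups.iter().any(|g| g.eq_ignore_ascii_case(group_dn)))
        .unwrap_or(false)
}

fn attr(e: &mut LdapEntry, k: &str, v: &[&str]) {
    e.insert(k.to_string(), v.iter().map(|s| s.to_string()).collect());
}

/// Constructed entry with a subset of the issue's attributes; the addresses are
/// placeholders because the page's are redacted.
pub fn sample_entry() -> LdapEntry {
    let mut e = LdapEntry::new();
    attr(&mut e, "userPrincipalName", &["daniel_sim@example.invalid"]);
    attr(&mut e, "mail", &["daniel_sim@example.invalid"]);
    attr(&mut e, "memberOf", &["CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg",
        "CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg"]);
    attr(&mut e, "badPwdCount", &["0"]);
    e
}
```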

lawliet89 (Owner)

The scope parameter is not meant for specific use with LDAP. It was meant for specifying the resources that the user intends to access with the token. I'll see how I can do this in another manner.


xkjyeah commented Jun 5, 2017 via email
