Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minimalistic support for group filtering in oidc connector #3074

Merged
merged 3 commits into from
Oct 21, 2023
Merged

Minimalistic support for group filtering in oidc connector #3074

merged 3 commits into from
Oct 21, 2023

Conversation

mdpradeep
Copy link
Contributor

Overview

Filter users based on groups in OIDC connector.

What this PR does / why we need it

Currently it is not possible to filter users based on groups like it is done with the google connector. This PR is an attempt to support group filtering in the oidc connector. The connector configuration takes an additional configuration as below to specify what the allowed groups are. If the user's groups belong to at least one of the allowedGroups, then authentication will be successful. The other change is to indicate that the user does not belong to allowed groups if authentication fails because the user does not belong to any of the allowed groups.

{
            "name": "My-oidc",
            "config": {
                "issuer": "<ISSUER>",
                "clientID": "12345678",
                "redirectURI": "<Dex Callback>",
                "clientSecret": "12345678",
                "insecureSkipEmailVerified": true,
                "insecureEnableGroups": true,
                "getUserInfo": true,
                "allowedGroups": ["XYZ", "ABC"],
                "scopes": ....
            },
            "id": "myoidc",
            "type": "oidc"
        }

Special notes for your reviewer

Does this PR introduce a user-facing change?

NONE

sagikazarmark
sagikazarmark requested changes Aug 24, 2023
View reviewed changes
connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated Show resolved Hide resolved
server/handlers.go Outdated Show resolved Hide resolved
nabokihms
nabokihms requested changes Oct 20, 2023
View reviewed changes
Copy link
Member

@nabokihms nabokihms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Debug messages don't seem like a necessary addition. The better approach is, for example, to trace HTTP requests to providers and check returned bodies. Custom debug messages are blocking this PR.

connector/oidc/oidc.go Outdated Show resolved Hide resolved
@nabokihms
Copy link
Member

@mdpradeep, everything seems fine now according to the code and ready to be merged (when tests are successfully passed).

I'd like to take this feature to the upcoming v2.38.0 release, so waiting 🙂

@nabokihms nabokihms added release-note/new-feature Release note: Exciting New Features release-note/enhancement Release note: Enhancements and removed release-note/new-feature Release note: Exciting New Features labels Oct 20, 2023
@mdpradeep @nabokihms @sagikazarmark
Minimalistic support for group filtering in oidc connector
3f756e9 
Minimalistic support for group filtering in oidc connector

Signed-off-by: Pradeep Mudlapur <pradeep@juliacomputing.com>
Co-Authored-By: Maksim Nabokikh <max.nabokih@gmail.com>
Co-Authored-By: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
@mdpradeep
Fix rebase issue
b3e5bf5 
Signed-off-by: Pradeep Mudlapur <pradeep@juliacomputing.com>
@mdpradeep
Fix linter issue
522e0c9 
Signed-off-by: Pradeep Mudlapur <pradeep@juliacomputing.com>
nabokihms
nabokihms approved these changes Oct 21, 2023
View reviewed changes
Copy link
Member

@nabokihms nabokihms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really nice. Thank you, @mdpradeep, for your contribution!

@nabokihms nabokihms merged commit 415ddaa into dexidp:master Oct 21, 2023
9 checks passed
orange-hbenmabrouk pushed a commit to orange-hbenmabrouk/dex that referenced this pull request Oct 23, 2023
@mdpradeep @nabokihms
@sagikazarmark @orange-hbenmabrouk
Minimalistic support for group filtering in oidc connector (dexidp#3074)
302637e 
Signed-off-by: Pradeep Mudlapur <pradeep@juliacomputing.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
orange-hbenmabrouk pushed a commit to orange-hbenmabrouk/dex that referenced this pull request Oct 23, 2023
@mdpradeep @nabokihms
@sagikazarmark @orange-hbenmabrouk
Minimalistic support for group filtering in oidc connector (dexidp#3074)
2d862e8 
Signed-off-by: Pradeep Mudlapur <pradeep@juliacomputing.com>
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com>
Signed-off-by: Houssem Ben Mabrouk <houssem.benmabrouk.ext@orange.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nabokihms nabokihms nabokihms approved these changes

@sagikazarmark sagikazarmark Awaiting requested review from sagikazarmark

Assignees
No one assigned
Labels
release-note/enhancement Release note: Enhancements
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mdpradeep @nabokihms @sagikazarmark