nikdoof/pocket-id
1
0
Fork 0
mirror of https://github.com/nikdoof/pocket-id.git synced 2025-12-13 23:02:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: only return user groups if it is explicitly requested

Browse Source
This commit is contained in:
Elias Schneider
2024-10-02 10:41:10 +02:00
parent 365734ec5d
commit a4a90a16a9
4 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -95,6 +95,7 @@ You may need the following information:
- **Certificate URL**: `https://<your-domain>/.well-known/jwks.json` - **Certificate URL**: `https://<your-domain>/.well-known/jwks.json`
- **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration` - **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration`
- **PKCE**: `false` as this is not supported yet. - **PKCE**: `false` as this is not supported yet.
- **Scopes**: At least `openid email`. Optionally you can add `profile` and `groups`.
### Proxy Services with Pocket ID ### Proxy Services with Pocket ID

14
backend/internal/service/oidc_service.go
View File

@@ -308,20 +308,22 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
user := authorizedOidcClient.User user := authorizedOidcClient.User
scope := authorizedOidcClient.Scope scope := authorizedOidcClient.Scope
userGroups := make([]string, len(user.UserGroups))
for i, group := range user.UserGroups {
userGroups[i] = group.Name
}
claims := map[string]interface{}{ claims := map[string]interface{}{
"sub": user.ID, "sub": user.ID,
"groups": userGroups,
} }
if strings.Contains(scope, "email") { if strings.Contains(scope, "email") {
claims["email"] = user.Email claims["email"] = user.Email
} }
if strings.Contains(scope, "groups") {
userGroups := make([]string, len(user.UserGroups))
for i, group := range user.UserGroups {
userGroups[i] = group.Name
}
claims["groups"] = userGroups
}
profileClaims := map[string]interface{}{ profileClaims := map[string]interface{}{
"given_name": user.FirstName, "given_name": user.FirstName,
"family_name": user.LastName, "family_name": user.LastName,

9
frontend/src/routes/authorize/+page.svelte
View File

@@ -9,7 +9,7 @@
import { getWebauthnErrorMessage } from '$lib/utils/error-util'; import { getWebauthnErrorMessage } from '$lib/utils/error-util';
import { startAuthentication } from '@simplewebauthn/browser'; import { startAuthentication } from '@simplewebauthn/browser';
import { AxiosError } from 'axios'; import { AxiosError } from 'axios';
import { LucideMail, LucideUser } from 'lucide-svelte'; import { LucideMail, LucideUser, LucideUsers } from 'lucide-svelte';
import { slide } from 'svelte/transition'; import { slide } from 'svelte/transition';
import type { PageData } from './$types'; import type { PageData } from './$types';
import ClientProviderImages from './components/client-provider-images.svelte'; import ClientProviderImages from './components/client-provider-images.svelte';
@@ -113,6 +113,13 @@
description="View your profile information" description="View your profile information"
/> />
{/if} {/if}
{#if scope!.includes('groups')}
<ScopeItem
icon={LucideUsers}
name="Groups"
description="View the groups you are a member of"
/>
{/if}
</div> </div>
</Card.Content> </Card.Content>
</Card.Root> </Card.Root>

2
frontend/src/routes/settings/admin/user-groups/user-group-form.svelte
View File

@@ -70,7 +70,7 @@
<div class="w-full"> <div class="w-full">
<FormInput <FormInput
label="Name" label="Name"
description={`Name that will be in the "userGroup" claim`} description={`Name that will be in the "groups" claim`}
bind:input={$inputs.name} bind:input={$inputs.name}
onInput={onNameInput} onInput={onNameInput}
/> />