
Commit a226995

Fix: OAuth User to Role Mapping Fix (#742)
This PR adds fixes for: 1. the default role was not assigned to the OAuth user if the group does not exist; 2. the user name is now used instead of the id. Fixes #638, fixes #868.
1 parent 16c97a4 commit a226995


2 files changed

+23
-12
lines changed


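--- a/server/src/handlers/http/oidc.rs
+++ b/server/src/handlers/http/oidc.rs
@@ -139,24 +139,35 @@ pub async fn reply_login(
         return Ok(HttpResponse::Unauthorized().finish());
     };
     let username = user_info
-        .sub
+        .name
         .clone()
         .expect("OIDC provider did not return a sub which is currently required.");
     let user_info: user::UserInfo = user_info.into();
-
-    let group: HashSet<String> = claims
+    let mut group: HashSet<String> = claims
         .other
         .remove("groups")
         .map(serde_json::from_value)
         .transpose()?
-        .unwrap_or_else(|| {
-            DEFAULT_ROLE
-                .lock()
-                .unwrap()
-                .clone()
-                .map(|role| HashSet::from([role]))
-                .unwrap_or_default()
-        });
+        .unwrap_or_default();
+    let metadata = get_metadata().await?;
+    let mut role_exists = false;
+    for role in metadata.roles.iter() {
+        let role_name = role.0;
+        for group_name in group.iter() {
+            if group_name.eq(role_name) {
+                role_exists = true;
+                break;
+            }
+        }
+    }
+    if !role_exists || group.is_empty() {
+        group = DEFAULT_ROLE
+            .lock()
+            .unwrap()
+            .clone()
+            .map(|role| HashSet::from([role]))
+            .unwrap_or_default();
+    }
 
     // User may not exist
     // create a new one depending on state of metadata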
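Review bot: The username is now taken from the `name` claim (new line 142), which OIDC does not guarantee to be unique or stable, so two users with the same display name would resolve to the same account and a renamed user would become a new one, whereas `sub` was the stable identifier; the same choice is repeated in server/src/rbac/user.rs where `userid` is taken from `user_info.name`, and the `.expect(...)` message on the following line still says the provider did not return a `sub`. If the display name is wanted for presentation, keep `sub` as the identity key and carry `name` alongside it, or at minimum reword the message to `"OIDC provider did not return a name which is currently required."` so the failure is not misreported. The role check that follows only tests whether any group matches a configured role and then keeps every group, so a user whose groups contain one known role plus arbitrary unknown names has all of them stored on the user; `|| group.is_empty()` is also redundant, since an empty set can never set `role_exists`. A `retain` over the configured roles with the default-role fallback when nothing remains expresses the intent more directly, sketched below on the assumption that `metadata.roles` iterates as the hunk uses it. `reply_login` starts before the hunk and continues past it.
```rust
    let metadata = get_metadata().await?;
    // Keep only groups that correspond to a configured role; unknown group names
    // are dropped instead of being stored as roles on the user.
    group.retain(|group_name| metadata.roles.iter().any(|role| group_name == role.0));
    if group.is_empty() {
        group = DEFAULT_ROLE
            .lock()
            .unwrap()
            .clone()
            .map(|role| HashSet::from([role]))
            .unwrap_or_default();
    }
    // … unchanged: user lookup / creation …
```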

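--- a/server/src/rbac/user.rs
+++ b/server/src/rbac/user.rs
@@ -60,7 +60,7 @@ impl User {
     pub fn new_oauth(username: String, roles: HashSet<String>, user_info: UserInfo) -> Self {
         Self {
             ty: UserType::OAuth(OAuth {
-                userid: username,
+                userid: user_info.name.clone().unwrap_or(username),
                 user_info,
             }),
             roles,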
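Review bot: `username` is now only a fallback for a missing `user_info.name` (new line 63), but nothing in the signature says so, and the caller in server/src/handlers/http/oidc.rs already derives `username` from the same `name` claim, so in that path the fallback can never differ from the primary value. A doc comment on `new_oauth` such as `/// Builds an OAuth user keyed on user_info.name; username is used only when the provider sent no name.` would make the precedence explicit for other callers. The `.clone()` is needed because `user_info` is moved into the struct on the next line, which is worth a short why-comment. `new_oauth` continues past the hunk.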
