
Allow custom claim parser during OIDC login procedure for teams resolution

Open otbe opened this issue 1 year ago • 2 comments

Current Behavior

Right now we can configure ALPINE_OIDC_TEAMS_CLAIM and specify the claim that carries the group/team association of a person that logs in. This currently only works if this claim is a list of strings. Certain environments do not support this properly; for example, if you connect an Azure AD to AWS Cognito and then sign in via OIDC into Dependency Track, the original AD groups are mapped to a claim like "custom:groups", however Cognito only supports strings there. That means we end up with ID token claims like this:

{
  "cognito:groups": ["cognitoCreatedGroupForAllUsers"],
  "custom:groups": "[uuid1, uuid2, uuid3]"
}

I would like to be able to make use of our "custom:groups" claim to map it to DT teams at the end.

Proposed Behavior

I can imagine two ways of solving this.

  1. Create a way to allow users to inject custom claim parsers. If this would be a regular java library one could create an interface and let people register custom parsers for arbitrary fields. I have a hard time imagining how this could be achieved in the current docker based distribution.

  2. Create a special "relaxedGroupClaimParser" flag. This could be implemented in a way that

  • if it's a list of strings, then continue as before
  • if it's a string, then trim it, remove [], split it by ",", trim the result list (stuff like this)

Checklist

otbe avatar Jul 01 '24 18:07 otbe

Create a special "relaxedGroupClaimParser" flag.

We could introduce a strategy flag for this, such that users can switch between different strategies, and we can add more over time if required, without having to add new boolean flags for all of them.

I do agree that custom parsers that are to be provided via custom JARs are unnecessary and too unwieldy here.

nscuro avatar Jul 02 '24 08:07 nscuro
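A sketch of the strategy-flag approach discussed in the issue and in the comment above, added here as an illustration; it is not code from Alpine or Dependency-Track. The class, enum and strategy names are hypothetical, and it needs Java 16+ for pattern-matching `instanceof`:

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example (hypothetical, not Alpine's code): strategy-based team claim parsing. */
public final class TeamClaimParser {
    /** Hypothetical strategies a single config flag could select instead of new booleans. */
    public enum Strategy { STRICT, RELAXED }

    /**
     * Turns the raw value of the configured teams claim into team names.
     * claimValue is a List of strings (the current, standard case) or, under
     * RELAXED, also a stringified list such as "[uuid1, uuid2, uuid3]".
     */
    public static List<String> parse(Object claimValue, Strategy strategy) {
        if (claimValue == null) {
            return Collections.emptyList();
        }
        if (claimValue instanceof List<?> list) {
            // Existing behaviour: keep only non-blank string elements.
            List<String> teams = new ArrayList<>();
            for (Object element : list) {
                if (element instanceof String s && !s.isBlank()) {
                    teams.add(s.trim());
                }
            }
            return teams;
        }
        if (strategy == Strategy.RELAXED && claimValue instanceof String raw) {
            String s = raw.trim();
            if (s.startsWith("[") && s.endsWith("]")) {
                s = s.substring(1, s.length() - 1); // drop one pair of surrounding brackets
            }
            List<String> teams = new ArrayList<>();
            for (String part : s.split(",")) {
                String name = part.trim();
                // Tolerate quoted elements; drop empties so "[]" or ", ," never yields a team "".
                if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\"")) {
                    name = name.substring(1, name.length() - 1).trim();
                }
                if (!name.isEmpty()) {
                    teams.add(name);
                }
            }
            return teams;
        }
        return Collections.emptyList(); // STRICT with a non-list value: no teams, as today
    }
}
```

With the Cognito token from the issue, `parse("[uuid1, uuid2, uuid3]", Strategy.RELAXED)` yields `[uuid1, uuid2, uuid3]`, while `Strategy.STRICT` keeps today's behaviour and resolves no teams from a string-valued claim.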

Note, the code that maps claims lives here in Alpine: https://github.com/stevespringett/Alpine/blob/05660dc52bbbd926133b84fac8295d386013c551/alpine-server/src/main/java/alpine/server/auth/OidcAuthenticationService.java#L128-L135

nscuro avatar Jul 02 '24 08:07 nscuro