
Added OPENID_CONNECT_ROLE_FIELD

Open beckerr-rzht opened this issue 3 years ago • 3 comments

Authentication via OpenID Connect is extended to allow user roles to be specified.

Description

An environment variable OPENID_CONNECT_ROLE_FIELD can be used to define which claim is used to set the user's role. The handling is similar to the LDAP authentication, where the environment variable LDAP_ROLE_FIELD is used.

Testing Steps

First the OpenID server must be extended with a claim roles. This is then added to the scope public so that it is transmitted during authentication.

beckerr-rzht avatar Oct 13 '21 17:10 beckerr-rzht

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information

sonarqubecloud[bot] avatar Oct 13 '21 19:10 sonarqubecloud[bot]

As mentioned in #2946 we need to validate this also solves some other large deployments we know are already in production, and perhaps cover the case of mapping roles and other arguments.

jfederico avatar Oct 14 '21 14:10 jfederico

It would be good if this feature were merged into master. However, it will overwrite the pre-existing roles. An example: an admin user logged in via openid_connect who also has the roles in bbb and openid_connect: "rule-denied-room-creation" will then get this role assigned and will lose admin rights. To prevent this it is necessary that at least admin roles are excluded from that:

# app/models/concerns/auth_values.rb
unless auth['info']['roles'].nil?
  roles = auth['info']['roles'].split(' ')

  role_provider = auth['provider'] == "bn_launcher" ? auth['info']['customer'] : "greenlight"
  roles.each do |role_name|
    logger.info("[DEBUG] user has role: #{role_name}")
    role = Role.find_by(provider: role_provider, name: role_name)
    # Only assign roles that exist for this provider, and never touch a user
    # who already holds admin or super_admin.
    user.set_role(role_name) if !role.nil? && !user.has_role?(role_name) && !user.has_role?("admin") && !user.has_role?("super_admin")
  end
end

see && !user.has_role?("admin") && !user.has_role?("super_admin")

Also, the default roles.split(',') is maybe not useful for every provider. This could also be achieved via an ENV value which can be set in the .env settings file.

flyinghuman avatar Feb 03 '22 15:02 flyinghuman
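The two points raised in this thread, reading the role claim named by an environment variable (the PR description) and not letting that claim silently demote an existing admin or force one separator on every provider (flyinghuman's comment), can be shown together in one self-contained piece of Ruby. This is an added example, not Greenlight's code or the PR's diff: the variable name OPENID_CONNECT_ROLE_SEPARATOR, the helper names, the PROTECTED_ROLES list and the sample auth hash are all assumptions made for the illustration. It only mirrors the shape of the hash an OmniAuth strategy returns, and stands in for the Role lookup with a plain list of known role names.

```ruby
# Added example (not Greenlight's code): pick the role claim named by an
# environment variable and map its values onto locally known roles.
# The auth hash shape mirrors what OmniAuth strategies return; the variable
# OPENID_CONNECT_ROLE_SEPARATOR, PROTECTED_ROLES and all helper names are
# assumptions for this illustration.
require 'set'

# Roles that a claim from the identity provider must never take away.
PROTECTED_ROLES = %w[admin super_admin].freeze

# Locate the configured claim in the OmniAuth auth hash. A custom claim may be
# surfaced under info/ or under extra/raw_info depending on the strategy
# mapping, so check both. A missing or empty field name means "no role claim".
def role_claim(auth, role_field)
  return nil if role_field.nil? || role_field.empty?
  info = auth.fetch('info', {})
  raw  = auth.fetch('extra', {}).fetch('raw_info', {})
  info[role_field] || raw[role_field]
end

# Turn the raw claim into a list of role names. Accept an array (some IdPs emit
# one) or a delimited string; the delimiter is configurable because providers
# disagree on ',' versus ' '. Blank entries and duplicates are dropped.
def roles_from_claim(value, separator: ',')
  return [] if value.nil?
  list = value.is_a?(Array) ? value.map(&:to_s) : value.to_s.split(separator)
  list.map(&:strip).reject(&:empty?).uniq
end

# Decide which roles to apply. Only roles that exist locally are honoured (an
# unknown name in the claim is ignored, never created), and a user who already
# holds a protected role keeps it instead of being demoted by whatever the
# claim contains. Returns [roles_to_set, skipped] so the caller can log both.
def resolve_roles(claimed, current_roles, known_roles)
  current = Set.new(current_roles)
  known   = Set.new(known_roles)
  return [[], claimed] if current.intersect?(Set.new(PROTECTED_ROLES))

  to_set  = claimed.select { |r| known.include?(r) && !current.include?(r) }
  skipped = claimed - to_set
  [to_set, skipped]
end

# End-to-end: read the claim name and separator from the environment, the way
# LDAP_ROLE_FIELD is read for LDAP. `env` is injectable so the example can be
# exercised without touching the real process environment.
def roles_to_assign(auth, current_roles, known_roles, env = ENV)
  field   = env['OPENID_CONNECT_ROLE_FIELD']
  sep     = env.fetch('OPENID_CONNECT_ROLE_SEPARATOR', ',')
  claimed = roles_from_claim(role_claim(auth, field), separator: sep)
  resolve_roles(claimed, current_roles, known_roles)
end

# Constructed sample: an id_token whose custom claim landed under raw_info and
# carries one known role plus one name that does not exist locally.
SAMPLE_AUTH = {
  'provider' => 'openid_connect',
  'info'     => { 'email' => 'alice@example.org' },
  'extra'    => { 'raw_info' => { 'roles' => 'rule-denied-room-creation bogus' } }
}.freeze

if $PROGRAM_NAME == __FILE__
  env   = { 'OPENID_CONNECT_ROLE_FIELD' => 'roles', 'OPENID_CONNECT_ROLE_SEPARATOR' => ' ' }
  known = %w[user admin rule-denied-room-creation]
  p roles_to_assign(SAMPLE_AUTH, ['user'], known, env)   # plain user: role applied, "bogus" skipped
  p roles_to_assign(SAMPLE_AUTH, ['admin'], known, env)  # admin: nothing applied, claim reported as skipped
end
```

The protected-role check is deliberately conservative: it refuses to change an admin at all rather than trying to merge claim roles with admin rights, because a role claim an IdP administrator can edit should not be able to alter who administers the Greenlight instance. Whether unknown role names should be logged as a misconfiguration or ignored silently is a policy decision the caller makes with the second return value.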