
#4941 - Mapping OIDC groups to INCEpTION's internal roles

Open kzgrzendek opened this issue 6 months ago • 2 comments

What's in the PR

This PR contains the feature that allows mapping OAuth2 groups to INCEpTION roles, as described in the corresponding feature request.

How to test manually

  1. Run a local Keycloak, with a dedicated user and 4 groups associated with that user:
  • INCEPTION_ADMIN
  • INCEPTION_USER
  • INCEPTION_PROJECT_CREATOR
  • INCEPTION_REMOTE
  2. Add the following lines to your settings.properties file, inside your INCEpTION home directory:
    # OAuth2 groups mapping settings
    oauth2-groups.enabled=true
    oauth2-groups.admin=/INCEPTION_ADMIN
    oauth2-groups.user=/INCEPTION_USER
    oauth2-groups.project-creator=/INCEPTION_PROJECT_CREATOR
    oauth2-groups.remote=/INCEPTION_REMOTE

  3. Build and run an INCEpTION instance from this branch.
  4. Try to log in via OAuth2, and observe that the newly created user is bound to all the INCEpTION roles, as mapped in the settings.properties file. You can play with the mapping/groups to test the behavior.

Note:

  • The roles are mapped at the user's creation and at every connection.
  • If the feature is enabled and the user isn't in any group mapped to INCEpTION roles, an AccessDeniedException will be thrown.
  • The OAuth2AdaptaterImpl class was previously calling the PreAuthUtil class, whereas it's specified in the documentation that the External PreAuth feature isn't compatible with OAuth2 authentication. I made a dedicated OAuth2Utils class that contains a method that maps the OAuth2 groups if the mapping feature is enabled, or just adds the USER INCEpTION role to the user if the mapping feature is disabled.
  • Corresponding properties have been added with a native Spring Boot @Configuration annotation.

Automatic testing

  • The test class OAuth2UtilsTest contains a set of unit tests.
  • [x] PR includes unit tests

Documentation

  • I can do the documentation as well if the feature is validated.
  • [ ] PR updates documentation

I'm of course open to feedback and willing to modify the implementation if needed ;)

kzgrzendek avatar Aug 07 '24 18:08 kzgrzendek
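The mapping behaviour the PR description spells out (groups resolved against the `oauth2-groups.*` keys, plain USER role when the feature is off, access denied when it is on and no group matches) as an added, self-contained illustration; this is not the PR's own code, and the class, enum and method names are hypothetical. Only the property keys and group paths come from the description above.

```java
import java.util.Collection;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical illustration of the mapping rule, not INCEpTION's OAuth2Utils.
public class OAuth2GroupMappingExample {
    enum Role { ADMIN, USER, PROJECT_CREATOR, REMOTE }

    // Property keys exactly as listed in the PR's settings.properties snippet.
    static final Map<String, Role> PROPERTY_TO_ROLE = Map.of(
        "oauth2-groups.admin", Role.ADMIN,
        "oauth2-groups.user", Role.USER,
        "oauth2-groups.project-creator", Role.PROJECT_CREATOR,
        "oauth2-groups.remote", Role.REMOTE);

    // Stand-in for the exception the PR says is thrown when no group matches.
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Group values are compared exactly, including the leading "/" path that
    // Keycloak puts in its group claim; a bare "INCEPTION_ADMIN" would not match.
    static Set<Role> mapRoles(Map<String, String> props, Collection<String> userGroups) {
        boolean enabled = Boolean.parseBoolean(props.getOrDefault("oauth2-groups.enabled", "false"));
        if (!enabled) {
            return EnumSet.of(Role.USER);   // feature off: every OAuth2 login gets USER only
        }
        Set<Role> roles = EnumSet.noneOf(Role.class);
        for (Map.Entry<String, Role> e : PROPERTY_TO_ROLE.entrySet()) {
            String mappedGroup = props.get(e.getKey());
            if (mappedGroup != null && userGroups.contains(mappedGroup)) {
                roles.add(e.getValue());
            }
        }
        if (roles.isEmpty()) {              // deny by default: no mapped group, no login
            throw new AccessDeniedException("user is in no group mapped to an INCEpTION role");
        }
        return roles;
    }

    public static void main(String[] args) {
        Map<String, String> props = new LinkedHashMap<>();
        props.put("oauth2-groups.enabled", "true");
        props.put("oauth2-groups.admin", "/INCEPTION_ADMIN");
        props.put("oauth2-groups.user", "/INCEPTION_USER");
        props.put("oauth2-groups.project-creator", "/INCEPTION_PROJECT_CREATOR");
        props.put("oauth2-groups.remote", "/INCEPTION_REMOTE");
        // Constructed sample claim: a user who is in two of the four groups.
        System.out.println(mapRoles(props, List.of("/INCEPTION_USER", "/INCEPTION_PROJECT_CREATOR")));
        System.out.println(mapRoles(Map.of("oauth2-groups.enabled", "false"), List.of()));
    }
}
```

Passing a group list that matches none of the configured paths with the feature enabled triggers the exception branch, which is the case worth covering in a unit test alongside the happy path.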