teamcity-oauth
How to use mail, given_name, last_name and role claims
Hi
We would like to use the plugin for our federated login, where logged-in users have a first name, last name, email and roles. I did not see any configuration options to set the mapping from claims to the internally created user on login. Are there any plans to support this? Additionally, if users could be restricted to certain projects based on their roles, that would be very beneficial.
Although I'm not familiar with Java anymore, I think I could contribute the required bits because I'm pretty experienced with OpenID Connect and OAuth. Would you accept PRs in general?
Michael, @samuelmeierzuehlke
This plugin solves the authentication piece, not authorisation, so thanks to it we know who the user is, but not what they can do. When the user does not exist, it simply creates a user account with the id from the OAuth service, nothing more. The TeamCity API that we use is quite limited in what we can pass there. https://github.com/pwielgolaski/teamcity-oauth/blob/master/src/main/java/jetbrains/buildServer/auth/oauth/ServerPrincipalFactory.java#L40
You can still control which roles an account has in TeamCity, and you can use TeamCity to define which projects a specific user or role can access and what they can do. https://confluence.jetbrains.com/display/TCD10/Role+and+Permission
I'm happy to accept a PR if it solves this in a generic way and others could benefit from it.
Okay. How about creating the user like here: https://github.com/JetBrains/teamcity-github-auth/blob/master/src/main/java/org/jetbrains/teamcity/githubauth/GitHubOAuth.java#L104 based on the received claim values?
Configuration for the mapping could be done in the UI, so that an admin is able to define the claim names that shall be considered for
- principalName, currently based on "login, username, name" as shown in https://github.com/pwielgolaski/teamcity-oauth/blob/master/src/main/java/jetbrains/buildServer/auth/oauth/OAuthAuthenticationScheme.java#L25, which are not well-known claim names IMHO
- firstname
- lastname
Regarding roles: I don't want to build authorization in, but mapping to existing roles would be nice.
I changed the way the user is created, by fetching email and name from the OAuth provider. If you want to make some changes to support roles, a PR is welcome. At the moment I don't plan to develop this feature.
wow, cool. I'll test it asap and give you feedback! Thank you!
I'm also looking at this (by the way, thanks for a cracking plugin) and want to add role support. @michaelschnyder, when you said "but mapping to existing roles would be nice", how would you do the mapping? OAuth doesn't really provide any role-based logic (GitLab has a filter you can use to filter to a single pre-known org/group, but that's not quite the same).
I'm happy to look into this, I want to get this working one way or another, but I'm also conscious that, as far as this plugin is concerned, that might not be the most logical way to solve that particular problem.
I think we could try to follow some ideas from https://github.com/greggigon/TeamCity-Crowd-Plugin/blob/master/src/main/java/teamcity/crowd/plugin/loginmodule/LoggedInUserService.java
Hi all, we're now using the plugin on our build server in the cloud and it works pretty well! Thank you!
What we're missing is the ability to automatically assign users to roles that we've already configured in TC. So ideally, if the logged-in user has roles in their user profile, we would like to directly assign those roles to the user on every login.
Hi, do we have any sample of a response with roles?
And I guess also: are the roles you have in your user payload following some standard, or is that something you've hand-crafted into the payload for your own purposes?
I am currently trialling a version in a fork here: https://github.com/godspeed20/teamcity-oauth/blob/master/src/main/java/jetbrains/buildServer/auth/oauth/OAuthAuthenticationScheme.java which has another endpoint providing roles in this format {id: 'user123', roles: ['Project1', 'Project7']}, but we have a hand-crafted roles server (hence the fork). If there's some way to do this as a standard, that would be preferable.
That version will take the list of roles and then create missing ones or assign existing ones if they are there (and unassign ones no longer in the list, but not remove the role itself).
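To make the two ideas in this thread concrete (the admin-configurable claim-to-user mapping proposed earlier, and the role reconciliation that the fork above performs on every login), here is an added, stand-alone illustration in Python. It is not code from the plugin, the fork, or any commenter; the claim set, the mapping table and the in-memory user store are constructed for the example, and the claim names in the mapping are the ones named in the thread plus the standard OpenID Connect claim names (`preferred_username`, `given_name`, `family_name`, `email`). A real implementation would run this logic against the TeamCity user API instead of a dictionary.

```python
import json

# Constructed sample claim set, as an OIDC provider might return it from the
# userinfo endpoint. The "roles" claim is non-standard and provider-specific.
SAMPLE_CLAIMS_JSON = json.dumps({
    "sub": "a1b2c3",
    "preferred_username": "mschnyder",
    "given_name": "Michael",
    "family_name": "Schnyder",
    "email": "michael@example.test",
    "roles": ["Project1", "Project7"],
})

# Admin-configurable mapping: for each user attribute, the claim names to try,
# in order. The principal list starts with the plugin's current fallback names
# ("login, username, name") and adds the standard OIDC claims after them.
DEFAULT_MAPPING = {
    "principal_name": ["login", "username", "name", "preferred_username"],
    "first_name": ["given_name", "firstname", "first_name"],
    "last_name": ["family_name", "lastname", "last_name"],
    "email": ["email", "mail"],
    "roles": ["roles", "groups"],
}


def first_claim(claims, names):
    """Return the first non-empty claim value among the configured names."""
    for name in names:
        value = claims.get(name)
        if value not in (None, "", []):
            return value
    return None


def map_claims(claims, mapping=DEFAULT_MAPPING):
    """Translate a claim set into the user attributes the plugin would create."""
    principal = first_claim(claims, mapping["principal_name"])
    if principal is None:
        # Without a stable identifier we must not create an account at all.
        raise ValueError("no usable principal claim in token")
    roles = first_claim(claims, mapping["roles"]) or []
    if isinstance(roles, str):
        roles = roles.split()  # some providers send a space-delimited string
    return {
        "principal_name": str(principal),
        "first_name": first_claim(claims, mapping["first_name"]),
        "last_name": first_claim(claims, mapping["last_name"]),
        "email": first_claim(claims, mapping["email"]),
        "roles": sorted({str(r) for r in roles}),
    }


def reconcile_roles(current, desired, known_roles):
    """Diff current vs. desired assignments, as the fork described above does.

    Returns (to_assign, to_unassign, to_create). Roles the server does not know
    yet are reported for creation; unassigning never deletes a role definition.
    """
    cur, des = set(current), set(desired)
    return (sorted(des - cur), sorted(cur - des), sorted(des - set(known_roles)))


def sync_login(store, claims, mapping=DEFAULT_MAPPING):
    """Create or update the user record in `store` on every login.

    `store` is a constructed stand-in: {"users": {name: record}, "roles": set()}.
    """
    attrs = map_claims(claims, mapping)
    user = store["users"].setdefault(attrs["principal_name"], {"roles": []})
    for key in ("first_name", "last_name", "email"):
        if attrs[key] is not None:
            user[key] = attrs[key]
    assign, unassign, create = reconcile_roles(
        user["roles"], attrs["roles"], store["roles"])
    store["roles"].update(create)
    user["roles"] = sorted((set(user["roles"]) | set(assign)) - set(unassign))
    return user


if __name__ == "__main__":
    store = {"users": {}, "roles": {"Project1", "Project3"}}
    print(sync_login(store, json.loads(SAMPLE_CLAIMS_JSON)))
```

The reconciliation is deliberately a pure diff so that it can be unit-tested without a TeamCity server, and the principal lookup refuses to create an account when no configured claim is present rather than falling back to an empty or guessed name.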
I'd appreciate seeing this feature, too. :)