Merge pull request #5060 from dan-r/oidc-tweaks

Minor tweaks to OpenID Connect integration

3 files changed, 19 insertions, 7 deletions

diff --git a/src/main/java/org/traccar/api/security/LoginService.java b/src/main/java/org/traccar/api/security/LoginService.java
index c7482a2e3..db9ed6cff 100644
--- a/src/main/java/org/traccar/api/security/LoginService.java
+++ b/src/main/java/org/traccar/api/security/LoginService.java
@@ -43,6 +43,7 @@ public class LoginService {
 
     private final String serviceAccountToken;
     private final boolean forceLdap;
+    private final boolean forceOpenId;
 
     @Inject
     public LoginService(
@@ -53,6 +54,7 @@ public class LoginService {
         this.ldapProvider = ldapProvider;
         serviceAccountToken = config.getString(Keys.WEB_SERVICE_ACCOUNT_TOKEN);
         forceLdap = config.getBoolean(Keys.LDAP_FORCE);
+        forceOpenId = config.getBoolean(Keys.OPENID_FORCE);
     }
 
     public User login(String token) throws StorageException, GeneralSecurityException, IOException {
@@ -69,6 +71,10 @@ public class LoginService {
     }
 
     public User login(String email, String password) throws StorageException {
+        if (forceOpenId) {
+            return null;
+        }
+
         email = email.trim();
         User user = storage.getObject(User.class, new Request(
                 new Columns.All(),
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 707e9e815..3ff423ad1 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -665,12 +665,12 @@ public final class Keys {
 
     /**
      * OpenID Connect group to grant admin access.
-     * Defaults to admins.
+     * If this is not provided, no groups will be granted admin access.
+     * This option will only work if your OpenID provider supports the groups scope.
      */
     public static final ConfigKey<String> OPENID_ADMINGROUP = new StringConfigKey(
             "openid.adminGroup",
-            List.of(KeyType.CONFIG),
-            "admins");
+            List.of(KeyType.CONFIG));
 
     /**
      * If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index f5c7eef15..537319b31 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -94,9 +94,15 @@ public class OpenIdProvider {
     }
 
     public URI createAuthUri() {
+        Scope scope = new Scope("openid", "profile", "email");
+
+        if (adminGroup != null) {
+            scope.add("groups");
+        }
+
         AuthenticationRequest.Builder request = new AuthenticationRequest.Builder(
                 new ResponseType("code"),
-                new Scope("openid", "profile", "email", "groups"),
+                scope,
                 clientId,
                 callbackUrl);
 
@@ -156,9 +162,9 @@ public class OpenIdProvider {
 
             UserInfo userInfo = getUserInfo(bearerToken);
 
-            User user = loginService.login(
-                userInfo.getEmailAddress(), userInfo.getName(),
-                userInfo.getStringListClaim("groups").contains(adminGroup));
+            Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+
+            User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);
 
             request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId());
             LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));