aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnton Tananaev <anton.tananaev@gmail.com>2023-04-03 14:39:55 -0700
committerGitHub <noreply@github.com>2023-04-03 14:39:55 -0700
commit61ea657e806c8412f23376ecc4f1e31025fc9bfc (patch)
tree1a0626c1db0cf02389f6b55bcd9767f232504130
parent2d92fa2473b2317f01b904a8f1afd83e7884d7c8 (diff)
parentcf992ec194ef8fbcd86ad170bdc68c6075712591 (diff)
downloadtrackermap-server-61ea657e806c8412f23376ecc4f1e31025fc9bfc.tar.gz
trackermap-server-61ea657e806c8412f23376ecc4f1e31025fc9bfc.tar.bz2
trackermap-server-61ea657e806c8412f23376ecc4f1e31025fc9bfc.zip
Merge pull request #5060 from dan-r/oidc-tweaks
Minor tweaks to OpenID Connect integration
-rw-r--r--src/main/java/org/traccar/api/security/LoginService.java6
-rw-r--r--src/main/java/org/traccar/config/Keys.java6
-rw-r--r--src/main/java/org/traccar/database/OpenIdProvider.java14
3 files changed, 19 insertions, 7 deletions
diff --git a/src/main/java/org/traccar/api/security/LoginService.java b/src/main/java/org/traccar/api/security/LoginService.java
index c7482a2e3..db9ed6cff 100644
--- a/src/main/java/org/traccar/api/security/LoginService.java
+++ b/src/main/java/org/traccar/api/security/LoginService.java
@@ -43,6 +43,7 @@ public class LoginService {
private final String serviceAccountToken;
private final boolean forceLdap;
+ private final boolean forceOpenId;
@Inject
public LoginService(
@@ -53,6 +54,7 @@ public class LoginService {
this.ldapProvider = ldapProvider;
serviceAccountToken = config.getString(Keys.WEB_SERVICE_ACCOUNT_TOKEN);
forceLdap = config.getBoolean(Keys.LDAP_FORCE);
+ forceOpenId = config.getBoolean(Keys.OPENID_FORCE);
}
public User login(String token) throws StorageException, GeneralSecurityException, IOException {
@@ -69,6 +71,10 @@ public class LoginService {
}
public User login(String email, String password) throws StorageException {
+ if (forceOpenId) {
+ return null;
+ }
+
email = email.trim();
User user = storage.getObject(User.class, new Request(
new Columns.All(),
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 707e9e815..3ff423ad1 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -665,12 +665,12 @@ public final class Keys {
/**
* OpenID Connect group to grant admin access.
- * Defaults to admins.
+ * If this is not provided, no groups will be granted admin access.
+ * This option will only work if your OpenID provider supports the groups scope.
*/
public static final ConfigKey<String> OPENID_ADMINGROUP = new StringConfigKey(
"openid.adminGroup",
- List.of(KeyType.CONFIG),
- "admins");
+ List.of(KeyType.CONFIG));
/**
* If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index f5c7eef15..537319b31 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -94,9 +94,15 @@ public class OpenIdProvider {
}
public URI createAuthUri() {
+ Scope scope = new Scope("openid", "profile", "email");
+
+ if (adminGroup != null) {
+ scope.add("groups");
+ }
+
AuthenticationRequest.Builder request = new AuthenticationRequest.Builder(
new ResponseType("code"),
- new Scope("openid", "profile", "email", "groups"),
+ scope,
clientId,
callbackUrl);
@@ -156,9 +162,9 @@ public class OpenIdProvider {
UserInfo userInfo = getUserInfo(bearerToken);
- User user = loginService.login(
- userInfo.getEmailAddress(), userInfo.getName(),
- userInfo.getStringListClaim("groups").contains(adminGroup));
+ Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+
+ User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);
request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId());
LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));