diff options
author | Anton Tananaev <anton.tananaev@gmail.com> | 2023-04-03 14:39:55 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-03 14:39:55 -0700 |
commit | 61ea657e806c8412f23376ecc4f1e31025fc9bfc (patch) | |
tree | 1a0626c1db0cf02389f6b55bcd9767f232504130 /src | |
parent | 2d92fa2473b2317f01b904a8f1afd83e7884d7c8 (diff) | |
parent | cf992ec194ef8fbcd86ad170bdc68c6075712591 (diff) | |
download | trackermap-server-61ea657e806c8412f23376ecc4f1e31025fc9bfc.tar.gz trackermap-server-61ea657e806c8412f23376ecc4f1e31025fc9bfc.tar.bz2 trackermap-server-61ea657e806c8412f23376ecc4f1e31025fc9bfc.zip |
Merge pull request #5060 from dan-r/oidc-tweaks
Minor tweaks to OpenID Connect integration
Diffstat (limited to 'src')
-rw-r--r-- | src/main/java/org/traccar/api/security/LoginService.java | 6 | ||||
-rw-r--r-- | src/main/java/org/traccar/config/Keys.java | 6 | ||||
-rw-r--r-- | src/main/java/org/traccar/database/OpenIdProvider.java | 14 |
3 files changed, 19 insertions, 7 deletions
diff --git a/src/main/java/org/traccar/api/security/LoginService.java b/src/main/java/org/traccar/api/security/LoginService.java index c7482a2e3..db9ed6cff 100644 --- a/src/main/java/org/traccar/api/security/LoginService.java +++ b/src/main/java/org/traccar/api/security/LoginService.java @@ -43,6 +43,7 @@ public class LoginService { private final String serviceAccountToken; private final boolean forceLdap; + private final boolean forceOpenId; @Inject public LoginService( @@ -53,6 +54,7 @@ public class LoginService { this.ldapProvider = ldapProvider; serviceAccountToken = config.getString(Keys.WEB_SERVICE_ACCOUNT_TOKEN); forceLdap = config.getBoolean(Keys.LDAP_FORCE); + forceOpenId = config.getBoolean(Keys.OPENID_FORCE); } public User login(String token) throws StorageException, GeneralSecurityException, IOException { @@ -69,6 +71,10 @@ public class LoginService { } public User login(String email, String password) throws StorageException { + if (forceOpenId) { + return null; + } + email = email.trim(); User user = storage.getObject(User.class, new Request( new Columns.All(), diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java index 707e9e815..3ff423ad1 100644 --- a/src/main/java/org/traccar/config/Keys.java +++ b/src/main/java/org/traccar/config/Keys.java @@ -665,12 +665,12 @@ public final class Keys { /** * OpenID Connect group to grant admin access. - * Defaults to admins. + * If this is not provided, no groups will be granted admin access. + * This option will only work if your OpenID provider supports the groups scope. */ public static final ConfigKey<String> OPENID_ADMINGROUP = new StringConfigKey( "openid.adminGroup", - List.of(KeyType.CONFIG), - "admins"); + List.of(KeyType.CONFIG)); /** * If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java index f5c7eef15..537319b31 100644 --- a/src/main/java/org/traccar/database/OpenIdProvider.java +++ b/src/main/java/org/traccar/database/OpenIdProvider.java @@ -94,9 +94,15 @@ public class OpenIdProvider { } public URI createAuthUri() { + Scope scope = new Scope("openid", "profile", "email"); + + if (adminGroup != null) { + scope.add("groups"); + } + AuthenticationRequest.Builder request = new AuthenticationRequest.Builder( new ResponseType("code"), - new Scope("openid", "profile", "email", "groups"), + scope, clientId, callbackUrl); @@ -156,9 +162,9 @@ public class OpenIdProvider { UserInfo userInfo = getUserInfo(bearerToken); - User user = loginService.login( - userInfo.getEmailAddress(), userInfo.getName(), - userInfo.getStringListClaim("groups").contains(adminGroup)); + Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup); + + User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator); request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId()); LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request)); |