diff options
-rw-r--r-- | src/main/java/org/traccar/config/Keys.java | 6 | ||||
-rw-r--r-- | src/main/java/org/traccar/database/OpenIdProvider.java | 14 |
2 files changed, 13 insertions, 7 deletions
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java index 707e9e815..3ff423ad1 100644 --- a/src/main/java/org/traccar/config/Keys.java +++ b/src/main/java/org/traccar/config/Keys.java @@ -665,12 +665,12 @@ public final class Keys { /** * OpenID Connect group to grant admin access. - * Defaults to admins. + * If this is not provided, no groups will be granted admin access. + * This option will only work if your OpenID provider supports the groups scope. */ public static final ConfigKey<String> OPENID_ADMINGROUP = new StringConfigKey( "openid.adminGroup", - List.of(KeyType.CONFIG), - "admins"); + List.of(KeyType.CONFIG)); /** * If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java index f5c7eef15..537319b31 100644 --- a/src/main/java/org/traccar/database/OpenIdProvider.java +++ b/src/main/java/org/traccar/database/OpenIdProvider.java @@ -94,9 +94,15 @@ public class OpenIdProvider { } public URI createAuthUri() { + Scope scope = new Scope("openid", "profile", "email"); + + if (adminGroup != null) { + scope.add("groups"); + } + AuthenticationRequest.Builder request = new AuthenticationRequest.Builder( new ResponseType("code"), - new Scope("openid", "profile", "email", "groups"), + scope, clientId, callbackUrl); @@ -156,9 +162,9 @@ public class OpenIdProvider { UserInfo userInfo = getUserInfo(bearerToken); - User user = loginService.login( - userInfo.getEmailAddress(), userInfo.getName(), - userInfo.getStringListClaim("groups").contains(adminGroup)); + Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup); + + User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator); request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId()); LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request)); |