-rw-r--r--src/main/java/org/traccar/config/Keys.java6
-rw-r--r--src/main/java/org/traccar/database/OpenIdProvider.java14
2 files changed, 13 insertions, 7 deletions
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 707e9e815..3ff423ad1 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -665,12 +665,12 @@ public final class Keys {
/**
* OpenID Connect group to grant admin access.
- * Defaults to admins.
+ * If this is not provided, no groups will be granted admin access.
+ * This option will only work if your OpenID provider supports the groups scope.
*/
public static final ConfigKey<String> OPENID_ADMINGROUP = new StringConfigKey(
"openid.adminGroup",
- List.of(KeyType.CONFIG),
- "admins");
+ List.of(KeyType.CONFIG));
/**
* If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is
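Review bot: The new Javadoc on openid.adminGroup does not mention that the key previously defaulted to "admins" (the removed default on the old third argument), so an existing deployment that never set the key will silently stop granting admin access after upgrading. Failing closed is the right direction for an authorization setting, but the doc comment is where an operator will look first. Consider adding a line such as ` * Earlier releases defaulted this to "admins"; set it explicitly to keep that behaviour.` after the sentence about no groups being granted admin access.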
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index f5c7eef15..537319b31 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -94,9 +94,15 @@ public class OpenIdProvider {
}
public URI createAuthUri() {
+ Scope scope = new Scope("openid", "profile", "email");
+
+ if (adminGroup != null) {
+ scope.add("groups");
+ }
+
AuthenticationRequest.Builder request = new AuthenticationRequest.Builder(
new ResponseType("code"),
- new Scope("openid", "profile", "email", "groups"),
+ scope,
clientId,
callbackUrl);
@@ -156,9 +162,9 @@ public class OpenIdProvider {
UserInfo userInfo = getUserInfo(bearerToken);
- User user = loginService.login(
- userInfo.getEmailAddress(), userInfo.getName(),
- userInfo.getStringListClaim("groups").contains(adminGroup));
+ Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+
+ User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);
request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId());
LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
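Review bot: The added `administrator` line still calls `.contains(adminGroup)` directly on `userInfo.getStringListClaim("groups")`, so if the provider omits the claim and that accessor returns null for absent claims (as the Nimbus UserInfo API appears to), a configured adminGroup with a provider that ignores the groups scope fails with a NullPointerException instead of a clean non-admin login; the Keys Javadoc in this same commit already anticipates exactly that provider mismatch. Suggest `List<String> groups = userInfo.getStringListClaim("groups");` followed by `boolean administrator = adminGroup != null && groups != null && groups.contains(adminGroup);`, which also drops the boxed `Boolean` for a value that is never null. The enclosing method starts and ends outside this hunk.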