Diffstat (limited to 'src/main/java')
-rw-r--r--src/main/java/org/traccar/config/Keys.java9
-rw-r--r--src/main/java/org/traccar/database/OpenIdProvider.java10
2 files changed, 18 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 3ed6c6026..363d4a472 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -673,6 +673,15 @@ public final class Keys {
List.of(KeyType.CONFIG));
/**
+ * OpenID Connect group to restrict access to.
+ * If this is not provided, all OpenID users will have access to Traccar.
+ * This option will only work if your OpenID provider supports the groups scope.
+ */
+ public static final ConfigKey<String> OPENID_ALLOWGROUP = new StringConfigKey(
+ "openid.allowGroup",
+ List.of(KeyType.CONFIG));
+
+ /**
* OpenID Connect group to grant admin access.
* If this is not provided, no groups will be granted admin access.
* This option will only work if your OpenID provider supports the groups scope.
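Review bot: The Javadoc added for OPENID_ALLOWGROUP does not state that members of the admin group are admitted even when they are not in the allow group, which is how OpenIdProvider evaluates it in this same commit (`administrator || allowGroup == null || userGroups.contains(allowGroup)`). An operator reading only this key would reasonably expect the allow group to be the sole gate. Add a line to the doc such as `* Users in the group configured by {@link #OPENID_ADMINGROUP} are granted access regardless of this setting.` so the two options' interaction is documented where the key is declared.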
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index 2b0f9d290..370876ed9 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -30,6 +30,7 @@ import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse.BodyHandlers;
import java.security.GeneralSecurityException;
+import java.util.List;
import java.util.Map;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
@@ -76,6 +77,7 @@ public class OpenIdProvider {
private URI userInfoUrl;
private URI baseUrl;
private final String adminGroup;
+ private final String allowGroup;
private LoginService loginService;
@@ -129,6 +131,7 @@ public class OpenIdProvider {
}
adminGroup = config.getString(Keys.OPENID_ADMINGROUP);
+ allowGroup = config.getString(Keys.OPENID_ALLOWGROUP);
}
public URI createAuthUri() {
@@ -200,7 +203,12 @@ public class OpenIdProvider {
UserInfo userInfo = getUserInfo(bearerToken);
- Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+ List<String> userGroups = userInfo.getStringListClaim("groups");
+ Boolean administrator = adminGroup != null && userGroups.contains(adminGroup);
+
+ if (!(administrator || allowGroup == null || userGroups.contains(allowGroup))) {
+ throw new GeneralSecurityException("Your OpenID Groups do not permit access to Traccar.");
+ }
User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);