From a16da3bef30b26cbf813526dee817538b99d9d6e Mon Sep 17 00:00:00 2001
From: Dan
Date: Mon, 3 Apr 2023 21:30:28 +0100
Subject: Support providers who do not provide the groups scope

---
 src/main/java/org/traccar/config/Keys.java             | 6 +++---
 src/main/java/org/traccar/database/OpenIdProvider.java | 14 ++++++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 707e9e815..3ff423ad1 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -665,12 +665,12 @@ public final class Keys {
 
     /**
      * OpenID Connect group to grant admin access.
-     * Defaults to admins.
+     * If this is not provided, no groups will be granted admin access.
+     * This option will only work if your OpenID provider supports the groups scope.
      */
     public static final ConfigKey OPENID_ADMINGROUP = new StringConfigKey(
             "openid.adminGroup",
-            List.of(KeyType.CONFIG),
-            "admins");
+            List.of(KeyType.CONFIG));
 
     /**
      * If no data is reported by a device for the given amount of time, status changes from online to unknown. Value is
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index f5c7eef15..537319b31 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -94,9 +94,15 @@ public class OpenIdProvider {
     }
 
     public URI createAuthUri() {
+        Scope scope = new Scope("openid", "profile", "email");
+
+        if (adminGroup != null) {
+            scope.add("groups");
+        }
+
         AuthenticationRequest.Builder request = new AuthenticationRequest.Builder(
             new ResponseType("code"),
-            new Scope("openid", "profile", "email", "groups"),
+            scope,
             clientId,
             callbackUrl);
 
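Review bot: Dropping the `"admins"` default from `OPENID_ADMINGROUP` silently revokes OIDC-granted admin rights on upgrade for any deployment that relied on the implicit group and never set `openid.adminGroup`, and neither the new Javadoc nor the commit message says so. Failing closed is the right direction for an admin grant, but the migration needs to be stated where operators will read it; I would add to the Javadoc `* Earlier releases defaulted this to "admins"; set it explicitly to keep granting admin access to that group.` and repeat it in the release notes. It is also worth saying in the same comment that the value is matched exactly against the entries of the provider's groups claim, so case and formatting must match what the provider emits — that is how the comparison in OpenIdProvider reads, if I follow it correctly.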
@@ -156,9 +162,9 @@ public class OpenIdProvider {
 
         UserInfo userInfo = getUserInfo(bearerToken);
 
-        User user = loginService.login(
-            userInfo.getEmailAddress(), userInfo.getName(),
-            userInfo.getStringListClaim("groups").contains(adminGroup));
+        Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+
+        User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);
 
         request.getSession().setAttribute(SessionResource.USER_ID_KEY, user.getId());
         LogAction.login(user.getId(), ServletHelper.retrieveRemoteAddress(request));
-- 
cgit v1.2.3

From cf992ec194ef8fbcd86ad170bdc68c6075712591 Mon Sep 17 00:00:00 2001
From: Dan
Date: Mon, 3 Apr 2023 22:22:20 +0100
Subject: Block login when openid is forced

---
 src/main/java/org/traccar/api/security/LoginService.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/main/java/org/traccar/api/security/LoginService.java b/src/main/java/org/traccar/api/security/LoginService.java
index c7482a2e3..db9ed6cff 100644
--- a/src/main/java/org/traccar/api/security/LoginService.java
+++ b/src/main/java/org/traccar/api/security/LoginService.java
@@ -43,6 +43,7 @@ public class LoginService {
     private final String serviceAccountToken;
     private final boolean forceLdap;
+    private final boolean forceOpenId;
 
     @Inject
     public LoginService(
@@ -53,6 +54,7 @@ public class LoginService {
         this.ldapProvider = ldapProvider;
         serviceAccountToken = config.getString(Keys.WEB_SERVICE_ACCOUNT_TOKEN);
         forceLdap = config.getBoolean(Keys.LDAP_FORCE);
+        forceOpenId = config.getBoolean(Keys.OPENID_FORCE);
     }
 
     public User login(String token) throws StorageException, GeneralSecurityException, IOException {
@@ -69,6 +71,10 @@ public class LoginService {
     }
 
     public User login(String email, String password) throws StorageException {
+        if (forceOpenId) {
+            return null;
+        }
+
         email = email.trim();
         User user = storage.getObject(User.class, new Request(
             new Columns.All(),
-- 
cgit v1.2.3
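Review bot: `userInfo.getStringListClaim("groups")` is still dereferenced unguarded whenever `adminGroup` is configured, so a provider that accepts the `groups` scope request but omits the claim from UserInfo (or a user who belongs to no groups) will, if the Nimbus getter returns null for an absent claim as I believe it does, throw a NullPointerException and fail the whole login instead of merely withholding admin. The commit title promises support for providers without the groups scope, but this hunk only covers the case where the operator leaves `openid.adminGroup` unset. I would fail closed on a missing claim: `List<String> groups = userInfo.getStringListClaim("groups");` followed by `boolean administrator = adminGroup != null && groups != null && groups.contains(adminGroup);` (import `java.util.List` if it is not already), which also replaces the boxed `Boolean` with the primitive the `login` parameter presumably takes. The enclosing method begins before this hunk, so where `bearerToken` comes from is not visible here.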
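Review bot: The new `forceOpenId` guard covers only the email/password overload of `login`; the `login(String token)` overload visible as context in the constructor hunk (the service-account and API-token path) is left untouched, so if "block login when openid is forced" is meant to make the IdP the sole authentication path, token logins still bypass it — confirm whether that is intended and record the decision on the field: `// Rejects password login only; token-based login(String) remains available.` Returning null here presumably mirrors the existing not-found return further down this method (which continues past the hunk), but it is indistinguishable from a wrong password to the caller and leaves no trace, so a debug-level log that password login was refused because `openid.force` is set would help operators diagnose lockouts. Note the check deliberately precedes `email.trim()`, so the early return is safe for a null email as well.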