
OIDC: customize usernameProperty, add default role, use default_org, #9664

Open: wants to merge 3 commits into base branch 2.4
Conversation

ftoppi

@ftoppi ftoppi commented Apr 5, 2024

What does it do?

Add OIDC config setting username_property to define which claim to use. Defaults to email to keep the same behavior.
Add OIDC config setting default_role in case IdP does not send the claim roles_property AND IdP userInfo cannot be queried. Defaults to null to keep the same behavior.
Use OIDC config setting default_org in case IdP does not send the claim organization_property.
Does not fail if IdP userInfo cannot be queried.

Questions

  • Does it require a DB change? NO.
  • Are you using it in production? YES.
  • Does it require a change in the API (PyMISP for example)? NO.

Allow a custom field `username_property` in Config to not force `email`. The default stays `email`.
If `organisation_property` is not sent by the IdP, authentication fails even if `default_org` is set in Config.
…ht claim

Add `default_role` in Config to set a default role in case the IdP does not send the right claim.
@ftoppi ftoppi changed the title from "OIDC: add" to "OIDC: customize usernameProperty, add default role, use default_org," on Apr 5, 2024
@JakubOnderka JakubOnderka self-requested a review April 15, 2024 14:01
@JakubOnderka
Contributor

Can you please elaborate why b1fcdd7 is needed?

@ftoppi
Author

ftoppi commented Apr 15, 2024

> Can you please elaborate why b1fcdd7 is needed?

If IdP doesn't send the org property, the connection is immediately rejected even if a default org is configured. IMHO, "default org" should be used if none is sent by IdP.

@JakubOnderka
Contributor

Default organisation is set in

$defaultOrganisationId = $this->defaultOrganisationId();

So can you test it again?

@ftoppi
Author

ftoppi commented Apr 15, 2024

> Default organisation is set in
>
> $defaultOrganisationId = $this->defaultOrganisationId();
>
> So can you test it again?

MISP rejects the connection if IdP does not send org name:

$organisationId = $this->checkOrganization($organisationName, $organisationUuid, $mispUsername);
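The claim-to-user mapping the PR description and the thread above argue about (username taken from a configurable claim, `default_role` used when the roles claim is absent, `default_org` used when the organisation claim is absent rather than rejecting the login) can be expressed as one resolution function. The code below is an added example, not MISP's own OidcAuth code or the code in this PR's commits; the function name `resolveOidcUser`, the claim names in the sample token and the string role/org values are assumptions made for illustration, and only the config key names taken from the PR text (`username_property`, `roles_property`, `default_role`, `organisation_property`, `default_org`) are from the page.

```php
<?php
// Added example (not MISP's own code). Resolves a user identity from OIDC claims
// using the config keys discussed in the PR. A missing claim only falls back to
// the configured default; a present claim always wins, so an IdP that does send
// a role or org is never overridden by the default.

function resolveOidcUser(array $claims, array $config, ?array $userInfo = null): array
{
    // Merge userInfo into the ID-token claims only when it could be fetched;
    // a failed userInfo lookup is not fatal (matches "Does not fail if IdP
    // userInfo cannot be queried" from the PR description).
    $source = $userInfo ? array_merge($claims, $userInfo) : $claims;

    // username_property: which claim identifies the user. Defaults to 'email'
    // so existing deployments keep their current behaviour.
    $usernameProperty = $config['username_property'] ?? 'email';
    if (empty($source[$usernameProperty])) {
        throw new RuntimeException("Claim '$usernameProperty' missing; cannot identify user");
    }
    $username = (string) $source[$usernameProperty];

    // roles_property with default_role fallback. default_role defaults to null,
    // which keeps the old behaviour: no roles claim and no default means no access.
    $rolesProperty = $config['roles_property'] ?? 'roles';
    $roles = $source[$rolesProperty] ?? null;
    if (is_array($roles) && $roles !== []) {
        $role = array_values($roles)[0];          // assumption: first role wins
    } elseif (is_string($roles) && $roles !== '') {
        $role = $roles;
    } else {
        $role = $config['default_role'] ?? null;
    }
    if ($role === null) {
        throw new RuntimeException('No role claim and no default_role configured; access denied');
    }

    // organisation_property with default_org fallback: this is the case the PR
    // author reports as currently rejected even when default_org is configured.
    $orgProperty = $config['organisation_property'] ?? 'organization';
    $org = $source[$orgProperty] ?? ($config['default_org'] ?? null);
    if ($org === null) {
        throw new RuntimeException('No organisation claim and no default_org configured; access denied');
    }

    return ['username' => $username, 'role' => $role, 'org' => $org];
}

// Constructed sample: an IdP that sends preferred_username but neither a roles
// nor an organisation claim, and whose userInfo endpoint could not be queried.
$config = [
    'username_property'     => 'preferred_username',
    'roles_property'        => 'roles',
    'default_role'          => 'User',      // assumed least-privilege role name
    'organisation_property' => 'organization',
    'default_org'           => 'ORGNAME',   // placeholder organisation name
];
$claims = [
    'sub'                => 'abc123',
    'email'              => 'alice@example.org',
    'preferred_username' => 'alice',
];

print_r(resolveOidcUser($claims, $config, null));
// Expected: username 'alice', role 'User', org 'ORGNAME'.

// Without default_org the same claims are rejected, which is the behaviour
// the thread describes for the current checkOrganization() path.
try {
    resolveOidcUser($claims, ['username_property' => 'preferred_username', 'default_role' => 'User'], null);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design point worth keeping in mind when reviewing a change like this: `default_role` and `default_org` widen who can log in (anyone the IdP authenticates, even with an incomplete claim set), so they should map to the lowest-privilege role and to an organisation whose sharing groups and event visibility are acceptable for an unknown user, and the resolved role and org should be logged at login so an unexpected fallback is visible in the audit trail.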
