Add groups and roles to OIDC requested scopes #1847
Closed
TerrifiedBug wants to merge 2 commits into TechnitiumSoftware:master from
Standards-compliant OIDC providers (e.g. PocketID) gate the groups and roles claims on the corresponding scopes being requested at /authorize. The client currently sends only "openid profile email", so those claims are never returned and SsoGroupMap is dead code on such providers. The claim parser already accepts "groups", "roles" and ClaimTypes.Role in WebServiceAuthApi.cs; this only makes the OIDC client request them.
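To make the scope-gating behaviour described above concrete, here is an added Python illustration (not Technitium's code): a hypothetical provider releases optional claims only for the scopes that were requested, and a client-side mapper resolves groups from the three claim names the description lists. The user record, the scope-to-claim table and the group map are constructed values.

```python
# Added illustration of scope-gated claims vs. client group mapping.
# The OP, user record and group map below are constructed, not real.

# Claim names the client parser accepts; the URI is the value that
# .NET's ClaimTypes.Role expands to.
GROUP_CLAIM_NAMES = (
    "groups",
    "roles",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
)

# Constructed user at a hypothetical OP and the claims each scope unlocks.
OP_USER = {"sub": "user-123", "name": "Alice",
           "email": "alice@example.test", "groups": ["dns-admins", "staff"]}
SCOPE_TO_CLAIMS = {"openid": ["sub"], "profile": ["name"],
                   "email": ["email"], "groups": ["groups"]}

# Constructed stand-in for an SsoGroupMap: provider group -> local group.
SSO_GROUP_MAP = {"dns-admins": "Administrators"}


def op_issue_claims(requested_scopes: str) -> dict:
    """Release only claims whose scope was requested; a scope this OP does
    not know (e.g. 'roles') is ignored rather than rejected."""
    claims = {}
    for scope in requested_scopes.split():
        for claim in SCOPE_TO_CLAIMS.get(scope, []):
            claims[claim] = OP_USER[claim]
    return claims

def client_groups(claims: dict) -> list:
    """Collect values from every accepted group claim name; a scalar claim
    (common for a single role) is treated as a one-item list."""
    groups = []
    for name in GROUP_CLAIM_NAMES:
        value = claims.get(name)
        if isinstance(value, str):
            groups.append(value)
        elif value is not None:
            groups.extend(value)
    return groups

def map_to_local_groups(groups: list, group_map: dict) -> set:
    """Translate provider groups to local ones; unmapped values are dropped."""
    return {group_map[g] for g in groups if g in group_map}

def login(requested_scopes: str) -> set:
    """End to end: requested scopes -> gated claims -> local groups."""
    claims = op_issue_claims(requested_scopes)
    return map_to_local_groups(client_groups(claims), SSO_GROUP_MAP)
```

With only `openid profile email` requested the provider never releases a groups claim, so the mapping is empty; adding `groups roles` to the request makes the same map resolve.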
Accidentally removed openid.
Member
Thanks for the PR. Have fixed this issue with v15.0.1 release.
Summary

The OIDC client only requests `openid profile email`. Standards-compliant OIDC providers (PocketID, and any OP that follows the RFC convention of gating optional claims on scopes) therefore never return a `groups` (or `roles`) claim, so `SsoLoginFinalizeAsync` sees an empty claim set and `SsoGroupMap` lookups never match. The result is that the SSO group-mapping feature is effectively dead code on RFC-strict providers.

Fix

Add `groups` and `roles` to the requested scopes in the `AddOpenIdConnect` configuration in `DnsServerCore/DnsWebService.cs`. The claim parser at `DnsServerCore/WebServiceAuthApi.cs` already accepts `"groups"`, `"roles"` and `ClaimTypes.Role` — only the request side needed changing. Standards-compliant OPs silently ignore unknown scopes, so requesting both is safe across providers using either convention (PocketID/Authentik/Keycloak typically use `groups`; Azure AD / some Okta deployments use `roles`).

Diff

Two lines in `DnsServerCore/DnsWebService.cs` only:

```diff
  options.Scope.Add("openid");
  options.Scope.Add("profile");
  options.Scope.Add("email");
+ options.Scope.Add("groups");
+ options.Scope.Add("roles");
```

Fixes #1845
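Review bot: the two added `options.Scope.Add("groups")` / `options.Scope.Add("roles")` lines hard-code both scopes for every provider, and the description's safety argument ("Standards-compliant OPs silently ignore unknown scopes") is not guaranteed by the spec: an authorization server may instead reject an unrecognised scope with an `invalid_scope` error, which would break login on such a provider. Consider exposing the additional scopes as a configurable setting (defaulting to `groups` and `roles`) so an administrator can trim the list for a strict OP, and documenting the new scopes next to the existing SSO group-mapping settings.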