Every time the OIDC middleware sees a new access token (i.e when it needs
to update the userinfo cache) we consider that as a new login. In this case
the middleware add a new flag to the context, which is then used by the
accountresolver middleware to publish a UserSignedIn event.
The event needs to be sent by the accountresolver middleware, because only
at that point we know the user id of the user that just logged in.
(It would probably makes sense to merge the auth and account middleware into a
single component to avoid passing flags around via context)
Add support for autoprovisioning group memberships from OIDC claims.
Users are added to and removed from groups based on the value of an OIDC
claim. If a group does not exist, it is created.
Closes: #5538
* extract and test role claim parsing
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add failing test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* read segmented roles claim as array and string
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* reuse more code by extracting WalkSegments
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add TestSplitWithEscaping
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* docs and error for unhandled case
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add claims test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add missing ReadStringClaim docs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
This moves the lookup and the creation of the users' role assignemt out
of the user backend into its own interface. This makes the user backend
a bit simpler and allows to provide different implemenation for the user
role assignment more easily.
This removes the "withRoles" flag from the GetUserByClaims lookup and move the
functionality into a separate method. This should make the code a bit more readable
in preparation for maintaining the RoleAssignments from OIDC claims.
