Conversation
|
Hello! Thanks for contribution, it looks like a very nice improvement to the OpenID-based user management and I'm going to check it out soon. |
psrok1
left a comment
psrok1
left a comment
There was a problem hiding this comment.
Hello,
In addition to the specific comments, I have a few general notes:
- MWDB Core supports multiple OpenID Providers. In the case of our public instance (mwdb.cert.pl), not all providers should be allowed to manage groups. Currently, these settings are global and apply to all providers. Would it be possible to make this configurable per provider?
- It would also be helpful to clearly indicate to the MWDB administrator when a group has been created by an OpenID Provider and is therefore managed under the MIXED setting.
If you’re not comfortable working on the frontend part, I would still greatly appreciate implementing the necessary backend changes.
| workspace = db.Column(db.Boolean, nullable=False, default=True) | ||
| immutable = db.Column(db.Boolean, nullable=False, default=False) | ||
|
|
||
| # External Group comming from openid provider |
There was a problem hiding this comment.
| # External Group comming from openid provider | |
| # External group created by OpenID Provider |
| db.ForeignKey("openid_provider.name"), | ||
| nullable=True, | ||
| default=None, | ||
| ) |
There was a problem hiding this comment.
It would be better if FK is set to openid_provider.id because id is the PK (even if name has unique constraint). I see why name was chosen - only name is passed to mwdb.core.oauth.provider.OpenIDProvider object and create_user_groups requires reference to the provider entity. I think it would be better to change the interface of OpenIDProvider object interface instead.
| """ | ||
| return "Registered via OpenID Connect protocol" | ||
|
|
||
| def create_user_groups(self, group_names: list[str]) -> list["Group"]: |
There was a problem hiding this comment.
If we need reference to OpenIDProvider model object to provide a proper foreign key to the group, maybe it would be better to pass it as an argument to this function?
There was a problem hiding this comment.
I move all the group creations (provider specifc group and user groups) into the oauth resource
| "is_oidc_registration_enabled": ( | ||
| app_config.mwdb.enable_oidc_registration | ||
| ), | ||
| "is_oidc_groups_enabled": (app_config.mwdb.enable_oidc_groups), |
There was a problem hiding this comment.
This change is not required. /api/server is used for passing configuration values that are meaningful for client (Web UI or CLI). Right now client doesn't need that information so I would not add it. The change in scheme itself is also missing.
| - MIXED: The OIDC users are only added and removed to the MWDB groups linked to the current OIDC provider. | ||
| It means that a user will keep his local groups whatever the content of his OIDC Token. |
There was a problem hiding this comment.
If I understand the code correctly - in MIXED mode, group is synchronized with OpenID only when it was created by OpenID because the linking is only in OpenIDProvider.create_user_groups. If that's the case, I think that the word "created" better than "linked" describes what is actually managed by MIXED setting.
That behavior is simple but is also a bit limiting because there is no other way to add user to existing groups other than setting FULL mode. Maybe we should allow adding to the groups not created by OpenID if they're matching the regex filter but without removing and without "linking"?
If we want to change that, I think that removing the linking requirement in this part would be enough, but I'm not 100% sure for now.
for new_user_group in new_user_groups:
# Mixed mode
# Add only user to openid groups linked to the current provider
if (
app_config.mwdb.oidc_groups_mode == OIDCGroupManagementMode.MIXED
and new_user_group.openid_provider_name != provider_settings.name
):
continueIt's also better to left it unlinked as it is.
There was a problem hiding this comment.
I didn't want to allow external users to be automatically added to "sensitive" local groups.
For example if the external group names are directly mapped to the internal names it can be a problem.
If the user is in the external admin group it will be automatically added to the admin group of mwdb.
But I guess that the in most of the cases the external groups will be prefixed by something (provider name?)
|
Hello |
Yes it is really better |
dev-cti
force-pushed
the
feature/oidc_groups_management
branch
from
3058ba2 to
6f172ed
Compare
2 participants
Your checklist for this pull request
What is the current behaviour?
The user groups potentially returned during the OIDC login are not used
What is the new behaviour?
The user groups are automatically managed from the groups listed in the OIDC Token.
If these groups don't exist yet, there are automatically created.
The OIDC groups can be filtered using regex to be able to target specific groups if needed
And the group names can be modfied between OIDC and MWDB
Two modes are defined to control how the user groups are finally defined.
It allow "mixed" mode where you can manage user groups with OIDC groups and MWDB groups without conflict
The modes are defined as follow:
The user is added to OIDC groups, default groups, private group, specific provider group and previously added MWDB groups
The user is added to OIDC groups, default groups, private group, specific provider group and removed from previously added MWDB groups
Test plan
Enable the oidc_groups feature and configure your keycloak to return the groups into the OIDC Token.
Configuration:
oidc_groups: 1
oidc_groups_mode: MIXED (default)
oidc_groups_match_pattern: (.*) (default)
oidc_groups_replace_pattern: \1 (default)
Configuration:
oidc_groups: 1
oidc_groups_mode: FULL (default)
oidc_groups_match_pattern: (.*) (default)
oidc_groups_replace_pattern: \1 (default)
The regex filtering and mapping feature using the configuration variables oidc_groups_match_pattern and oidc_groups_replace_pattern has also been tested
Closing issues
closes #1029