Claim-based login authorization #66

Open
smoehrle opened this issue Jan 28, 2023 · 1 comment

@smoehrle

Would it be possible to have an additional setting like "require_attribute"? Before the user can log in, it is checked if the required attribute is present in the claim. If this check fails, the user is not able to log in. This way not all users within a realm in your Keycloak would be able to access sonar.

(To the best of my knowledge) Currently our OIDC provider (Keycloak) can only authenticate and all users are automatically authorized to log in. There is no option to deny access to users within a realm. With this new option sonar could explicitly authorize users to connect to the service.

@tjuerge
Contributor

tjuerge commented May 7, 2023

This could be implemented in OidcIdentityProvider.callback() by checking the UserInfo's underlying ClaimSet for the existence of the "require_attribute" (via UserInfo.getClaim(config.getRequireAttribute())). If the claim is not present, the authentication workflow is stopped with an IllegalStateException.
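
A sketch of the check discussed in this thread, added here as an illustration and not taken from the plugin or from either commenter. `RequiredClaimGate`, its methods and the `sonar_access` claim name are hypothetical, and the claim set is modelled as a plain `Map` standing in for the `UserInfo.getClaim(...)` lookup mentioned above. It goes one step beyond a presence check by also treating null, `false`, blank and empty-list values as absent, which is an assumption about the desired policy.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Added illustration. RequiredClaimGate and its methods are hypothetical names;
// the claim set is modelled as a Map rather than the plugin's UserInfo object.
public class RequiredClaimGate {

    // True only if the claim exists and carries a usable value (assumed policy).
    static boolean hasUsableClaim(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        if (value == null) return false;                        // absent or JSON null
        if (value instanceof Boolean) return (Boolean) value;   // false must not grant access
        if (value instanceof String) return !((String) value).trim().isEmpty();
        if (value instanceof Collection) return !((Collection<?>) value).isEmpty();
        return true;
    }

    // Fail closed: abort the login when the configured claim is missing.
    static void requireClaim(Map<String, Object> claims, String requiredClaim) {
        if (requiredClaim == null || requiredClaim.trim().isEmpty()) {
            return; // setting not configured: every authenticated user may log in, as today
        }
        if (!hasUsableClaim(claims, requiredClaim)) {
            throw new IllegalStateException("Required claim '" + requiredClaim + "' not present, login denied");
        }
    }

    public static void main(String[] args) {
        // Constructed sample claim sets; "sonar_access" is a made-up claim name.
        Map<String, Object> granted = new HashMap<>();
        granted.put("sub", "alice");
        granted.put("sonar_access", Arrays.asList("developers"));
        Map<String, Object> missing = new HashMap<>();
        missing.put("sub", "bob");
        Map<String, Object> empty = new HashMap<>();
        empty.put("sub", "carol");
        empty.put("sonar_access", Collections.emptyList());

        for (Map<String, Object> claims : Arrays.asList(granted, missing, empty)) {
            try {
                requireClaim(claims, "sonar_access");
                System.out.println(claims.get("sub") + ": login continues");
            } catch (IllegalStateException e) {
                System.out.println(claims.get("sub") + ": " + e.getMessage());
            }
        }
    }
}
```

Leaving the setting unset keeps the current behaviour, so the gate only restricts access once an administrator names a claim that the identity provider is configured to emit for permitted users.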
