How to restrict user logins properly #8928
Comments
Yeah, users not matching the filter will be completely invisible to ocis. But this is how the LDAP_USER_FILTER setting was supposed to work. Without the endless login loop, obviously.
[...]
Right. But we'll get there eventually.
Compose file to reproduce:
Tried to debug this yesterday and got a clue to some extent... not yet fully understood. But most important: web simply doesn't support the combination of
Just to clarify it a bit, from my side this was never intended to be a critical or security-related issue, but IMO having a properly working and documented way to limit access to a specific group of users is a very basic must-have feature to me, as nearly nobody wants to give access to all users of an organization to a tool.
@kulmann transfer to web?
Is your feature request related to a problem? Please describe.
Scenario: oCIS with external IDP + LDAP
As an admin, I want to restrict oCIS login to one/multiple dedicated LDAP groups, and it needs to work for the Web client as well as all native clients.
Describe the solution you'd like
Using LDAP user filter
What I have tried so far is to control this via the LDAP user filter in oCIS. This way, oCIS will only "see" users from those groups and only those users can log in:
Problems:
LDAP_USER_FILTER but allowed to log in to the IDP will end up in an ugly redirect loop
Using role mapping in the external IDP
From the Keycloak docs:
This way LDAP groups can be mapped to oCIS roles (user, admin, space-admin, etc.) and only users with a valid role will be able to log in. AFAIK, oCIS can't handle it yet. As a ref how it could work, we use this with Grafana already as described in the docs https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#role-mapping
Using Authorization in the external IDP
https://www.keycloak.org/docs/latest/authorization_services/
This way requires a confidential OIDC client, which is AFAIK not supported for Web.
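The two approaches the issue compares, a group-restricted LDAP user filter and an IDP role-to-ocis-role mapping, as an added illustration that is not code from the ocis project or from anyone in this thread. Function names (`GroupRestrictedUserFilter`, `ResolveRole`), the role mapping and the sample claim sets are assumptions made for the example; it assumes the directory exposes a `memberOf` attribute (an overlay that is not enabled on every LDAP server) and that Keycloak puts realm roles under the default `realm_access.roles` claim path. Where the token carries no mapped role the resolver returns `ok == false`, so a caller can answer with an error page instead of redirecting back to the IDP, which is the loop the issue describes.

```go
package main

import (
	"fmt"
	"strings"
)

// ldapEscape escapes a value for use inside an LDAP search filter (RFC 4515, section 3),
// so a group DN taken from configuration cannot change the filter's structure.
func ldapEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// GroupRestrictedUserFilter builds an LDAP user filter matching only members of the given
// groups (one or more DNs, OR-ed together). With no groups it is the plain objectClass
// filter, i.e. "everyone". Hypothetical helper, not an ocis API.
func GroupRestrictedUserFilter(objectClass string, groupDNs []string) string {
	oc := fmt.Sprintf("(objectClass=%s)", ldapEscape(objectClass))
	if len(groupDNs) == 0 {
		return oc
	}
	clauses := make([]string, 0, len(groupDNs))
	for _, dn := range groupDNs {
		clauses = append(clauses, fmt.Sprintf("(memberOf=%s)", ldapEscape(dn)))
	}
	groups := clauses[0]
	if len(clauses) > 1 {
		groups = "(|" + strings.Join(clauses, "") + ")"
	}
	return "(&" + oc + groups + ")"
}

// rolePrecedence lists the ocis role names the issue mentions, most privileged first;
// when a token carries several mapped roles the most privileged one wins.
var rolePrecedence = []string{"admin", "space-admin", "user"}

// lookupClaim walks a dotted path such as "realm_access.roles" through nested claim maps.
func lookupClaim(claims map[string]any, path string) (any, bool) {
	var cur any = claims
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// ResolveRole maps the IDP roles found at claimPath to an ocis role via mapping.
// ok == false means "no mapped role": deny with an error page (403), do not redirect to the IDP.
func ResolveRole(claims map[string]any, claimPath string, mapping map[string]string) (role string, ok bool) {
	raw, found := lookupClaim(claims, claimPath)
	if !found {
		return "", false
	}
	var idpRoles []string
	switch v := raw.(type) {
	case []any: // JSON arrays decode to []any
		for _, x := range v {
			if s, isStr := x.(string); isStr {
				idpRoles = append(idpRoles, s)
			}
		}
	case []string:
		idpRoles = v
	case string: // a single-valued claim
		idpRoles = []string{v}
	}
	granted := map[string]bool{}
	for _, r := range idpRoles {
		if ocisRole, mapped := mapping[r]; mapped {
			granted[ocisRole] = true
		}
	}
	for _, r := range rolePrecedence {
		if granted[r] {
			return r, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample input: one group DN and two decoded ID-token claim sets.
	fmt.Println(GroupRestrictedUserFilter("inetOrgPerson", []string{"cn=ocis-users,ou=groups,dc=example,dc=org"}))
	mapping := map[string]string{"ocis-admin": "admin", "ocis-user": "user"}
	member := map[string]any{"sub": "alice", "realm_access": map[string]any{"roles": []any{"ocis-user", "offline_access"}}}
	outsider := map[string]any{"sub": "bob", "realm_access": map[string]any{"roles": []any{"offline_access"}}}
	for _, c := range []map[string]any{member, outsider} {
		if role, ok := ResolveRole(c, "realm_access.roles", mapping); ok {
			fmt.Printf("%s: allowed as %s\n", c["sub"], role)
		} else {
			fmt.Printf("%s: denied, no mapped role (answer 403, do not redirect to the IDP)\n", c["sub"])
		}
	}
}
```

The filter half reproduces the visibility effect noted in the comments: a user outside the listed groups is not merely refused login, they do not exist as far as the directory backend is concerned, so sharing with them also stops working. The role half is the Grafana-style check the issue points to; the important design choice is that an unmapped user gets a terminal error response rather than another round trip to the IDP.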