
Custom claim support #90

Closed
wants to merge 16 commits into from

Conversation

@artagel (Contributor) commented Apr 2, 2019

This branch adds the following capabilities:

  • Parsing of 'claims' from OIDC providers into a new map in the userstruct called MappedClaims
  • A claims config item to allow a user to specify which claims they would like to store (instead of storing all claims)
  • A globalClaimWhiteList config item to allow users to set global whitelists based on anything in the user struct, including custom mapped claims (This may be able to replace the whiteList option, since we can also globally check authorization based on username/email since it is in the user struct)
  • An authorization config item to allow users to set authorization per host(application) being proxied by anything in the user struct, including custom claims.
  • An addition to the headers config item called mappedClaims that allows a user to map the values of claims into headers passed to nginx. This now provides complete dynamic header->claim mapping for users. ( I believe this fixes Passing original JWT through as a header #43, Not able set additional claims to Ngnix proxy header #80, and Other data from IdP call to be made available in headers #27).

I have not been able to test the claims parsing for IndieAuth, Google, or GitHub. But it has been tested for generic OIDC (using Keycloak) and ADFS.
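The claim selection and the global/per-host authorization checks described above, as an added Go sketch that is not the PR's or Vouch Proxy's code; the Config and User shapes, the field names, the use of preferred_username, and the rule that a host with no rules of its own is governed by the global whitelist alone are all assumptions:

```go
package main
import "fmt"
// Hypothetical config shapes modelled on the PR description, not Vouch Proxy's real types.
type Config struct {
	Claims               []string                       // claims to copy into MappedClaims
	GlobalClaimWhiteList map[string][]string            // user field -> allowed values, all hosts
	Authorization        map[string]map[string][]string // host -> user field -> allowed values
}
type User struct {
	Username, Email string
	MappedClaims    map[string]string
}
// mapClaims stores only the configured claims from the raw OIDC claim set.
func mapClaims(cfg Config, raw map[string]interface{}) User {
	u := User{MappedClaims: map[string]string{}}
	u.Username, _ = raw["preferred_username"].(string)
	u.Email, _ = raw["email"].(string)
	for _, name := range cfg.Claims {
		if v, ok := raw[name]; ok {
			u.MappedClaims[name] = fmt.Sprint(v) // stringify non-string claims too
		}
	}
	return u
}
// field resolves a built-in user field or a mapped claim by name.
func (u User) field(name string) (string, bool) {
	v, ok := map[string]string{"username": u.Username, "email": u.Email}[name]
	if !ok {
		v, ok = u.MappedClaims[name]
	}
	return v, ok
}
// match passes only if every rule names a field whose value is in its allowed list.
func match(u User, rules map[string][]string) bool {
	for name, allowed := range rules {
		v, ok := u.field(name)
		hit := false
		for _, a := range allowed {
			hit = hit || a == v
		}
		if !ok || !hit {
			return false
		}
	}
	return true
}
// authorized checks the global whitelist, then the host's rules (a host with none is global-only).
func authorized(cfg Config, u User, host string) bool {
	return match(u, cfg.GlobalClaimWhiteList) && match(u, cfg.Authorization[host])
}
```

A missing claim, an empty allowed list, or a value outside the list all deny, so a misconfigured rule fails closed rather than open.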

@artagel (Contributor, Author) commented Apr 5, 2019

Any questions on this one?

@bnfinet (Member) commented Apr 5, 2019

@artagel thanks for the contribution and the nudge. I very much appreciate the interest in Vouch Proxy and the effort in improving the code base.

I've been considering how best to respond to this. I'd like to work with you to split this PR into several discrete items.

I see these features, each of which should be separated out...

  • /validate returns headers with claims
  • /validate authorization per host based on claims in jwt
  • globalClaimWhiteList for any claim
  • configure which claims to store

However, even before we get to the code, I'd like to discuss the concepts with you in separate issues and talk about design in both code and config. In general for concepts of this impact it'd be best to propose functionality before coding an implementation.

Please do open issues for each of these concepts. It's tempting to discuss those concepts here and direct you towards other code and thought that has already been conducted, but that's better done in an issue. That will also make it easier to draw in other contributors to the project and solicit their opinion on the design.

I'm going to close this PR for now.

But let me be clear, I do appreciate what you're heading towards here and I look forward to working with you to add this functionality to Vouch Proxy.

@RainerGanss commented

@bnfinet would it be possible to link the created issues to this one? This is the first google hit and I could not find the corresponding issues unfortunately.

@bnfinet (Member) commented Aug 28, 2020

I think #102 #95 and #97 are relevant

Successfully merging this pull request may close these issues.

Passing original JWT through as a header