add OIDC_GROUPS_CLAIM config var

grycap · Nov 8, 2024 · c0a914c · c0a914c
1 parent 86b0363
commit c0a914c
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/IM/InfrastructureManager.py b/IM/InfrastructureManager.py
@@ -1434,10 +1434,7 @@ def check_oidc_token(im_auth):
 
                 if Config.OIDC_GROUPS:
                     # Get user groups from any of the possible fields
-                    user_groups = userinfo.get('groups',  # Generic
-                                               userinfo.get('entitlements',  # GEANT
-                                                            userinfo.get('eduperson_entitlement',  # EGI Check-in
-                                                                         [])))
+                    user_groups = userinfo.get(Config.OIDC_GROUPS_CLAIM, [])
 
                     if not set(Config.OIDC_GROUPS).issubset(user_groups):
                         raise InvaliddUserException("Invalid InfrastructureManager credentials. " +

diff --git a/IM/config.py b/IM/config.py
@@ -107,6 +107,7 @@ class Config:
     OIDC_USER_INFO_PATH = "/userinfo"
     OIDC_INSTROSPECT_PATH = "/introspect"
     OIDC_GROUPS = []
+    OIDC_GROUPS_CLAIM = "groups"
     VM_NUM_USE_CTXT_DIST = 30
     DELAY_BETWEEN_VM_RETRIES = 5
     VERIFI_SSL = False

diff --git a/etc/im.cfg b/etc/im.cfg
@@ -145,6 +145,8 @@ OIDC_ISSUERS = https://aai.egi.eu/auth/realms/egi
 #OIDC_INSTROSPECT_PATH = "/introspect"
 # List of OIDC groups that will be allowed to access the IM service
 #OIDC_GROUPS =
+# Claim where the groups are stored in the OIDC token
+# OIDC_GROUPS_CLAIM = groups
 # Force the users to pass a valid OIDC token
 #FORCE_OIDC_AUTH = False