From c0a914c6af0540438f0c47cbd8f87d9e1830ab40 Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Fri, 8 Nov 2024 08:53:35 +0100
Subject: [PATCH] add OIDC_GROUPS_CLAIM config var
---
 IM/InfrastructureManager.py | 5 +----
 IM/config.py | 1 +
 etc/im.cfg | 2 ++
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/IM/InfrastructureManager.py b/IM/InfrastructureManager.py
index c7adc89f..ff3213a4 100644
--- a/IM/InfrastructureManager.py
+++ b/IM/InfrastructureManager.py
@@ -1434,10 +1434,7 @@ def check_oidc_token(im_auth):
 if Config.OIDC_GROUPS:
 # Get user groups from any of the possible fields
- user_groups = userinfo.get('groups', # Generic
- userinfo.get('entitlements', # GEANT
- userinfo.get('eduperson_entitlement', # EGI Check-in
- [])))
+ user_groups = userinfo.get(Config.OIDC_GROUPS_CLAIM, [])
 if not set(Config.OIDC_GROUPS).issubset(user_groups):
 raise InvaliddUserException("Invalid InfrastructureManager credentials. " +
diff --git a/IM/config.py b/IM/config.py
index 3f5c9602..80478fa2 100644
--- a/IM/config.py
+++ b/IM/config.py
@@ -107,6 +107,7 @@ class Config:
 OIDC_USER_INFO_PATH = "/userinfo"
 OIDC_INSTROSPECT_PATH = "/introspect"
 OIDC_GROUPS = []
+ OIDC_GROUPS_CLAIM = "groups"
 VM_NUM_USE_CTXT_DIST = 30
 DELAY_BETWEEN_VM_RETRIES = 5
 VERIFI_SSL = False
diff --git a/etc/im.cfg b/etc/im.cfg
index 6e1d5ff5..ab6037c3 100644
--- a/etc/im.cfg
+++ b/etc/im.cfg
@@ -145,6 +145,8 @@ OIDC_ISSUERS = https://aai.egi.eu/auth/realms/egi
 #OIDC_INSTROSPECT_PATH = "/introspect"
 # List of OIDC groups that will be allowed to access the IM service
 #OIDC_GROUPS =
+# Claim where the groups are stored in the OIDC token
+# OIDC_GROUPS_CLAIM = groups
 # Force the users to pass a valid OIDC token
 #FORCE_OIDC_AUTH = False
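Review bot: The configured claim's value goes unchecked into `set(Config.OIDC_GROUPS).issubset(user_groups)` on the next line, so a claim that is not a list — a provider that returns a single group as a string, or a claim present with a `null` value, which `userinfo.get(..., [])` hands back as `None` if userinfo is a plain dict — is either compared character by character or raises `TypeError` instead of the intended `InvaliddUserException`; the removed fallbacks had the same gap, but now that the claim is operator-chosen it is worth normalising with `if isinstance(user_groups, str): user_groups = [user_groups]` followed by `user_groups = user_groups or []`. The context comment `# Get user groups from any of the possible fields` is stale now that only one claim is read; suggest `# Get user groups from the claim configured in OIDC_GROUPS_CLAIM`. Dropping the automatic `entitlements` / `eduperson_entitlement` fallbacks means deployments that relied on them will deny every user until `OIDC_GROUPS_CLAIM` is set — fail-closed, so acceptable, but that should be stated in the commit message or changelog. check_oidc_token starts and ends outside the hunk.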
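Review bot: The new sample line `# OIDC_GROUPS_CLAIM = groups` is written as `# KEY = value` while its neighbours `#OIDC_GROUPS =` and `#FORCE_OIDC_AUTH = False` use `#KEY`, so an operator uncommenting it has to guess whether the leading space is significant; suggest `#OIDC_GROUPS_CLAIM = groups` for consistency. Since this setting replaces the automatic fallback to other claim names, the comment should name them so existing deployments know what to set, e.g. `# Claim of the OIDC userinfo that holds the user groups (e.g. groups, entitlements, eduperson_entitlement)`. It is also worth saying that the claim is expected to hold a list of group names, as InfrastructureManager.py compares it against OIDC_GROUPS with a subset check.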