OIDC Authentication and groups

Viewed 63 times

Gabriela

20 Mar 2023, 17:10:07
to DSpace Technical Support
Hello,

We successfully enabled the OIDC Authentication but I do not see a way to automatically assign new accounts created with OIDC Authentication to a group.

Gabriela

Gabriela

21 Mar 2023, 0:27:49
to DSpace Technical Support
Am I missing something, or is there no way to automatically add new users (created with OIDC Authentication) to a group?

Thank you
G

Mark H. Wood

21 Mar 2023, 10:08:19
to dspac...@googlegroups.com
On Mon, Mar 20, 2023 at 09:27:49PM -0700, Gabriela wrote:
> Am I missing something or there is no way to automatically add new users
> (created with OIDC Authentication) to a group ?

It seems that you are not missing anything: the OIDC authenticator
code always returns an empty list of "special groups." It should be a
very small matter to implement a simple static list of special groups,
but no one has done so.

See also:
https://github.com/DSpace/DSpace/issues/8406
https://github.com/DSpace/DSpace/issues/8405
concerning the more complex problem of mapping OIDC roles to DSpace groups.

> On Monday, March 20, 2023 at 3:10:07 PM UTC-6 Gabriela wrote:
>
> > Hello,
> >
> > We successfully enabled the OIDC Authentication but I do not see a way to
> > automatically assign new accounts created with OIDC Authentication to a
> > group.
> >
> > Gabriela
> >
> >


--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Mark H. Wood

21 Mar 2023, 10:26:47
to dspac...@googlegroups.com
On Tue, Mar 21, 2023 at 10:08:13AM -0400, Mark H. Wood wrote:
> On Mon, Mar 20, 2023 at 09:27:49PM -0700, Gabriela wrote:
> > Am I missing something or there is no way to automatically add new users
> > (created with OIDC Authentication) to a group ?

I feel a need to address a common misconception. No part of DSpace
adds new users to a group. DSpace optionally adds groups to a new
*session* when the user uses a particular authentication method
configured to do so. The user's recorded membership is unaltered, and
you won't ever find those group memberships in the
'epersongroup2eperson' table.

I should also ask you how you want the group assignment to work. Do
you want to use OIDC-mediated user roles to control which groups are
assigned to a session, or do you want to assign a fixed set of groups
to *all* OIDC-authenticated sessions? The latter should be a few
minutes' work; the former requires a bit more.
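The session-scoped model described in the message above, as an added illustration that is not code from this thread or from DSpace: a self-contained Java toy in which a persisted membership map stands in for the epersongroup2eperson table, a fixed comma-separated configuration value is resolved into special groups (unknown names are skipped with a warning instead of failing the login), and those groups appear only in the group set computed for one session. All class, method and group names here are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Toy model (not DSpace code) of session-scoped "special groups":
 * the persisted membership table is never written; extra groups exist
 * only in the effective group set computed for a single session.
 */
public class SpecialGroupsModel {

    /** Stand-in for the epersongroup2eperson table: user -> persisted groups (constructed sample). */
    static final Map<String, Set<String>> PERSISTED_MEMBERSHIP = Map.of(
        "gabriela", Set.of("Anonymous"));

    /** Stand-in for the groups that exist in the repository (constructed sample). */
    static final Set<String> EXISTING_GROUPS = Set.of("Anonymous", "Administrator", "OIDC Users");

    /** Warnings that a real implementation would send to the log. */
    static final List<String> WARNINGS = new ArrayList<>();

    /**
     * Resolve a fixed configuration value such as "OIDC Users, Staff" into the
     * groups that actually exist. Names are trimmed; unknown names are recorded
     * as a warning and skipped rather than aborting authentication.
     */
    static List<String> specialGroupsFromConfig(String configValue) {
        List<String> granted = new ArrayList<>();
        if (configValue == null || configValue.isBlank()) {
            return granted;
        }
        for (String raw : configValue.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (EXISTING_GROUPS.contains(name)) {
                granted.add(name);
            } else {
                WARNINGS.add("Unknown special group " + name + " not granted");
            }
        }
        return granted;
    }

    /**
     * Effective groups for one session: the user's persisted membership plus
     * whatever special groups the authentication method granted. The persisted
     * map is only read, never modified.
     */
    static Set<String> sessionGroups(String user, List<String> specialGroups) {
        Set<String> effective = new LinkedHashSet<>(
            PERSISTED_MEMBERSHIP.getOrDefault(user, Collections.emptySet()));
        effective.addAll(specialGroups);
        return effective;
    }

    public static void main(String[] args) {
        // An OIDC-authenticated session gets the fixed set; a password session does not.
        List<String> special = specialGroupsFromConfig("OIDC Users, Staff");
        Set<String> oidcSession = sessionGroups("gabriela", special);
        Set<String> passwordSession = sessionGroups("gabriela", Collections.emptyList());

        System.out.println("OIDC session groups:     " + oidcSession);
        System.out.println("Password session groups: " + passwordSession);
        System.out.println("Warnings:                " + WARNINGS);

        // The recorded membership is unchanged by either session.
        if (!PERSISTED_MEMBERSHIP.get("gabriela").equals(Set.of("Anonymous"))) {
            throw new IllegalStateException("persisted membership must not change");
        }
        System.out.println("Persisted membership:    " + PERSISTED_MEMBERSHIP.get("gabriela"));
    }
}
```

Running it shows "OIDC Users" in the OIDC session's set and a warning for the non-existent "Staff" group, while the password session and the persisted map contain only "Anonymous"; that is the distinction between granting groups to a session and adding a user to a group.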

Gabriela

21 Mar 2023, 11:18:34
to DSpace Technical Support
Thank you Mark. This is very informative.

I would like to assign a fixed set of groups to *all* OIDC-authenticated sessions.

Best,
G

Gabriela

22 Mar 2023, 21:57:18
to DSpace Technical Support
Hello Mark,

I tried to assign a fixed set of groups to *all* OIDC-authenticated sessions. A few minutes of work became hours, and I am going around in circles. Any guidance would be very much appreciated.

Best,
G

Mark H. Wood

23 Mar 2023, 9:34:29
to dspac...@googlegroups.com
On Wed, Mar 22, 2023 at 06:57:18PM -0700, Gabriela wrote:
> I tried to assign a fixed set of groups to *all* OIDC-authenticated
> sessions. A few minutes of work, became hours, and I am going around in
> circles. Any guidance would be very much appreciated.

I don't have any way to test this, but it compiles:

diff --git a/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java b/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java
index 8a4ac190c8..53d47fac05 100644
--- a/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java
+++ b/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java
@@ -16,6 +16,8 @@ import static org.apache.commons.lang3.StringUtils.isBlank;

import java.io.UnsupportedEncodingException;
import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
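Review bot: `java.util.Collections` is imported only to support `Collections.EMPTY_LIST` in the later hunk; if that branch returns `List.of()` (the method's original return value, already imported via `java.util.List`), this import can be dropped and the remaining addition is just `ArrayList`.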
@@ -23,13 +25,16 @@ import java.util.Map.Entry;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

+import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.dspace.authenticate.oidc.OidcClient;
import org.dspace.authenticate.oidc.model.OidcTokenResponseDTO;
import org.dspace.core.Context;
+import org.dspace.core.LogHelper;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
import org.dspace.eperson.service.EPersonService;
+import org.dspace.eperson.service.GroupService;
import org.dspace.services.ConfigurationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -64,6 +69,9 @@ public class OidcAuthenticationBean implements AuthenticationMethod {
@Autowired
private EPersonService ePersonService;

+ @Autowired
+ private GroupService groupService;
+
@Override
public boolean allowSetPassword(Context context, HttpServletRequest request, String username) throws SQLException {
return false;
@@ -84,8 +92,36 @@ public class OidcAuthenticationBean implements AuthenticationMethod {
}

@Override
- public List<Group> getSpecialGroups(Context context, HttpServletRequest request) throws SQLException {
- return List.of();
+ public List<Group> getSpecialGroups(Context context, HttpServletRequest request)
+ throws SQLException {
+ if (request == null) {
+ return Collections.EMPTY_LIST;
+ }
+
+ List<Group> groups = new ArrayList<>();
+ StringBuilder groupIDs = new StringBuilder();
+ for (String name : configurationService.getArrayProperty(
+ "authentication-oidc.login.specialgroup",
+ ArrayUtils.EMPTY_STRING_ARRAY)) {
+ Group group = groupService.findByName(context, name);
+ if (null != group) {
+ groups.add(group);
+ if (groupIDs.length() > 0) {
+ groupIDs.append(", ");
+ }
+ groupIDs.append(group.getID());
+ } else {
+ LOGGER.warn(LogHelper.getHeader(context, "authenticated",
+ "Unknown special group {} not granted"), name);
+ }
+ }
+
+ if (groupIDs.length() > 0) {
+ LOGGER.debug(LogHelper.getHeader(context, "authenticated",
+ "special_groups={}"), groupIDs.toString());
+ }
+
+ return groups;
}

@Override
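Review bot: `return Collections.EMPTY_LIST;` in the `request == null` branch returns a raw `List`, so the `List<Group>` return type compiles only with an unchecked-conversion warning; use `Collections.emptyList()` or keep the original `return List.of();`. The rest of the method reads clearly: each configured name is looked up with `groupService.findByName`, a missing group is logged and skipped rather than failing the login, and the granted IDs are logged at debug level, which gives operators a way to confirm in dspace.log which groups a session actually received.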
diff --git a/dspace/config/modules/authentication-oidc.cfg b/dspace/config/modules/authentication-oidc.cfg
index bbb8489a77..4349df87f2 100644
--- a/dspace/config/modules/authentication-oidc.cfg
+++ b/dspace/config/modules/authentication-oidc.cfg
@@ -45,4 +45,8 @@ authentication-oidc.user-info.email = email
authentication-oidc.user-info.first-name = given_name

#Specify the attribute present in the user info json related to the user's last name
-authentication-oidc.user-info.last-name = family_name
\ No newline at end of file
+authentication-oidc.user-info.last-name = family_name
+
+# Any session which is authenticated using OIDC will be granted membership in
+# these groups.
+#authentication-oidc.login.specialgroup = groupname
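Review bot: the comment above `#authentication-oidc.login.specialgroup` should also state that several group names may be given as a comma-separated list, since the Java side reads the key with `configurationService.getArrayProperty`, and that each name must match an existing DSpace group exactly (a name that does not resolve is logged as "Unknown special group ... not granted" and silently omitted from the session).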