feat: add group allowlist for oidc #11070


Merged
merged 12 commits into from
Dec 8, 2023
update golden files
Emyrk committed Dec 6, 2023
commit 8a871d737fd091002fb4f8774e1acdef73a4fecc
6 changes: 6 additions & 0 deletions cli/testdata/coder_server_--help.golden
@@ -333,6 +333,12 @@ OIDC OPTIONS:
--oidc-allow-signups bool, $CODER_OIDC_ALLOW_SIGNUPS (default: true)
Whether new users can sign up with OIDC.

--oidc-allowed-groups string-array, $CODER_OIDC_ALLOWED_GROUPS
If provided any group name not in the list will not be allowed to
authenticate. This allows for restricting access to a specific set of
groups. This filter is applied after the group mapping and before the
regex filter.

--oidc-auth-url-params struct[map[string]string], $CODER_OIDC_AUTH_URL_PARAMS (default: {"access_type": "offline"})
OIDC auth URL parameters to pass to the upstream provider.

5 changes: 5 additions & 0 deletions cli/testdata/server-config.yaml.golden
@@ -323,6 +323,11 @@ oidc:
# mapping.
# (default: .*, type: regexp)
groupRegexFilter: .*
# If provided any group name not in the list will not be allowed to authenticate.
# This allows for restricting access to a specific set of groups. This filter is
# applied after the group mapping and before the regex filter.
# (default: <unset>, type: string-array)
groupAllowed: []
# This field must be set if using the user roles sync feature. Set this to the
# name of the claim used to store the user's role. The roles should be sent as an
# array of strings.
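Review bot: the YAML key `groupAllowed` does not read like the flag it mirrors (`--oidc-allowed-groups` / `$CODER_OIDC_ALLOWED_GROUPS` in cli/testdata/coder_server_--help.golden); an operator writing the config by hand will guess `allowedGroups`, so consider renaming unless the key is already shipped. The generated comment also carries the same ambiguous wording as the flag help ("any group name not in the list will not be allowed to authenticate") and should say that users without at least one listed group are denied login.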
4 changes: 2 additions & 2 deletions coderd/userauth.go
@@ -1061,9 +1061,9 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac
}

if !inAllowList {
detail := fmt.Sprintf("Ask an administrator to add one of your groups to the whitelist: %s", strings.Join(groups, ", "))
detail := fmt.Sprintf("Ask an administrator to add one of your groups (%s) to the whitelist", strings.Join(groups, ", "))
if len(groups) == 0 {
detail = "You are currently not a member of any groups!"
detail = "You are currently not a member of any groups! Ask an administrator to add you to an authorized group to login."
}
return usingGroups, groups, &httpError{
code: http.StatusForbidden,
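Review bot: both rewritten messages still say "whitelist" while the PR title, the flag name (`--oidc-allowed-groups`) and the variable `inAllowList` use allowlist terminology; suggest "Ask an administrator to add one of your groups (%s) to the allowed groups list" so the user sees the same term the admin will find in the config. Minor: "to login" in the empty-groups message should be "to log in". Also note that because this check runs after group mapping (per the flag help in this commit), the `%s` echoes mapped Coder-side group names rather than the raw IdP claim values, so the 403 body reveals the admin's mapping to the user; decide whether that is acceptable or whether the detail should omit the names.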