
chore: add query to fetch top level idp claim fields #15525


Merged: 10 commits merged into main from stevenmasley/user_link_claim_list, Nov 18, 2024

Conversation

Emyrk (Member) commented Nov 14, 2024

Supports coder/internal#210

Adds an API endpoint to grab all available sync field options for IdP sync. This is for autocomplete on IdP sync forms. This is required for organization admins to have some insight into the claim fields available when configuring group/role sync.

Given claims such as:

{
   "merged_claims":{
      "hd":"...",
      "aud":"...",
      "azp":"...",
      "iss":"...",
      "sub":"115135273038497292934",
      "name":"Alice",
      "email":"alice@example.com",
      "at_hash":"...",
      "given_name":"Alice",
      "family_name":"Smith",
      "groups":[
         "developers",
         "cyclists"
      ],
      "roles":[
         "coder-engineer"
      ],
      "email_verified":true
   }
}

This query returns: ["hd", "aud", "azp", "iss", "sub", "name", "email", "at_hash", "given_name", "family_name", "groups", "roles", "email_verified"]

@Emyrk Emyrk requested a review from f0ssel November 14, 2024 21:44
@Emyrk Emyrk marked this pull request as draft November 18, 2024 16:55
Emyrk (Member, Author) commented Nov 18, 2024

I am going to simplify this query by merging the claims in Go before sending them here. It will be more accurate too, as merged claims do override userinfo if present in id_token.

Done. Uses 1 merged_claims field now instead.
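The Go-side merge described in the comment above, followed by the distinct-key set that the PR's `jsonb_object_keys` query returns, as an added example. This is not Coder's own code: `userLink`, `mergeClaims`, `claimFields` and the sample logins are constructed for illustration, and the id_token-over-userinfo precedence follows the comment above.

```go
package main

import (
	"fmt"
	"sort"
)

type userLink struct { // constructed stand-in for a user_links row
	idToken, userInfo map[string]any
}

// mergeClaims builds merged_claims; on a shared key the id_token value wins, as the PR comment describes.
func mergeClaims(idToken, userInfo map[string]any) map[string]any {
	merged := make(map[string]any, len(idToken)+len(userInfo))
	for k, v := range userInfo {
		merged[k] = v
	}
	for k, v := range idToken {
		merged[k] = v // id_token overrides userinfo
	}
	return merged
}

// claimFields returns the sorted distinct top-level keys across all links' merged_claims,
// the set SELECT DISTINCT jsonb_object_keys(claims->'merged_claims') FROM user_links yields.
func claimFields(links []userLink) []string {
	seen := map[string]struct{}{}
	for _, l := range links {
		for k := range mergeClaims(l.idToken, l.userInfo) {
			seen[k] = struct{}{}
		}
	}
	keys := make([]string, 0, len(seen))
	for k := range seen {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Constructed sample: Alice's id_token and userinfo both carry "email"; Bob's IdP sends "department" only via userinfo.
var sampleLinks = []userLink{
	{idToken: map[string]any{"sub": "1", "email": "alice@example.com", "groups": []string{"developers"}},
		userInfo: map[string]any{"email": "alice@corp.example", "roles": []string{"coder-engineer"}}},
	{idToken: map[string]any{"sub": "2"}, userInfo: map[string]any{"email": "bob@example.com", "department": "eng"}},
}

func main() {
	fmt.Println(claimFields(sampleLinks)) // [department email groups roles sub]
}
```

Note that the result is a union across every user ever linked, so a single login from an IdP that sends an unusual claim adds that key to the autocomplete list for all admins.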

@Emyrk Emyrk force-pushed the stevenmasley/user_link_claim_list branch from 664e734 to 2dae39b Compare November 18, 2024 18:09
@Emyrk Emyrk marked this pull request as ready for review November 18, 2024 18:17
Comment on lines +62 to +68
-- name: OIDCClaimFields :many
-- OIDCClaimFields returns a list of distinct keys in the the merged_claims fields.
-- This query is used to generate the list of available sync fields for idp sync settings.
SELECT
DISTINCT jsonb_object_keys(claims->'merged_claims')
FROM
user_links
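Review bot: the comment above the query doubles "the" ("in the the merged_claims fields"); while touching it, consider guarding the SELECT with `WHERE jsonb_typeof(claims->'merged_claims') = 'object'`, since jsonb_object_keys raises an error rather than returning no rows if a row ever stores a non-object there (NULL rows are already skipped). Adding `ORDER BY 1` would also keep the autocomplete list stable between calls.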
f0ssel (Contributor) commented:

To confirm, this data comes from the claims we get from user links, so if a new user logs in with claims we haven't seen before, it would add to this list, and the next time this endpoint is hit it would have new data?

Emyrk (Member, Author) replied:

Correct 👍

// @Param organization path string true "Organization ID" format(uuid)
// @Success 200 {array} string
// @Router /settings/idpsync/available-fields [get]
func (api *API) deploymentIDPSyncClaimFields(rw http.ResponseWriter, r *http.Request) {
f0ssel (Contributor) commented:

Why do we need a deployment level endpoint again?

Emyrk (Member, Author) replied:

Organization sync is configured by deployment level admins (user-admins and owner). They configure IDP sync based on all users in the deployment.

The RBAC permissions prevent org admins from hitting the deployment wide api.

@Emyrk Emyrk merged commit c3c23ed into main Nov 18, 2024
30 checks passed
@Emyrk Emyrk deleted the stevenmasley/user_link_claim_list branch November 18, 2024 20:31