Make use of roles when using OIDC

[luketainton]

• Gitea version (or commit ref): 1.10.3
• Git version: N/A
• Operating system: Linux (Docker)
• Database:
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

We use Keycloak as our SSO system and Gitea uses this via OAuth2 (OIDC) to authenticate users. We have roles (admin/user) set up on Keycloak that are assigned to users. Is there a way to have Gitea assign admin rights to users if they have the 'admin' role?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[Breee]

We would need such a feature as well.

gitea/routers/user/auth_openid.go

Line 320 in 76053ac

func RegisterOpenID(ctx *context.Context) {

Here I see that username and password is extracted.

We are using Keycloak and our use case is the following:

We have Organisations and Teams.
If a new user registers using OIDC, we want to assign him one or more Organizations and one or more Teams.

Do you think that is possible?

[marcpopp]

Ẃe could use this feature, too.

[lunny]

We need a uniform authorization synchronize mechanism for LDAP, OIDC or others.

[Morriz]

Harbor has it out of the box. You just provide it the name of the admin group in the OIDC groups claim for admins to be recognized. Teams can be given an OIDC group as well, so that incoming OIDC users can later be mapped.

I don't believe they "sync" users but map them from their OIDC connector, so their db is empty of users.

[Jamesits]

Having a consistent, unified source of identity and permission would be very convenient when working with a large group of people. This can be implemented with 2 steps:

1. Save the roles/groups a user is in and update them (for LDAP sync, update them every few minutes; for OAuth2, update during user login)
2. Allow groups/projects in Gitea to have permission assigned to a role

I'd like to contribute a little if there is a plan from Gitea developers to implement this.

[indiketa]

We need this functionality to be able to allow login or not depending on a claim value in the access token.

In our case, we use oauth2_client account auto registration but we don't want it to happen if the access token does not have a specific claim.

I have spent some time this afternoon on a proof of concept:

To make something as flexible as possible we added two new parameters in the app.ini file:

;;
;; Allow login only if access token has the following claim.
;; If claim value config parameter is not set, the login will be
;; allowed only with the presence of the claim in the access token.
;;ALLOW_LOGIN_CLAIM_NAME =
;;
;; Allow login only if the ALLOW_LOGIN_CLAIM_NAME has this value
;; No effect if claim name is not set
;; Access token value can be a single string or an array
;;ALLOW_LOGIN_CLAIM_VALUE =

Do you think is it worth doing this way?
indiketa@bd8fe3f
indiketa@f700084
indiketa@4e18d0f