Brendon/gameyfin
1
0
Fork 0
mirror of https://github.com/BrenBroZAYT/gameyfin.git synced 2026-06-13 16:40:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make OAuth request scopes & roles claim configurable (#689)

Browse Source 
* Request OAuth scope "roles" by default
* Make OAuth request scopes configurable
* Make roles claim configurable
This commit is contained in:
Simon
2025-09-01 13:50:28 +02:00
committed by GitHub
parent 345bd6cd1e
commit a2abac0698
4 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/src/main/frontend/components/administration/SsoManagement.tsx
+8 -1
View File
@@ -49,7 +49,7 @@ function SsoManagementLayout({getConfig, formik, setSaveMessage}: any) {
<ConfigFormField configElement={getConfig("sso.oidc.enabled")}/>
<Section title="SSO user handling"/>
<div className="flex flex-row items-baseline">
<div className="flex flex-row items-baseline mb-4">
<CheckboxGroup className="flex flex-col flex-1 items-baseline gap-2"
value={["auto-register-new-users"]}>
<div className="flex flex-row gap-2">
@@ -70,6 +70,13 @@ function SsoManagementLayout({getConfig, formik, setSaveMessage}: any) {
!formik.values.sso.oidc["auto-register-new-users"]}/>
</div>
<div className="flex flex-row items-center gap-4">
<ConfigFormField configElement={getConfig("sso.oidc.roles-claim")}
isDisabled={!formik.values.sso.oidc.enabled}/>
<ConfigFormField configElement={getConfig("sso.oidc.oauth-scopes")}
isDisabled={!formik.values.sso.oidc.enabled}/>
</div>
<Section title="SSO provider configuration"/>
<ConfigFormField configElement={getConfig("sso.oidc.client-id")}
isDisabled={!formik.values.sso.oidc.enabled}/>
app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
+14
View File
@@ -147,6 +147,20 @@ sealed class ConfigProperties<T : Serializable>(
true
)
data object RolesClaim : ConfigProperties<String>(
String::class,
"sso.oidc.roles-claim",
"JWT claim to extract roles from",
"roles"
)
data object OAuthScopes : ConfigProperties<Array<String>>(
Array<String>::class,
"sso.oidc.oauth-scopes",
"OAuth2 scopes to request",
arrayOf("openid", "profile", "email", "roles")
)
data object ClientId : ConfigProperties<String>(
String::class,
"sso.oidc.client-id",
app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
+1 -1
View File
@@ -98,7 +98,7 @@ class SecurityConfig(
val clientRegistration = ClientRegistration.withRegistrationId(SSO_PROVIDER_KEY)
.clientId(config.get(ConfigProperties.SSO.OIDC.ClientId))
.clientSecret(config.get(ConfigProperties.SSO.OIDC.ClientSecret))
.scope("openid", "profile", "email")
.scope(config.get(ConfigProperties.SSO.OIDC.OAuthScopes)?.toList())
.userNameAttributeName("preferred_username")
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.issuerUri(config.get(ConfigProperties.SSO.OIDC.IssuerUrl))
app/src/main/kotlin/org/gameyfin/app/users/RoleService.kt
+6 -2
View File
@@ -1,5 +1,7 @@
package org.gameyfin.app.users
import org.gameyfin.app.config.ConfigProperties
import org.gameyfin.app.config.ConfigService
import org.gameyfin.app.core.Role
import org.gameyfin.app.users.entities.User
import org.gameyfin.app.users.persistence.UserRepository
@@ -11,7 +13,8 @@ import org.springframework.stereotype.Service
@Service
class RoleService(
private val userRepository: UserRepository
private val userRepository: UserRepository,
private val configService: ConfigService
) {
companion object {
@@ -66,7 +69,8 @@ class RoleService(
.filterIsInstance<OidcUserAuthority>()
.flatMap { oidcUserAuthority ->
val userInfo = oidcUserAuthority.userInfo
val roles = userInfo.getClaim<List<String>>("roles") ?: return@flatMap emptySequence()
val rolesClaim = configService.get(ConfigProperties.SSO.OIDC.RolesClaim)
val roles = userInfo.getClaim<List<String>>(rolesClaim) ?: return@flatMap emptySequence()
roles.asSequence().mapNotNull {
if (it.startsWith(SSO_ROLE_PREFIX)) SimpleGrantedAuthority(
it.replace(SSO_ROLE_PREFIX, INTERNAL_ROLE_PREFIX)