diff --git a/app/src/main/frontend/components/administration/SsoManagement.tsx b/app/src/main/frontend/components/administration/SsoManagement.tsx
index 7db75e9..f873d8b 100644
--- a/app/src/main/frontend/components/administration/SsoManagement.tsx
+++ b/app/src/main/frontend/components/administration/SsoManagement.tsx
@@ -49,7 +49,7 @@ function SsoManagementLayout({getConfig, formik, setSaveMessage}: any) {
-
+
@@ -70,6 +70,13 @@ function SsoManagementLayout({getConfig, formik, setSaveMessage}: any) { !formik.values.sso.oidc["auto-register-new-users"]}/>
+
+ + +
+
diff --git a/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt b/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
index 23e928e..a65cf0a 100644
--- a/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
@@ -147,6 +147,20 @@ sealed class ConfigProperties(
 true
 )
+ data object RolesClaim : ConfigProperties(
+ String::class,
+ "sso.oidc.roles-claim",
+ "JWT claim to extract roles from",
+ "roles"
+ )
+
+ data object OAuthScopes : ConfigProperties>(
+ Array::class,
+ "sso.oidc.oauth-scopes",
+ "OAuth2 scopes to request",
+ arrayOf("openid", "profile", "email", "roles")
+ )
+
 data object ClientId : ConfigProperties(
 String::class,
 "sso.oidc.client-id",
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
index 08df09c..3caaa62 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
@@ -98,7 +98,7 @@ class SecurityConfig(
 val clientRegistration = ClientRegistration.withRegistrationId(SSO_PROVIDER_KEY)
 .clientId(config.get(ConfigProperties.SSO.OIDC.ClientId))
 .clientSecret(config.get(ConfigProperties.SSO.OIDC.ClientSecret))
- .scope("openid", "profile", "email")
+ .scope(config.get(ConfigProperties.SSO.OIDC.OAuthScopes)?.toList())
 .userNameAttributeName("preferred_username")
 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 .issuerUri(config.get(ConfigProperties.SSO.OIDC.IssuerUrl))
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/RoleService.kt b/app/src/main/kotlin/org/gameyfin/app/users/RoleService.kt
index d5feeef..c729574 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/RoleService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/RoleService.kt
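Review bot: The scope list passed to `.scope(...)` in the SecurityConfig.kt hunk now comes straight from admin configuration, and nothing there guarantees that `openid` is among the requested scopes; as far as I can tell Spring only runs the OIDC login path (and only hands an `OidcUserAuthority` to `RoleService`) when `openid` is requested, so a saved list without it would silently degrade to a plain OAuth2 login in which no roles are mapped. The default of the new `OAuthScopes` entry in the ConfigProperties.kt hunk does contain `openid`, but that does not protect against the value being edited later. Consider pinning it where the registration is built, e.g. `val scopes = config.get(ConfigProperties.SSO.OIDC.OAuthScopes)?.toList().orEmpty()` followed by `.scope((scopes + "openid").distinct())`, or rejecting the configuration up front with `check("openid" in scopes) { "sso.oidc.oauth-scopes must contain openid" }`. The builder chain continues past the end of the hunk.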
@@ -1,5 +1,7 @@ package org.gameyfin.app.users
+import org.gameyfin.app.config.ConfigProperties
+import org.gameyfin.app.config.ConfigService
 import org.gameyfin.app.core.Role
 import org.gameyfin.app.users.entities.User
 import org.gameyfin.app.users.persistence.UserRepository
@@ -11,7 +13,8 @@ import org.springframework.stereotype.Service
 @Service
 class RoleService(
- private val userRepository: UserRepository
+ private val userRepository: UserRepository,
+ private val configService: ConfigService
 ) {
 companion object {
@@ -66,7 +69,8 @@ class RoleService(
 .filterIsInstance()
 .flatMap { oidcUserAuthority ->
 val userInfo = oidcUserAuthority.userInfo
- val roles = userInfo.getClaim>("roles") ?: return@flatMap emptySequence()
+ val rolesClaim = configService.get(ConfigProperties.SSO.OIDC.RolesClaim)
+ val roles = userInfo.getClaim>(rolesClaim) ?: return@flatMap emptySequence()
 roles.asSequence().mapNotNull {
 if (it.startsWith(SSO_ROLE_PREFIX)) SimpleGrantedAuthority(
 it.replace(SSO_ROLE_PREFIX, INTERNAL_ROLE_PREFIX)
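Review bot: Making the claim name configurable makes the unchecked generic `getClaim(rolesClaim)` call on the new `val roles = ...` line in the third hunk more fragile: the claim an admin points at may hold a single string or a nested object rather than a list of strings, and because the type argument is erased the mismatch would only surface later as a `ClassCastException` at `it.startsWith(...)`, breaking login for every SSO user instead of just yielding no roles. Spring's `ClaimAccessor.getClaimAsStringList(rolesClaim)` goes through the claim conversion service and returns null when the claim is absent, so `val roles = userInfo.getClaimAsStringList(rolesClaim) ?: return@flatMap emptySequence()` should keep the current fallback while tolerating a non-list value. The `configService.get(ConfigProperties.SSO.OIDC.RolesClaim)` lookup also sits inside the `flatMap` lambda and runs once per authority; it could be hoisted above the chain. The enclosing function starts and ends outside the hunk.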