[MGNLSSO-45] Improve the parsing of the groups property

| Created: | 08/Feb/21 |
| Updated: | 23/Feb/21 |
| Resolved: | 23/Feb/21 |
| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.1 |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Maxime Michel |
| Assignee: | Maxime Michel |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Description |
|
In version 1.0.x, the usergroups property lookup was hardcoded. This was a problem for a couple of reasons:

Initial solution

I suggested looking up the groups property in the following PR: https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/pull-requests/22/overview?commentId=73403

My hope was that by doing this while adding the groups OIDC claim, everything would become clearer and work. But it didn't actually work. At least in Keycloak, adding the groups claim to the request doesn't add any data if no mapper is configured.

Actual solution

As suggested here: https://www.pac4j.org/docs/clients.html#2-compute-roles-and-permissions

Before we map the OIDC user's groups into Magnolia groups, we have to convert the OIDC user's groups into something in his OIDC user profile. (OIDC user: lives in the IDP; OIDC profile: is shared between OIDC and Magnolia during the login process.)

I have: