<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 10:50:35 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLSSO-45] Improve the parsing of the groups property</title>
                <link>https://jira.magnolia-cms.com/browse/MGNLSSO-45</link>
                <project id="15486" key="MGNLSSO">Single Sign On</project>
                    <description>&lt;p&gt;In version 1.0.x, the &lt;tt&gt;usergroups&lt;/tt&gt;&#160;property lookup was hardcoded. This was a problem for a couple of reasons:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;tt&gt;usergroups&lt;/tt&gt;&#160;is, I believe, Microsoft terminology, that we inherited from the previous version of the module; OIDC tends to favor &lt;tt&gt;groups&lt;/tt&gt; (see &lt;a href=&quot;https://developer.okta.com/docs/guides/customize-tokens-groups-claim/add-groups-claim-org-as/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;, &lt;a href=&quot;https://github.com/keycloak/keycloak-documentation/blob/bce56fe5c044a3a91af644a58c49ed8304b2f4f1/securing_apps/topics/oidc/keycloak-gatekeeper.adoc#group-claims&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt; or &lt;a href=&quot;https://developer.okta.com/docs/reference/api/oidc/#scopes&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;)&lt;/li&gt;
	&lt;li&gt;the fact that we had to hardcode it meant the module had no flexibility&lt;/li&gt;
	&lt;li&gt;for an external user, the error message was unclear when setting things up&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;&lt;a name=&quot;Initialsolution&quot;&gt;&lt;/a&gt;Initial solution&lt;/h2&gt;

&lt;p&gt;I suggested looking up the&#160;&lt;tt&gt;groups&lt;/tt&gt;&#160;property in the following PR: &lt;a href=&quot;https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/pull-requests/22/overview?commentId=73403&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/pull-requests/22/overview?commentId=73403&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;My hope was that by doing this while adding the &lt;tt&gt;groups&lt;/tt&gt; OIDC claim, everything would become clearer, and work. But it didn&apos;t actually work. At least in Keycloak, adding the &lt;tt&gt;groups&lt;/tt&gt; claim to the request doesn&apos;t add any data if no mapper is configured.&lt;/p&gt;
&lt;h2&gt;&lt;a name=&quot;Actualsolution&quot;&gt;&lt;/a&gt;Actual solution&lt;/h2&gt;

&lt;p&gt;As suggested here: &lt;a href=&quot;https://www.pac4j.org/docs/clients.html#2-compute-roles-and-permissions&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.pac4j.org/docs/clients.html#2-compute-roles-and-permissions&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before we map the OIDC user&apos;s groups into Magnolia groups, we have to convert the OIDC user&apos;s groups into &lt;em&gt;something&lt;/em&gt;&#160;in his OIDC user profile. (OIDC user: lives in the IDP, OIDC profile: is shared between OIDC and Magnolia during the login process)&lt;/p&gt;

&lt;p&gt;I have:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;opted to use OIDC profile roles instead of groups, because there is a standard API for this (solving the hardcoded value problem)&lt;/li&gt;
	&lt;li&gt;decided to implement an &lt;tt&gt;AuthorizationGenerator&lt;/tt&gt; to streamline the code as well as give us the chance to warn the user with a relevant message at every step of the way (see screenshot)&lt;/li&gt;
	&lt;li&gt;decided to stay with looking up the &lt;tt&gt;groups&lt;/tt&gt; property. This is a convention and we would rather have users follow it (which can easily be done at least in Okta and Keycloak), rather than allow too many use cases&lt;/li&gt;
	&lt;li&gt;we can always revisit this in future iterations&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="95734">MGNLSSO-45</key>
            <summary>Improve the parsing of the groups property</summary>
                <type id="3" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10898&amp;avatarType=issuetype">Task</type>
                                            <priority id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/neutral.gif">Neutral</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="11">Done</resolution>
                                        <assignee username="mmichel">Maxime Michel</assignee>
                                    <reporter username="mmichel">Maxime Michel</reporter>
                        <labels>
                    </labels>
                <created>Mon, 8 Feb 2021 12:20:25 +0100</created>
                <updated>Tue, 23 Feb 2021 12:10:11 +0100</updated>
                            <resolved>Tue, 23 Feb 2021 12:10:11 +0100</resolved>
                                                    <fixVersion>1.1</fixVersion>
                                        <due></due>
                            <votes>0</votes>
                                    <watches>1</watches>
                                                                                                                        <attachments>
                            <attachment id="76148" name="Screenshot 2021-02-11 at 12.28.02.png" size="143345" author="mmichel" created="Thu, 11 Feb 2021 12:50:50 +0100"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                            <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[
                            




                
                                    Empty
                        ]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>mmichel</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            3 years, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>mmichel</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|y049im:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_14167" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Task DoR</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[
                            




                
                                    Empty
                        ]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_13933" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Urgency (resolution)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15724"><![CDATA[Normal]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                </customfields>
    </item>
</channel>
</rss>