mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-21 22:22:15 +01:00
* Api/Auth/OpenIDConnect: allow to specify which JWT payload attribute to use and a regular expression to extract username from it
This commit is contained in:
parent
d6c8584ae9
commit
1c0719cb7c
@ -44,32 +44,51 @@ class Openidconnect implements BackendSSO
|
||||
//error_log(__METHOD__."() session_status()=".session_status().", _SESSION=".json_encode($_SESSION));
|
||||
$this->client->authenticate();
|
||||
|
||||
$account_lid = $this->client->getVerifiedClaims('sub');
|
||||
// use configured payload attribute / claim, defaulting to "sub"
|
||||
$attribute = ($GLOBALS['egw_info']['server']['oic_username_attribute'] ?? 'sub');
|
||||
if ($attribute === 'custom' && !empty($GLOBALS['egw_info']['server']['oic_username_custom']))
|
||||
{
|
||||
$attribute = $GLOBALS['egw_info']['server']['oic_username_custom'];
|
||||
}
|
||||
$account_lid = $this->client->getVerifiedClaims($attribute);
|
||||
// extract username with regular expression, if configured and matching
|
||||
if (!empty($GLOBALS['egw_info']['server']['oic_username_preg']) && preg_match($GLOBALS['egw_info']['server']['oic_username_preg'], $account_lid))
|
||||
{
|
||||
$account_lid = preg_replace($GLOBALS['egw_info']['server']['oic_username_preg'], '$1', $account_lid);
|
||||
}
|
||||
$accounts = Api\Accounts::getInstance();
|
||||
if (!$accounts->name2id($account_lid, 'account_lid', 'u'))
|
||||
{
|
||||
// fail if auto-creation of authenticated users is NOT configured
|
||||
if (empty($GLOBALS['egw_info']['server']['auto_create_acct']))
|
||||
// for attribute="email" check, if we have user with given email
|
||||
if ($attribute === 'email' && ($account_id = $accounts->name2id($account_lid, 'account_email', 'u')))
|
||||
{
|
||||
error_log(__METHOD__."() OpenIDConnect login successful, but user '$account_lid' does NOT exist in EGroupware, AND automatic user creating is disabled!");
|
||||
$_GET['cd'] = lang("OpenIDConnect login successful, but user '%1' does NOT exist in EGroupware, AND automatic user creating is disabled!", $account_lid);
|
||||
return null;
|
||||
$account_lid = Api\Accounts::id2name($account_id);
|
||||
}
|
||||
try {
|
||||
$user_info = $this->client->requestUserInfo();
|
||||
$GLOBALS['auto_create_acct'] = [
|
||||
'firstname' => $user_info->given_name,
|
||||
'lastname' => $user_info->family_name,
|
||||
'email' => $user_info->email,
|
||||
// not (yet) used supported keys
|
||||
//'primary_group' => '',
|
||||
//'add_group' => '',
|
||||
//'account_id' => 0,
|
||||
];
|
||||
}
|
||||
catch (OpenIDConnectClientException $e) {
|
||||
// do NOT fail, if IdP does not support user-info
|
||||
_egw_log_exception($e);
|
||||
else
|
||||
{
|
||||
// fail if auto-creation of authenticated users is NOT configured
|
||||
if (empty($GLOBALS['egw_info']['server']['auto_create_acct']))
|
||||
{
|
||||
error_log(__METHOD__."() OpenIDConnect login successful, but user '$account_lid' does NOT exist in EGroupware, AND automatic user creating is disabled!");
|
||||
$_GET['cd'] = lang("OpenIDConnect login successful, but user '%1' does NOT exist in EGroupware, AND automatic user creating is disabled!", $account_lid);
|
||||
return null;
|
||||
}
|
||||
try {
|
||||
$user_info = $this->client->requestUserInfo();
|
||||
$GLOBALS['auto_create_acct'] = [
|
||||
'firstname' => $user_info->given_name,
|
||||
'lastname' => $user_info->family_name,
|
||||
'email' => $user_info->email,
|
||||
// not (yet) used supported keys
|
||||
//'primary_group' => '',
|
||||
//'add_group' => '',
|
||||
//'account_id' => 0,
|
||||
];
|
||||
}
|
||||
catch (OpenIDConnectClientException $e) {
|
||||
// do NOT fail, if IdP does not support user-info
|
||||
_egw_log_exception($e);
|
||||
}
|
||||
}
|
||||
}
|
||||
// return user session
|
||||
|
@ -218,6 +218,7 @@ current system-charset setup de Aktueller Systemzeichensatz
|
||||
current system-charset is %1. setup de Aktueller Systemzeichensatz ist %1.
|
||||
current version setup de Gegenwärtige Version
|
||||
currently installed languages: %1 <br /> setup de Gegenwärtig installierte Sprachen: %1 <br>
|
||||
custom attribute setup de Benutzerdefiniertes Attribute
|
||||
custom handler: %1 setup de Eigener Sitzunghandler: %1
|
||||
custom oid setup de Benutzerdefinierte OID
|
||||
custom set via %1 setup de Benutzerdefiniert über "%1" gesetzt
|
||||
@ -486,6 +487,7 @@ multi-language support setup setup de Mehr-Sprachen Unterstützung einrichten
|
||||
name for service provider setup de Name des Service Provider / Dienstes
|
||||
name of database setup de Name der Datenbank
|
||||
name of db user egroupware uses to connect setup de Name des Datenbank-Benutzers den EGroupware verwendet
|
||||
name of jwt payload attribute for username setup de Name des JWT Nutzdaten Attributes für den Benutzername
|
||||
needs extra configuration on dc and webserver! setup de Benötigt extra Konfiguration auf Domain Controller und Webserver!
|
||||
never setup de Niemals
|
||||
new setup de Neu
|
||||
@ -540,6 +542,7 @@ path to user and group files has to be outside of the webservers document-root!!
|
||||
path to various directories: have to exist and be writeable by the webserver setup de Pfade zu verschiedenen Verzeichnissen: Diese müssen vorhanden sein und vom Webserver beschreibbar
|
||||
pem certificate setup de PEM Zertifikat
|
||||
periodic import from ads or ldap into egroupware database setup de Periodischer Import von ADS oder LDAP in die EGroupware Datenbank
|
||||
perl regular expression to extract username setup de Perl Regulärer Ausdruck um Benutzernamen to extrahieren
|
||||
persistent connections setup de Permanente Verbindungen
|
||||
php client setup de PHP Client
|
||||
php proxy setup de PHP Proxy
|
||||
|
@ -218,6 +218,7 @@ current system-charset setup en Current system charset
|
||||
current system-charset is %1. setup en Current system charset is %1.
|
||||
current version setup en Current version
|
||||
currently installed languages: %1 <br /> setup en Currently installed languages: %1<br>
|
||||
custom attribute setup en custom attribute
|
||||
custom handler: %1 setup en Custom handler: %1
|
||||
custom oid setup en custom OID
|
||||
custom set via %1 setup en Custom set via %1
|
||||
@ -486,6 +487,7 @@ multi-language support setup setup en Multi language support setup
|
||||
name for service provider setup en Name for Service Provider
|
||||
name of database setup en Name of database
|
||||
name of db user egroupware uses to connect setup en Name of db user EGroupware uses to connect
|
||||
name of jwt payload attribute for username setup en Name of JWT payload attribute for username
|
||||
needs extra configuration on dc and webserver! setup en Needs extra configuration on DC and webserver!
|
||||
never setup en Never
|
||||
new setup en New
|
||||
@ -519,6 +521,7 @@ one month setup en One month
|
||||
one week setup en One week
|
||||
only add languages that are not in the database already setup en Only add languages that are not in the database already
|
||||
only add new phrases setup en Only add new phrases
|
||||
openidconnect login setup en OpenIDConnect Login
|
||||
optional, if only authentication and anonymous search is enabled setup en optional, if only authentication AND anonymous search is enabled
|
||||
or setup en or
|
||||
or %1continue to the header admin%2 setup en or %1Continue to the Header Admin%2
|
||||
@ -540,6 +543,7 @@ path to user and group files has to be outside of the webservers document-root!!
|
||||
path to various directories: have to exist and be writeable by the webserver setup en Path to various directories: have to exist and be writable by the web server
|
||||
pem certificate setup en PEM certificate
|
||||
periodic import from ads or ldap into egroupware database setup en Periodic import from ADS or LDAP into EGroupware database
|
||||
perl regular expression to extract username setup en Perl regular expression to extract username
|
||||
persistent connections setup en Persistent connections
|
||||
php client setup en PHP client
|
||||
php proxy setup en PHP proxy
|
||||
|
@ -493,6 +493,22 @@
|
||||
<td>{lang_Client_secret}:</td>
|
||||
<td><input type="password" name="newsettings[oic_client_secret]" value="{value_oic_client_secret}" size="40" /></td>
|
||||
</tr>
|
||||
<tr class="row_on">
|
||||
<td>{lang_Name_of_JWT_payload_attribute_for_username}:</td>
|
||||
<td>
|
||||
<select name="newsettings[oic_username_attribute]">
|
||||
<option value="sub"{selected_oic_username_sub}>sub ({lang_default})</option>
|
||||
<option value="prefered_username"{selected_oic_username_prefered_username}>prefered_username</option>
|
||||
<option value="email"{selected_oic_username_email}>email</option>
|
||||
<option value="custom"{selected_oic_username_custom}>{lang_custom_attribute}</option>
|
||||
</select>
|
||||
<input name="newsettings[oic_username_custom]" value="{value_oic_username_custom}" size="40" placeholder="{lang_custom_attribute}"/>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="row_off">
|
||||
<td>{lang_Perl_regular_expression_to_extract_username}</td>
|
||||
<td><input name="newsettings[oic_username_preg]" value="{value_oic_username_preg}" size="40" placeholder="/^(.*)$/"/></td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_off">
|
||||
<td colspan="2"> </td>
|
||||
|
Loading…
Reference in New Issue
Block a user