@rizlas rizlas commented Jun 29, 2023

Hi,
this PR aims to close #208. Requested changes in #208 have been implemented. This will now support not only Shibboleth but any remote user based authentication (e.g. OIDC) as long as claims are passed via HTTP headers.

This setting represents the mapping between user fields and HTTP headers.
As stated in #208, it is also possible to define multiple headers that you can receive a value from (e.g. RealName).

Of course, if WebRemoteUserAuth and WebRemoteUserAutocreate are disabled, RemoteUserHeaders will be ignored.

# See lib/RT/User.pm for possible RT mapping fields
Set($RemoteUserHeaders,
    {
        'attributes_map' => {
            'Name'          => ['HTTP_USERNAME'],
            'EmailAddress'  => ['HTTP_MAIL'],
            'RealName'      => ['HTTP_DISPLAYNAME','HTTP_CN','HTTP_GIVENNAME'],
            'Gecos'         => ['HTTP_SURNAME'],
        }
    }
);

An Apache example of setting the environment variable is:

ProxyFCGISetEnvIf "true" HTTP_DISPLAYNAME "%{reqenv:OIDC_CLAIM_name}"

Thank you

einar commented Jun 29, 2023

Hi @rizlas, nice to see someone using this. :) Just FYI, I will be quite limited in helping out to get this merged as I have not touched any Perl since 2017 and currently delve in infrastructure, so I no longer have any access to any testing environment(s). Would be great if it could be merged though with your (or RT's) help, as I still consider RT to be one of the best ticket-trackers there is and it's sad to keep this out of master/stable.

rizlas commented Jun 29, 2023

Hi, yeah, it is really helpful for remote user based auth.
I've never written Perl till today, I just tweaked your original PR 🤣

I didn't include the utf8 fix that I read in your dockerization (https://github.com/SUNET/docker-rt-swamid/blob/master/Web.pm.patch#L47). However, in the absence of an equivalent function, I believe that that should be added too.

einar commented Jun 29, 2023

You do need it unless you expect only strict ASCII users (which never happens, there's always some random chars in names). :) Names will misbehave unless you keep the utf8 line.

rizlas commented Jun 29, 2023

> (which never happens, there's always some random chars in names)

Yeah, that's why for me it should be included 😆 But maybe there is already a helper function that does utf8 conversion.
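
The header mapping from the PR description and the UTF-8 point raised in the replies, combined in an added example that is not code from this PR or from RT. The helper name `resolve_remote_user_attributes` and the sample environment are hypothetical; it assumes the environment hash holds values set by the front-end web server, as in the Apache line above.

```perl
use strict;
use warnings;
use Encode qw(decode FB_CROAK LEAVE_SRC);

# Mapping in the shape shown in the PR description.
my $remote_user_headers = {
    attributes_map => {
        Name         => ['HTTP_USERNAME'],
        EmailAddress => ['HTTP_MAIL'],
        RealName     => ['HTTP_DISPLAYNAME', 'HTTP_CN', 'HTTP_GIVENNAME'],
        Gecos        => ['HTTP_SURNAME'],
    },
};

# Hypothetical helper: for each user field, take the first listed header that
# is set and non-empty, and decode it from UTF-8 octets to a character string.
sub resolve_remote_user_attributes {
    my ($map, $env) = @_;
    my %attrs;
    for my $field (sort keys %$map) {
        for my $header (@{ $map->{$field} }) {
            my $raw = $env->{$header};
            next unless defined $raw && length $raw;
            # Strict decode: a value that is not valid UTF-8 is skipped
            # instead of being stored as mojibake in the user record.
            my $value = eval { decode('UTF-8', $raw, FB_CROAK | LEAVE_SRC) };
            next unless defined $value;
            $attrs{$field} = $value;
            last;
        }
    }
    return \%attrs;
}

# Constructed sample environment (not real data): HTTP_DISPLAYNAME is empty,
# so RealName falls back to HTTP_CN, which carries the UTF-8 octets of a
# name with non-ASCII characters. HTTP_SURNAME is absent, so Gecos is unset.
my %sample_env = (
    HTTP_USERNAME    => 'asa',
    HTTP_MAIL        => 'asa@example.org',
    HTTP_DISPLAYNAME => '',
    HTTP_CN          => "\xC3\x85sa \xC3\x96berg",
);

my $attrs = resolve_remote_user_attributes(
    $remote_user_headers->{attributes_map}, \%sample_env);

binmode STDOUT, ':encoding(UTF-8)';
printf "%-12s => %s\n", $_, $attrs->{$_} for sort keys %$attrs;
```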
