dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Dan Milne
2025-11-04 13:21:55 +11:00
parent 4d1bc1ab66
commit ef15db77f9
46 changed files with 341 additions and 2917 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
app/services/oidc_jwt_service.rb
View File

@@ -27,11 +27,14 @@ class OidcJwtService
# Add admin claim if user is admin
payload[:admin] = true if user.admin?
# Add role-based claims if role mapping is enabled
if application.role_mapping_enabled?
add_role_claims!(payload, user, application)
# Merge custom claims from groups
user.groups.each do |group|
payload.merge!(group.parsed_custom_claims)
end
# Merge custom claims from user (overrides group claims)
payload.merge!(user.parsed_custom_claims)
JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
end
@@ -93,50 +96,5 @@ class OidcJwtService
def key_id
@key_id ||= Digest::SHA256.hexdigest(public_key.to_pem)[0..15]
end
# Add role-based claims to the JWT payload
def add_role_claims!(payload, user, application)
user_roles = application.user_roles(user)
return if user_roles.empty?
role_names = user_roles.pluck(:name)
# Filter roles by prefix if configured
if application.role_prefix.present?
role_names = role_names.select { |role| role.start_with?(application.role_prefix) }
end
return if role_names.empty?
# Add roles using the configured claim name
claim_name = application.role_claim_name.presence || 'roles'
payload[claim_name] = role_names
# Add role permissions if configured
managed_permissions = application.parsed_managed_permissions
if managed_permissions['include_permissions'] == true
role_permissions = user_roles.map do |role|
{
name: role.name,
display_name: role.display_name,
permissions: role.permissions
}
end
payload['role_permissions'] = role_permissions
end
# Add role metadata if configured
if managed_permissions['include_metadata'] == true
role_metadata = user_roles.map do |role|
assignment = role.user_role_assignments.find_by(user: user)
{
name: role.name,
source: assignment&.source,
assigned_at: assignment&.created_at
}
end
payload['role_metadata'] = role_metadata
end
end
end
end