3 changes: 3 additions & 0 deletions Config/config.php
Expand Up @@ -52,6 +52,9 @@
],
'roles_property' => {{ OIDC_ROLES_PROPERTY_INNER | str }},
'organisation_property' => {{ OIDC_ORGANISATION_PROPERTY | str }},
{% if OIDC_SCOPES %}
'scopes' => [{% for scope in OIDC_SCOPES %}'{{ scope }}'{% if not loop.last %}, {% endif %}{% endfor %}],
{% endif %}
'default_org' => '{{ OIDC_DEFAULT_ORG if OIDC_DEFAULT_ORG else MISP_ORG }}',
'unblock' => true,
'offline_access' => {{ OIDC_OFFLINE_ACCESS | bool }},
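Review bot: Each scope is interpolated bare between PHP single quotes on the added `'scopes' => [...]` line, whereas the neighbouring values (`roles_property`, `organisation_property`) go through the `str` filter; a scope containing `'` (a legal character in an RFC 6749 scope-token) would break or alter the generated PHP, and the new parser in bin/misp_create_configs.py only strips whitespace, so nothing rejects it. Rendering each element through the same filter, `'scopes' => [{% for scope in OIDC_SCOPES %}{{ scope | str }}{% if not loop.last %}, {% endif %}{% endfor %}],`, keeps the template consistent with the surrounding lines, assuming `str` emits a quoted and escaped PHP literal as it appears to on those lines. The enclosing array starts before the hunk.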
5 changes: 5 additions & 0 deletions bin/misp_create_configs.py
Expand Up @@ -130,6 +130,10 @@ def parse_oidc_roles(variable_name: str, value: str) -> dict:
return dict_parser(variable_name, value, seperator=',', variable_description="OIDC roles mapping variable")


def parse_oidc_scopes(variable_name: str, value: str) -> list:
return [scope.strip() for scope in value.split(',') if scope.strip()]


def parse_x_forwarded_headers(variable_name: str, value: str) -> list:
valid_values = ("X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto", "Forwarded")
headers = value.split(" ")
Expand Down Expand Up @@ -185,6 +189,7 @@ def parse_mysql_settings(variable_name: str, value: str) -> dict:
),
"OIDC_ROLES_PROPERTY_INNER": Option(),
"OIDC_ORGANISATION_PROPERTY": Option(default="organization"),
"OIDC_SCOPES": Option(parser=parse_oidc_scopes),
"OIDC_OFFLINE_ACCESS": Option(typ=bool, default=False),
"OIDC_CHECK_USER_VALIDITY": Option(typ=int, default=0, validation=check_uint),
"OIDC_UPDATE_USER_ROLE": Option(typ=bool, default=True),
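Review bot: `parse_oidc_scopes` in the first hunk accepts any token after splitting on commas, so a mistyped value such as `profile email` (space-separated) or one with quotes is passed through silently into the rendered config instead of failing at config-generation time like the other parsers in this file appear to do; `variable_name` is also unused, so the error message cannot name the offending variable. The scope-token grammar in RFC 6749 §3.3 is printable ASCII without space, `"` or `\`, which is cheap to check per element before returning. The exact exception type used by `dict_parser` and the other parsers is outside the hunk, so the `ValueError` below should be swapped for whatever they raise.
```python
def _is_scope_token(scope: str) -> bool:
    # RFC 6749 §3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable ASCII without space, '"' or '\'
    return bool(scope) and all(0x21 <= ord(c) <= 0x7E and c not in '"\\' for c in scope)


def parse_oidc_scopes(variable_name: str, value: str) -> list:
    scopes = [scope.strip() for scope in value.split(',') if scope.strip()]
    invalid = [scope for scope in scopes if not _is_scope_token(scope)]
    if invalid:
        # TODO: raise the same error type the other parsers in this file use
        raise ValueError(f"{variable_name}: invalid OIDC scope(s) {invalid}")
    return scopes
```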
1 change: 1 addition & 0 deletions docs/OIDC.md
Expand Up @@ -20,6 +20,7 @@ OIDC authentication is not used. Instead, Apache checks if a key is valid and le
* `OIDC_ROLES_PROPERTY` (optional, string, default `roles`) - name of claim used for user roles in MISP
* `OIDC_ROLES_MAPPING` (optional, string, default see bellow) - roles mapping from roles provided by IdP to MISP roles
* `OIDC_ORGANISATION_PROPERTY` (optional, string, default `organization`) - ID token or user info claim that will be used as an organisation in MISP. This property should contain organisation ID, name or UUID.
* `OIDC_SCOPES` (optional, string) - comma-separated list of OIDC scopes to request (e.g., `profile,email`). Make sure to add your custom scope here if you set any in the identity provider.
* `OIDC_OFFLINE_ACCESS` (optional, boolean, default `false`) - if true, offline access token will be requested for user
* `OIDC_CHECK_USER_VALIDITY` (optional, int, default `0`) - number of seconds, after which user will be revalidated if he is still active in IdP. Zero means that this functionality is disabled. Recommended value is `300`.
* `OIDC_UPDATE_USER_ROLE` (optional, bool, default `true`) - if disabled, manually modified role in MISP admin interface will be not changed from roles defined in OIDC