Assign roles based on Attribute values

[adamfranco]

This is dependent on attributes being loaded (Issue #5).

Rather than only assigning the static ROLE_USER to all users who can authenticate via CAS, I'd like to be able to assign configurable roles based on user-attribute values.

For example, imagine a school with guests, students, faculty, and administrators. One application should only be available to students and faculty, so a configuration like the following might be used:

p_rayno_cas_auth:
    server_login_url: https://server.example.edu/cas/
    ...
    attribute_role_mapping:
        ROLE_USER:
            attribute_key: 'Status'
            attribute_values: ['Student', 'Faculty']
        ROLE_ADMINISTRATOR:
            attribute_key: 'MemberOf'
            attribute_values: ['CN=AdministratorsGroup,OU=Groups,DC=example,DC=edu']

If no attribute_role_mapping was defined, the existing behavior of all users getting ROLE_USER would be maintained.

There are likely other ways of mapping attributes to roles, both inside the CasAuthBundle or outside it after successful authentication. Any feedback on preferred ways of approaching this would be welcome.

[PRayno]

I feel it's a bit too much to ask for this bundle which just aims at providing raw authentication.
As long as you start working with roles, I feel like it belongs to the main app itself.
The CasUserProvider in the bundle is just an example of how to start using CAS authentication.

However, the feature is quite interesting and I think the biggest deal is to send the extra infos from the CasAuthBundle to the custom provider you use.
I have to see what can be done.

[arderyp]

I don't completely disagree that role assignment should be handled by our apps instead of this bundle, but is that's the agreement, there must be some method of doing so.

If we wanted to inject roles based on our own app logic, how would we do that? It looks to me like this bundle will provide 'ROLE_USER' to all CAS authenticated users, and that's that. Is there some hook that I am missing that we can implement to perform our own role assignment logic?

EDIT: Or could we simply extend your CasUser.php and CasUserProvider.php classes, overriding the necessary methods with our own logic, then use our custom user provider in security>provider>cas>id in security.yml. Would that work?

[aelores]

I had the same issue. I needed to add the app logic ROLES.
First I added the custom roles handling in the bundle file (class) CasUserProvider.
But this is far from the best practices and I have to find another way...

So I'm trying to find another way to handle this.

I digged some alternatives and I think the best way to handle this case is to use an EventListener on the authentication success.

The second potential solution could be to override the CasUser->getRoles method ...

But I'm still digging !

Regards !