
Addendum: Inbound identity improvements

Jose edited this page Mar 7, 2019 · 2 revisions

Notes about attribute mapping:

  • I think it's more convenient if mapping takes place in node code. Pros: mapping logic easier to code, cust scripts would lose a bit of weight and overhead, the payload sent to cust script will contain only the necessary data, and also, the language (JavaScript) lends itself well if we need to apply custom transformations to attributes (a complementary feature to attribute mapping).

  • Checking how data received by oauth providers is structured, I found a lot of divergence, so there is no way to abstract out a single common mapping for google, github, twitter, etc.

  • CRUD for reusable mapping profiles seems sophisticated and complex to implement. Originally the plan stated that mappings were editable in oxTrust, but to the best of our efforts, we won't get close to a richer dynamic mapping like:

	uid: profile.username || profile.id,
	mail: profile.emails[0].value,
	...

So my conclusion is to keep separate mappings in node code, similarly to what the files in the auth folder do. In this sense there will only be 3 big jsons for config: general config, providers, and idp-initiated config.

When an external provider is added in oxTrust, we can offer a list of available mappings to choose from. Customers can also craft their own mappings by adding the mapping logic in a separate file which may look like this:

profile => {
	return {
		uid: profile.username || profile.id,
		mail: profile.emails[0].value,
		cn: profile.displayName,
		displayName: profile.displayName,
		givenName: profile.name.givenName,
		sn: profile.name.familyName
	}
}

It's merely a function that takes the profile data the underlying passport strategy is releasing and applies arbitrary transformations. The keys of the object (before the colons) are names of LDAP attributes. In this way we avoid all the unnecessary intermediate mappings we are currently dealing with.

Our node code will execute these functions dynamically and will drop missing or null data, so that only actual data is posted to oxauth.