Skip to content

Commit

Permalink
feat: protocol mappers (#621)
Browse files Browse the repository at this point in the history 
## Description
This is just here to demonstrate POC of protocol mappers to kick off
discussion. At this point no intention to merge.

## Related Issue

Relates to #305

---------

Co-authored-by: Chance <[email protected]>
Co-authored-by: UnicornChance <[email protected]>
Co-authored-by: Rob Ferguson <[email protected]>
  • Loading branch information
@ericwyles @UnicornChance @rjferguson21
4 people authored Sep 3, 2024
1 parent 0705ba6 commit d71cb44
Show file tree
Hide file tree
Showing 4 changed files with 92 additions and 6 deletions.
19 changes: 18 additions & 1 deletion docs/configuration/uds-operator.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package C
- **SSO Group Authentication:**
- Group authentication determines who can access the application based on keycloak group membership.
- At this time `anyOf` allows defining a list of groups, a user must belong to at least one of them.
- Custom client `protocolMapper`'s that will be created alongside the client and added to the client's dedicated scope.
- **Authservice Protection:**
- Authservice authentication provides application agnostic SSO for applications that opt-in.
{{% alert-caution %}}
Expand Down Expand Up @@ -61,7 +62,7 @@ spec:
port: 9411
description: "Tempo"

# SSO allows for the creation of Keycloak clients and with automatic secret generation
# SSO allows for the creation of Keycloak clients and with automatic secret generation and protocolMappers
sso:
- name: Grafana Dashboard
clientId: uds-core-admin-grafana
Expand All @@ -70,6 +71,22 @@ spec:
groups:
anyOf:
- /UDS Core/Admin
# Define protocolMappers to be created as dedicated scopes for the client
protocolMappers:
- name: username
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
config:
user.attribute: "username"
claim.name: "username"
userinfo.token.claim: "true"
- name: email
protocol: "openid-connect"
protocolMapper: "oidc-usermodel-property-mapper"
config:
user.attribute: "email"
claim.name: "email"
userinfo.token.claim: "true"
```
### Example UDS Package CR with SSO Templating
Expand Down
4 changes: 4 additions & 0 deletions src/pepr/operator/controllers/keycloak/types.ts
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
import { ProtocolMapper } from "../../crd/generated/package-v1alpha1";

export interface Client {
alwaysDisplayInConsole: boolean;
attributes: Record<string, string>;
Expand All @@ -17,6 +19,7 @@ export interface Client {
notBefore: number;
optionalClientScopes: string[];
protocol: string;
protocolMappers?: ProtocolMapper[];
publicClient: boolean;
redirectUris: string[];
registrationAccessToken?: string;
Expand Down Expand Up @@ -48,6 +51,7 @@ export const clientKeys = [
"notBefore",
"optionalClientScopes",
"protocol",
"protocolMappers",
"publicClient",
"redirectUris",
"registrationAccessToken",
Expand Down
35 changes: 32 additions & 3 deletions src/pepr/operator/crd/generated/package-v1alpha1.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -538,7 +538,7 @@ export interface Sso {
*/
enabled?: boolean;
/**
* The client sso group type
* The client SSO group type
*/
groups?: Groups;
/**
Expand All @@ -549,6 +549,10 @@ export interface Sso {
* Specifies the protocol of the client, either 'openid-connect' or 'saml'
*/
protocol?: Protocol;
/**
* Protocol Mappers to configure on the client
*/
protocolMappers?: ProtocolMapper[];
/**
* Defines whether the client requires a client secret for authentication
*/
Expand Down Expand Up @@ -594,23 +598,48 @@ export enum ClientAuthenticatorType {
}

/**
* The client sso group type
* The client SSO group type
*/
export interface Groups {
/**
* List of groups allowed to access to client
* List of groups allowed to access the client
*/
anyOf?: string[];
}

/**
* Specifies the protocol of the client, either 'openid-connect' or 'saml'
*
* Protocol of the mapper
*/
export enum Protocol {
OpenidConnect = "openid-connect",
Saml = "saml",
}

export interface ProtocolMapper {
/**
* Configuration options for the mapper.
*/
config?: { [key: string]: string };
/**
* Whether user consent is required for this mapper
*/
consentRequired?: boolean;
/**
* Name of the mapper
*/
name: string;
/**
* Protocol of the mapper
*/
protocol: Protocol;
/**
* Protocol Mapper type of the mapper
*/
protocolMapper: string;
}

export interface Status {
authserviceClients?: string[];
endpoints?: string[];
Expand Down
40 changes: 38 additions & 2 deletions src/pepr/operator/crd/sources/package/v1alpha1.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,42 @@ const sso = {
type: "string",
},
},
protocolMappers: {
description: "Protocol Mappers to configure on the client",
type: "array",
default: [],
items: {
type: "object",
required: ["name", "protocol", "protocolMapper"],
properties: {
name: {
description: "Name of the mapper",
type: "string",
},
protocol: {
description: "Protocol of the mapper",
type: "string",
enum: ["openid-connect", "saml"],
},
protocolMapper: {
description: "Protocol Mapper type of the mapper",
type: "string",
},
consentRequired: {
description: "Whether user consent is required for this mapper",
type: "boolean",
default: false,
},
config: {
description: "Configuration options for the mapper.",
type: "object",
additionalProperties: {
type: "string",
},
},
},
},
},
rootUrl: {
description: "Root URL appended to relative URLs",
type: "string",
Expand Down Expand Up @@ -359,11 +395,11 @@ const sso = {
},
},
groups: {
description: "The client sso group type",
description: "The client SSO group type",
type: "object",
properties: {
anyOf: {
description: "List of groups allowed to access to client",
description: "List of groups allowed to access the client",
type: "array",
items: {
type: "string",
Expand Down

0 comments on commit d71cb44

Please sign in to comment.