Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Support for mapping remote user auth claims to user attributes #365

Open
wants to merge 2 commits into
base: stable
Choose a base branch
from

Conversation

rizlas
Copy link

@rizlas rizlas commented Jun 29, 2023

Hi,
this PR aim to close #208. Requested changes in #208 have been implemented. This will now support not only shibboleth but any remote user based authentication (e.g oidc) as long as claims are passed via http headers.

This settings represent the mapping between user field and http headers.
As stated in #208 it is also possible to define multiple headers that you can receive a value from (e.g. RealName).

Of course if WebRemoteUserAuth and WebRemoteUserAutocreate are disabled, RemoteUserHeaders will be ignored.

# See lib/RT/User.pm for RT possibile mapping fields
Set($RemoteUserHeaders,
    {
        'attributes_map' => {
            'Name'          => ['HTTP_USERNAME'],
            'EmailAddress'  => ['HTTP_MAIL'],
            'RealName'      => ['HTTP_DISPLAYNAME','HTTP_CN','HTTP_GIVENNAME'],
            'Gecos'         => ['HTTP_SURNAME'],
        }
    }
);

Apache example of setting environment variable is:

ProxyFCGISetEnvIf "true" HTTP_DISPLAYNAME "%{reqenv:OIDC_CLAIM_name}"

Thank you

@einar
Copy link

einar commented Jun 29, 2023

Hi @rizlas, nice to see someone using this. :) Just FYI I will be quite limited in helping out to get this merged as I have not touched any perl since 2017 and currently delve in infrastructure so I no longer have any access to any testing environment(s). Would be great if it could be merged though with your (or RT's) help as I still consider RT to be one of the best ticket-trackers there is and it's sad to keep this out of master/stable.

@rizlas
Copy link
Author

rizlas commented Jun 29, 2023

Hi, yeah it is really helpful for remote user based auth.
I've never written perl till today, I just tweaked your original PR 🤣

I didn't include the utf8 fix that I read in your dockerization (https://github.com/SUNET/docker-rt-swamid/blob/master/Web.pm.patch#L47). However, in the absence of an equivalent function, I believe that that should be added too.

@einar
Copy link

einar commented Jun 29, 2023

You do need it unless you expect only strict ascii-users (which never happens, there's always some random chars in names). :) Names will misbehave unless you keep the utf8-line.

@rizlas
Copy link
Author

rizlas commented Jun 29, 2023

(which never happens, there's always some random chars in names)

Yeah, that's why for me it should be included 😆 But maybe there is already a helper function that does utf8 conversion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants