Add Username Remapping & Uppercase Group Names Support in OAuth2 Authentication Filter #410

Open
wants to merge 1 commit into
base: master

afabiani
Member

This pull request introduces two new features and some refactoring improvements in the OAuth2 authentication filter:

New Features

  1. Username Remapping from idToken Claims:

    • The filter now decodes the idToken only once using a helper (JWTHelper).
    • If the configuration provides non-blank values for both principalKey and uniqueUsername, and the incoming username (from the principal claim) matches the expected value, it is remapped to the value found in the unique username claim.
    • This ensures that the system always works with a consistent unique identifier for user lookup and creation.
  2. Enforce Uppercase Group Names:

    • A new configuration parameter groupNamesUppercase has been added.
    • When enabled, groups retrieved from token claims (via the groupsClaim configuration) are normalized to uppercase during lookup and creation.
    • This change avoids mismatches due to case sensitivity, ensuring that users are assigned to the correct groups regardless of the token’s letter case.

Changes in Code and Tests

  1. Refactoring:
    The code has been refactored so that idToken decoding/validation is done only once, and the result is reused for username remapping.

  2. Updated addAuthoritiesFromToken:
    This method now checks the configuration for groupNamesUppercase and uses uppercase for group lookup/insertion if enabled. Users are correctly assigned to these groups.

  3. Unit Tests:

    • Existing tests for auto-creation and attribute mapping remain unchanged.
    • A new test (testUsernameRemapping()) validates that the incoming username is replaced by the unique claim value.
    • Another test (testGroupNamesUppercaseAndUserGroupAssignment()) verifies that groups are looked up/created in uppercase and that the user is correctly assigned to these groups.

Documentation
New configuration parameters have been introduced and should be documented in our developer guide or configuration reference:

  • principalKey:
    The name of the claim in the idToken that represents the principal (original username).

  • uniqueUsername:
    The name of the claim in the idToken that contains the unique username. If the incoming username matches the value from principalKey, it will be replaced with this unique username.

  • groupNamesUppercase:
    A boolean flag that, when enabled, forces the filter to convert group names from token claims to uppercase before lookup or creation. This parameter helps maintain consistency in group names and prevents issues related to case sensitivity.

Please review the changes and tests, and let me know if further modifications are needed.

…allow specifying which claim to be used from the JWT token as username value

 - Introducing the groupNamesUppercase configuration parameter in order to force the insertion of roles/groups claims from the JWT token uppercase
@afabiani afabiani requested review from tdipisa and MV88 February 12, 2025 15:36
@afabiani afabiani self-assigned this Feb 12, 2025
@MV88 MV88 removed their request for review February 13, 2025 08:57
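
The username remapping and uppercase group handling described in the pull request above, sketched as an added Java example; it is not code from the pull request or from the project. The class name, method names and sample claims are hypothetical, the claims map stands in for an idToken that has already been decoded and validated, and keeping the incoming username when the unique claim is missing or blank is an assumption.

```java
import java.util.*;

// Added illustration; class, method and sample names are hypothetical, not project code.
public class ClaimMappingExample {

    // Returns the unique-username claim when both keys are configured and the incoming
    // username equals the principal claim; otherwise the incoming username is kept.
    static String remapUsername(String username, Map<String, Object> claims,
                                String principalKey, String uniqueUsername) {
        if (isBlank(principalKey) || isBlank(uniqueUsername)) return username;
        Object principal = claims.get(principalKey);
        Object unique = claims.get(uniqueUsername);
        if (principal == null || !principal.toString().equals(username)) return username;
        // Assumption: a missing or blank unique claim leaves the username unchanged.
        if (unique == null || isBlank(unique.toString())) return username;
        return unique.toString();
    }

    // Normalizes group names taken from the groups claim. Locale.ROOT keeps the result
    // independent of the JVM default locale (for example the Turkish dotless i), and the
    // set collapses names that differ only by case into a single group.
    static Set<String> normalizeGroups(Collection<String> groups, boolean groupNamesUppercase) {
        Set<String> out = new LinkedHashSet<>();
        for (String g : groups) {
            if (isBlank(g)) continue;
            out.add(groupNamesUppercase ? g.toUpperCase(Locale.ROOT) : g);
        }
        return out;
    }

    static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

    public static void main(String[] args) {
        // Constructed claims standing in for an already validated, decoded idToken.
        Map<String, Object> claims = new HashMap<>();
        claims.put("email", "jane@example.org");
        claims.put("preferred_username", "jdoe");
        claims.put("groups", Arrays.asList("admin", "Admin", "editors"));

        System.out.println(remapUsername("jane@example.org", claims, "email", "preferred_username"));
        @SuppressWarnings("unchecked")
        List<String> groups = (List<String>) claims.get("groups");
        System.out.println(normalizeGroups(groups, true));
        System.out.println(normalizeGroups(groups, false));
    }
}
```

With the flag enabled, group names that differ only by case resolve to the same group, so existing mixed-case groups and their permissions should be reviewed before turning it on.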