Re: [dspace-tech] Re: OIDC Authentication and groups
On Wed, Mar 22, 2023 at 06:57:18PM -0700, Gabriela wrote: > I tried to to assign a fixed set of groups to *all* OIDC-authenticated > sessions. A few minutes of work, became hours, and I am going around in > circles. Any guidance would be very much appreciated. I don't have any way to test this, but it compiles: diff --git a/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java b/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java index 8a4ac190c8..53d47fac05 100644 --- a/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java +++ b/dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java @@ -16,6 +16,8 @@ import static org.apache.commons.lang3.StringUtils.isBlank; import java.io.UnsupportedEncodingException; import java.sql.SQLException; +import java.util.ArrayList; +import java.util.Collections; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -23,13 +25,16 @@ import java.util.Map.Entry; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.StringUtils; import org.dspace.authenticate.oidc.OidcClient; import org.dspace.authenticate.oidc.model.OidcTokenResponseDTO; import org.dspace.core.Context; +import org.dspace.core.LogHelper; import org.dspace.eperson.EPerson; import org.dspace.eperson.Group; import org.dspace.eperson.service.EPersonService; +import org.dspace.eperson.service.GroupService; import org.dspace.services.ConfigurationService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -64,6 +69,9 @@ public class OidcAuthenticationBean implements AuthenticationMethod { @Autowired private EPersonService ePersonService; +@Autowired +private GroupService groupService; + @Override public boolean allowSetPassword(Context context, HttpServletRequest request, String username) throws SQLException { return false; 
@@ -84,8 +92,36 @@ public class OidcAuthenticationBean implements AuthenticationMethod { } @Override -public List getSpecialGroups(Context context, HttpServletRequest request) throws SQLException { -return List.of(); +public List getSpecialGroups(Context context, HttpServletRequest request) +throws SQLException { +if (request == null) { +return Collections.EMPTY_LIST; +} + +List groups = new ArrayList<>(); +StringBuilder groupIDs = new StringBuilder(); +for (String name : configurationService.getArrayProperty( +"authentication-oidc.login.specialgroup", +ArrayUtils.EMPTY_STRING_ARRAY)) { +Group group = groupService.findByName(context, name); +if (null != group) { +groups.add(group); +if (groupIDs.length() > 0) { +groupIDs.append(", "); +} +groupIDs.append(group.getID()); +} else { +LOGGER.warn(LogHelper.getHeader(context, "authenticated", +"Unknown special group {} not granted"), name); +} +} + +if (groupIDs.length() > 0) { +LOGGER.debug(LogHelper.getHeader(context, "authenticated", +"special_groups={}"), groupIDs.toString()); +} + +return groups; } @Override diff --git a/dspace/config/modules/authentication-oidc.cfg b/dspace/config/modules/authentication-oidc.cfg index bbb8489a77..4349df87f2 100644 --- a/dspace/config/modules/authentication-oidc.cfg +++ b/dspace/config/modules/authentication-oidc.cfg 
@@ -45,4 +45,8 @@ authentication-oidc.user-info.email = email authentication-oidc.user-info.first-name = given_name #Specify the attribute present in the user info json related to the user's last name -authentication-oidc.user-info.last-name = family_name \ No newline at end of file +authentication-oidc.user-info.last-name = family_name + +# Any session which is authenticated using OIDC will be granted membership in +# these groups. +#authentication-oidc.login.specialgroup = groupname -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu -- All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/ZBxVYbuB0YVJYtCA%40IUPUI.Edu. signature.asc Description: PGP signature
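Review bot: in the `getSpecialGroups` hunk (`@@ -84,8 +92,36 @@`), the configured groups are handed out on every call with a non-null `request`, but nothing verifies that the current session was in fact authenticated through OIDC, even though the new config comment promises them only to sessions "authenticated using OIDC". If the authentication service asks every configured method for its special groups, a session that logged in by password or LDAP would collect these groups as well; gate the grant on a marker that only the OIDC login path sets and return the empty list otherwise. The `request == null` guard on its own decides nothing, because `request` is never read after it. Minor: `return Collections.EMPTY_LIST;` is the raw-typed constant and is the only reason for the new `Collections` import; the replaced line, `return List.of();`, was already a typed empty list and could simply stay for that branch.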
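Review bot: in the `authentication-oidc.cfg` hunk, the comment says "these groups" while the example shows a single `groupname`; since the Java side reads the key through `configurationService.getArrayProperty(...)`, state the list syntax (comma-separated values in DSpace's configuration service) so administrators know how to name several groups, and add that names not matching an existing group are logged with a warning and skipped rather than created. Shipping the property commented out is the right default: with no value the method returns an empty list, so no session gains extra privileges until an administrator opts in.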
Re: [dspace-tech] Re: OIDC Authentication and groups
Hello Mark,

I tried to assign a fixed set of groups to *all* OIDC-authenticated sessions. A few minutes of work became hours, and I am going around in circles. Any guidance would be very much appreciated.

Best,
G

On Tuesday, March 21, 2023 at 9:18:34 AM UTC-6 Gabriela wrote:
> Thank you Mark. This is very informative.
>
> I would like to assign a fixed set of groups to *all* OIDC-authenticated sessions.
>
> Best,
> G
>
> On Tuesday, March 21, 2023 at 8:26:47 AM UTC-6 Mark H. Wood wrote:
>> On Tue, Mar 21, 2023 at 10:08:13AM -0400, Mark H. Wood wrote:
>> > On Mon, Mar 20, 2023 at 09:27:49PM -0700, Gabriela wrote:
>> > > Am I missing something or there is no way to automatically add new users (created with OIDC Authentication) to a group?
>>
>> I feel a need to address a common misconception. No part of DSpace adds new users to a group. DSpace optionally adds groups to a new *session* when the user uses a particular authentication method configured to do so. The user's recorded membership is unaltered, and you won't ever find those group memberships in the 'epersongroup2eperson' table.
>>
>> I should also ask you how you want the group assignment to work. Do you want to use OIDC-mediated user roles to control which groups are assigned to a session, or do you want to assign a fixed set of groups to *all* OIDC-authenticated sessions? The latter should be a few minutes' work; the former requires a bit more.
>>
>> --
>> Mark H. Wood
>> Lead Technology Analyst
>> University Library
>> Indiana University - Purdue University Indianapolis
>> 755 W. Michigan Street
>> Indianapolis, IN 46202
>> 317-274-0749
>> www.ulib.iupui.edu
Re: [dspace-tech] Re: OIDC Authentication and groups
Thank you Mark. This is very informative.

I would like to assign a fixed set of groups to *all* OIDC-authenticated sessions.

Best,
G

On Tuesday, March 21, 2023 at 8:26:47 AM UTC-6 Mark H. Wood wrote:
> On Tue, Mar 21, 2023 at 10:08:13AM -0400, Mark H. Wood wrote:
> > On Mon, Mar 20, 2023 at 09:27:49PM -0700, Gabriela wrote:
> > > Am I missing something or there is no way to automatically add new users (created with OIDC Authentication) to a group?
>
> I feel a need to address a common misconception. No part of DSpace adds new users to a group. DSpace optionally adds groups to a new *session* when the user uses a particular authentication method configured to do so. The user's recorded membership is unaltered, and you won't ever find those group memberships in the 'epersongroup2eperson' table.
>
> I should also ask you how you want the group assignment to work. Do you want to use OIDC-mediated user roles to control which groups are assigned to a session, or do you want to assign a fixed set of groups to *all* OIDC-authenticated sessions? The latter should be a few minutes' work; the former requires a bit more.
>
> --
> Mark H. Wood
> Lead Technology Analyst
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
Re: [dspace-tech] Re: OIDC Authentication and groups
On Tue, Mar 21, 2023 at 10:08:13AM -0400, Mark H. Wood wrote:
> On Mon, Mar 20, 2023 at 09:27:49PM -0700, Gabriela wrote:
> > Am I missing something or there is no way to automatically add new users (created with OIDC Authentication) to a group?

I feel a need to address a common misconception. No part of DSpace adds new users to a group. DSpace optionally adds groups to a new *session* when the user uses a particular authentication method configured to do so. The user's recorded membership is unaltered, and you won't ever find those group memberships in the 'epersongroup2eperson' table.

I should also ask you how you want the group assignment to work. Do you want to use OIDC-mediated user roles to control which groups are assigned to a session, or do you want to assign a fixed set of groups to *all* OIDC-authenticated sessions? The latter should be a few minutes' work; the former requires a bit more.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: [dspace-tech] Re: OIDC Authentication and groups
On Mon, Mar 20, 2023 at 09:27:49PM -0700, Gabriela wrote:
> Am I missing something or there is no way to automatically add new users (created with OIDC Authentication) to a group?

It seems that you are not missing anything: the OIDC authenticator code always returns an empty list of "special groups." It should be a very small matter to implement a simple static list of special groups, but no one has done so.

See also:

https://github.com/DSpace/DSpace/issues/8406
https://github.com/DSpace/DSpace/issues/8405

concerning the more complex problem of mapping OIDC roles to DSpace groups.

> On Monday, March 20, 2023 at 3:10:07 PM UTC-6 Gabriela wrote:
>
> > Hello,
> >
> > We successfully enabled the OIDC Authentication but I do not see a way to automatically assign new accounts created with OIDC Authentication to a group.
> >
> > Gabriela

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
[dspace-tech] Re: OIDC Authentication and groups
Am I missing something or there is no way to automatically add new users (created with OIDC Authentication) to a group?

Thank you
G

On Monday, March 20, 2023 at 3:10:07 PM UTC-6 Gabriela wrote:
> Hello,
>
> We successfully enabled the OIDC Authentication but I do not see a way to automatically assign new accounts created with OIDC Authentication to a group.
>
> Gabriela