feat: Add ability to ignore roles when logging in with SSO (#534)

Closes #533
plankanban · Oct 25, 2023 · d4b64b9 · d4b64b9
1 parent 1a49826
commit d4b64b9
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 0 deletions.
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -45,6 +45,7 @@ services:
       # - OIDC_SCOPES=openid email profile
       # - OIDC_ADMIN_ROLES=admin
       # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_IGNORE_ROLES=true
     depends_on:
       - postgres
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -45,6 +45,7 @@ services:
       # - OIDC_SCOPES=openid email profile
       # - OIDC_ADMIN_ROLES=admin
       # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_IGNORE_ROLES=true
     depends_on:
       - postgres
 

diff --git a/server/.env.sample b/server/.env.sample
@@ -28,6 +28,7 @@ SECRET_KEY=notsecretkey
 # OIDC_SCOPES=openid email profile
 # OIDC_ADMIN_ROLES=admin
 # OIDC_ROLES_ATTRIBUTE=groups
+# OIDC_IGNORE_ROLES=true
 
 ## Do not edit this
 

diff --git a/server/api/helpers/users/get-or-create-one-using-oidc.js b/server/api/helpers/users/get-or-create-one-using-oidc.js
@@ -92,6 +92,11 @@ module.exports = {
 
     const updateFieldKeys = ['email', 'isAdmin', 'isSso', 'name', 'username'];
 
+    if (sails.config.custom.oidcIgnoreRoles) {
+      // Remove isAdmin from updateFieldKeys
+      updateFieldKeys.splice(updateFieldKeys.indexOf('isAdmin'), 1);
+    }
+
     const updateValues = {};
     // eslint-disable-next-line no-restricted-syntax
     for (const k of updateFieldKeys) {

diff --git a/server/config/custom.js b/server/config/custom.js
@@ -39,6 +39,7 @@ module.exports.custom = {
   oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
   oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
   oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
+  oidcIgnoreRoles : process.env.OIDC_IGNORE_ROLES || false,
 
   // TODO: move client base url to environment variable?
   oidcRedirectUri: `${