How to authorize user using username OR sub claim instead of email address #413

Closed
cpatel-secureauth opened this issue Aug 19, 2021 · 8 comments

@cpatel-secureauth
Contributor

cpatel-secureauth commented Aug 19, 2021

I have tested authentication successfully as Email which is within a Vouch Proxy managed domain.

To avoid the error below, I was looking for a way to authorize a user using the Username OR Sub claim.

```
{"level":"warn","ts":1629395919.9066803,"msg":"/auth User is not authorized: verifyUser: Email is not within a Vouch Proxy managed domain
```

Is it possible?

@bnfinet
Member

bnfinet commented Aug 20, 2021

@cpatel-secureauth that level of access control is not currently natively supported in Vouch Proxy.

There are some examples in #107 and other issues in the repository which show how to do it on the Nginx side with openresty.

@bnfinet
Member

bnfinet commented Aug 20, 2021

@cpatel-secureauth feel free to continue the conversation here. If it becomes evident there's more to discuss I'm happy to reopen the issue.

@bnfinet
Member

bnfinet commented Aug 20, 2021

#175 is a very similar request

@cpatel-secureauth
Contributor Author

I have figured out a way to authorize the user using the sub claim instead of email, and it's required to change code in the openid provider.
If I create a new provider called SecureAuth, can I use it like below in config.yml?

```yaml
oauth:
  provider: secureauth
```

@bnfinet
Member

bnfinet commented Aug 25, 2021

@cpatel-secureauth have you seen #367 and #310? That's also sub focused.

Could you test #367 and see if that works for you?

@cpatel-secureauth
Contributor Author

I have created a new provider called "secureauth" and tested sub-focused authorization.
I'll create a new pull request for the new provider called "secureauth".

@bnfinet
Member

bnfinet commented Aug 27, 2021

@cpatel-secureauth of course I understand why you'd like to have a new provider for secureauth but I'm hopeful that #367 might be a viable solution and allow secureauth to work within the bounds of provider: oidc.

Did you look at #367? What did you think?

Thanks again to you and SecureAuth for your interest in Vouch Proxy.

@cpatel-secureauth
Contributor Author

cpatel-secureauth commented Sep 1, 2021

@bnfinet It is working as expected. I didn't see #367 before and I am glad that I was able to figure it out myself.
Yes, I have checked #367, and I was trying the same thing in structs.go by defining Username as the Sub claim, as shown below.

```go
// PrepareUserData implement PersonalData interface
func (u *User) PrepareUserData() {
	if u.Username == "" {
		u.Username = u.Sub
	}
}
```
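
Added example, not part of the thread and not Vouch Proxy's own code: the sub fallback from the comment above, followed by an exact-match allowlist check on the resulting Username instead of an email-domain check. The JSON tags, `authorize`, `errNotAuthorized` and the sample userinfo documents are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User mirrors the fields used in the snippet above; JSON tags are assumed.
type User struct {
	Sub      string `json:"sub"`
	Username string `json:"preferred_username"`
	Email    string `json:"email"`
}

// PrepareUserData falls back to the sub claim when no username was sent.
func (u *User) PrepareUserData() {
	if u.Username == "" {
		u.Username = u.Sub
	}
}

var errNotAuthorized = errors.New("user is not authorized")

// authorize (hypothetical helper) admits a user only when the prepared
// Username exactly matches an allowlist entry; email is never consulted.
func authorize(userinfo []byte, allowlist map[string]bool) (*User, error) {
	var u User
	if err := json.Unmarshal(userinfo, &u); err != nil {
		return nil, fmt.Errorf("parse userinfo: %w", err)
	}
	u.PrepareUserData()
	// Fail closed: a response carrying neither claim must never match.
	if u.Username == "" || !allowlist[u.Username] {
		return nil, errNotAuthorized
	}
	return &u, nil
}

func main() {
	allow := map[string]bool{"constructed-sub-0001": true}
	// Constructed userinfo documents: sub only, unlisted sub, no claims.
	for _, doc := range []string{`{"sub":"constructed-sub-0001"}`,
		`{"sub":"other","email":"user@example.com"}`, `{}`} {
		_, err := authorize([]byte(doc), allow)
		fmt.Printf("%-45s authorized=%v\n", doc, err == nil)
	}
}
```

In this example Username can come from either claim, so an allowlist keyed on it mixes two namespaces; comparing against `Sub` directly keeps a username from matching an entry that was meant as another account's sub.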
