By: Jeff E Mandel user 28 Nov 2017 at 9:08 p.m. CST

5 Responses
I'm trying to secure several applications on a single server with mod_auth_oidc based on group membership. I added memberOf as a scope for openid, and convinced mod_auth_oidc to put it into the header. I have a user who is a memberOf a single group. What I get is this:

```
USERINFO_memberOf: inum=@!7607.49E8.BA18.0F11!0001!497A.634B!0003!7687.FC85,ou=groups,o=@!7607.49E8.BA18.0F11!0001!497A.634B,o=gluu
```

Which is identical to what I see in the memberOf field of the Manage Users entry for that user. I suppose I can look for !0003!7687.FC85 as a substring to match in the Require claim, but is there a way to translate the inum to the group name?

By Michael Schwartz Account Admin 28 Nov 2017 at 9:16 p.m. CST

The memberOf attribute references the DN of the group. I'd suggest using an attribute of the user, like role, rather than memberOf. Also remember that the Gluu Server is usually a consumer of identity. There needs to be some IDM process that keeps the Gluu Server properly fed with user data. Or you can use the built-in cache refresh process to synchronize an external LDAP server (and then use the cache refresh interception script to transform attribute values--i.e. perhaps re-write the DN of the group to something more meaningful.)
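The DN-to-name rewrite suggested in this reply, as an added example that is not part of the thread or of Gluu's own code: plain Python rather than the Jython interception-script API, parsing the memberOf DN from the question, extracting the group inum and mapping it to a name that a `Require claim` rule can then match exactly instead of by substring. The `GROUP_NAMES` table and the function names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed mapping from group inum to a readable group name (hypothetical;
# in a real deployment this would be read from the group entries themselves).
GROUP_NAMES: Dict[str, str] = {
    "@!7607.49E8.BA18.0F11!0001!497A.634B!0003!7687.FC85": "clinical-trial-users",
}


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs.

    Unescapes backslash-escaped commas and equals signs (RFC 4514).
    Multi-valued RDNs joined with '+' do not occur in Gluu DNs and are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not attr or not sep:
            raise ValueError("malformed RDN: %r" % part)
        value = value.replace("\\,", ",").replace("\\=", "=")
        rdns.append((attr.strip().lower(), value))
    return rdns


def group_inum(dn: str) -> Optional[str]:
    """Return the group inum from a Gluu group DN, or None when the DN is not
    a group entry (first RDN must be inum=..., second must be ou=groups)."""
    rdns = split_dn(dn)
    if len(rdns) < 2 or rdns[0][0] != "inum" or rdns[1] != ("ou", "groups"):
        return None
    return rdns[0][1]


def rewrite_member_of(values: List[str]) -> List[str]:
    """Replace each memberOf group DN with its readable name.

    Unknown groups keep their full inum so they remain distinguishable;
    DNs that are not group entries are dropped rather than passed through.
    """
    names = []
    for dn in values:
        inum = group_inum(dn)
        if inum is None:
            continue
        names.append(GROUP_NAMES.get(inum, inum))
    return names
```

The rewritten value is what would be exposed in the header, so a `Require claim` rule can then compare against a whole group name rather than an inum fragment.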

By Jeff E Mandel user 28 Nov 2017 at 9:59 p.m. CST

I thought some more about it. I'm trying to understand what the purpose of a Group is. It seems to me that it would be nice if being a member of a Group was a necessary condition for authenticating to an openid client. Am I missing something? Thanks

By Michael Schwartz Account Admin 28 Nov 2017 at 10:36 p.m. CST

Some people love groups. It's vestigial.

By Jeff E Mandel user 29 Nov 2017 at 7:38 a.m. CST

OK. More to the point - is there an attribute that can be associated with a user that is required for accessing an openid client? I figured out how to add a role (permission) to my user profile and get it into the header, but this only gets enforced at the mod_auth_oidc level. I'm willing to do this for now (I'm trying to launch a clinical trial that will be restricted to a small number of users for a single app), but (hopefully) I will be scaling up to more users and more apps. Thanks

By Michael Schwartz Account Admin 29 Nov 2017 at 10:54 a.m. CST

IMHO, that's what UMA access tokens are for. I'd be happy to have a quick chat with you about it if you want to schedule at [http://gluu.org/booking](http://gluu.org/booking)