Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auto add user to correct organization based on JWT token #1286

Open
pimmerks opened this issue Sep 11, 2024 · 1 comment
Open

Auto add user to correct organization based on JWT token #1286

pimmerks opened this issue Sep 11, 2024 · 1 comment
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@pimmerks
Copy link

Feature description 💡

Hi, we would like to have an option available to automatically add users to the correct Organization based on the ID/JWT token that the user is authenticated with.

This feature can have different use-cases:

  • In an organization where each 'team' has it's own 'Terrakube organization', and teams are managed by the Identity Provider
  • Allowing access to Terrakube in a B2B scenario.

The general flow would be:

  1. User logs in
    The IDP adds a specific claim to the JWT token, for example organization
  2. Terrakube checks JWT token ({..., "organization": "org-a", ...})
  3. Terrakube checks if org-a exists
  4. Terrakube adds user to org-a

We could possible also create the organization if it does not exists yet.

This behaviour should be configurable in the settings.

# Settings example:
createOrganizationOnLogin: true/false
addUserToOrganizationOnLogin: true/false
organizationNameClaim: "organization"

I am able to help with creating a PR if you see value in this feature.

Anything else?

No response
@pimmerks pimmerks added the enhancement New feature or request label Sep 11, 2024
@alfespa17
Copy link
Member

This sounds like an interesting idea, feel free to send a pull request with this feature and just keep in mind to leave some option to enable or disable it.

I guess you can add some logic similar to the one that we use to validate if a PAT token is deleted in this part of the code

terrakube/api/src/main/java/org/terrakube/api/plugin/security/authentication/dex/DexAuthenticationManagerResolver.java

Line 51 in 9b45945

if (isTokenDeleted(getTokenId(request))){

And you can parse the token similar to this.

terrakube/api/src/main/java/org/terrakube/api/plugin/security/authentication/dex/DexAuthenticationManagerResolver.java

Line 92 in 9b45945

private String getTokenId(HttpServletRequest request) {

Or you can also parse it like this.

terrakube/registry/src/main/java/org/terrakube/registry/configuration/authentication/dex/RegistryAuthenticationManagerResolver.java

Line 57 in 9b45945

private String getJwtIssuer(HttpServletRequest request) {

@alfespa17 alfespa17 added help wanted Extra attention is needed good first issue Good for newcomers labels Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alfespa17 @pimmerks