Fixed OIDC authentication for SCIM endpoints

Previously, the Coldfront SCIM endpoints could not perform OIDC authentication, preventing usage of the client credentials and device authorization flows. A authentication middleware which subclasses from the one provided by `django_scim` has been added, which will perform OIDC authentication given an access token in the "Authorization" HTTP request header. The SCIM endpoint is now available to Coldfront users with "staff" or "superuser" status. It will perform OIDC authentication if the `PLUGIN_AUTH_OIDC` env var is set to True.
nerc-project · Aug 16, 2024 · c54ac1b · c54ac1b
1 parent 2331171
commit c54ac1b
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/src/coldfront_plugin_api/config.py b/src/coldfront_plugin_api/config.py
@@ -14,4 +14,5 @@
     "GROUP_ADAPTER": "coldfront_plugin_api.scim_v2.adapter_group.SCIMColdfrontGroup",
     "GROUP_FILTER_PARSER": "coldfront_plugin_api.scim_v2.filters.ColdfrontGroupFilterQuery",
     "GET_IS_AUTHENTICATED_PREDICATE": "coldfront_plugin_api.utils.is_user_superuser",
+    "AUTH_CHECK_MIDDLEWARE": "coldfront_plugin_api.scim_v2.auth_middleware.SCIMColdfrontAuthCheckMiddleware",
 }
diff --git a/src/coldfront_plugin_api/scim_v2/auth_middleware.py b/src/coldfront_plugin_api/scim_v2/auth_middleware.py
@@ -0,0 +1,17 @@
+import os
+import logging
+
+from django_scim.middleware import SCIMAuthCheckMiddleware
+from mozilla_django_oidc.contrib.drf import OIDCAuthentication
+
+logger = logging.getLogger(__name__)
+
+
+class SCIMColdfrontAuthCheckMiddleware(SCIMAuthCheckMiddleware):
+    def process_request(self, request):
+        if not request.user or not request.user.is_staff:
+            # PLUGIN_AUTH_OIDC implies DRF OIDC backend is configured
+            if os.getenv("PLUGIN_AUTH_OIDC") == "True":
+                oidc_auth_obj = OIDCAuthentication()
+                request.user = oidc_auth_obj.authenticate(request)
+            return super().process_request(request)
diff --git a/src/coldfront_plugin_api/utils.py b/src/coldfront_plugin_api/utils.py
@@ -59,7 +59,7 @@ def is_user_superuser(user: User):
     As a temporary hack, this function will handle raising the appropriate 403 error if
     user is authenticated, but not superuser
     """
-    if user.is_authenticated and not user.is_superuser:
+    if user.is_authenticated and not user.is_staff:
         raise PermissionDenied
     else:
         return user.is_authenticated