letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Merge branch 'main' into quenting/upstream-oauth/better-conflict-options

Browse Source
This commit is contained in:
Quentin Gliech
2025-11-28 18:10:22 +01:00
committed by GitHub
parent 450b1fa24c ef563f33c6
commit 3e65ff54b7
4 changed files with 71 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
crates/handlers/src/upstream_oauth2/link.rs
View File

@@ -456,7 +456,7 @@ pub(crate) async fn get(
}
// We do a bunch of checks for the localpart. Instead of using nested ifs all
// the way, we use a labelled block, and use `break` for 'exitting' early when
// the way, we use a labelled block, and use `break` for 'exiting' early when
// needed
let localpart = 'localpart: {
if provider.claims_imports.localpart.ignore() {
@@ -942,7 +942,7 @@ pub(crate) async fn post(
if let Some(ref display_name) = display_name {
ctx = ctx.with_display_name(
display_name.clone(),
provider.claims_imports.email.is_forced_or_required(),
provider.claims_imports.displayname.is_forced_or_required(),
);
}

3
docs/reference/cli/manage.md
View File

@@ -78,7 +78,8 @@ Create a new user registration token.
Options:
- `--token <token>`: Specific token string to use. If not provided, a random token will be generated.
- `--usage-limit <usage_limit>`: Limit the number of times the token can be used. If not provided, the token can be used an unlimited number of times.
- `--usage-limit <usage_limit>`: Limit the number of times the token can be used. If not provided, the token can be can be used only once, unless the `--unlimited` flag is set.
- `--unlimited` Allow the token to be used an unlimited number of times.
- `--expires-in <expires_in>`: Time in seconds after which the token expires. If not provided, the token never expires.
```

9
docs/reference/configuration.md
View File

@@ -796,15 +796,6 @@ upstream_oauth2:
#action: suggest
#template: "{{ user.email }}"
# Whether the email address must be marked as verified.
# Possible values are:
# - `import`: mark the email address as verified if the upstream provider
# has marked it as verified, using the `email_verified` claim.
# This is the default.
# - `always`: mark the email address as verified
# - `never`: mark the email address as not verified
#set_email_verification: import
# An account name, for display purposes only
# This helps end user identify what account they are using
account_name:

72
docs/setup/sso.md
View File

@@ -218,7 +218,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```
@@ -255,7 +254,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```
@@ -296,7 +294,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
account_name:
template: "{{ user.name }}"
```
@@ -467,7 +464,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
```
@@ -504,7 +500,6 @@ upstream_oauth2:
email:
action: suggest
template: "{{ user.email }}"
set_email_verification: always
account_name:
template: "{{ user.preferred_username }}"
```
@@ -606,3 +601,70 @@ To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/wo
"id_token_signed_response_alg": "RS256"
}
```
### Shibboleth
[Shibboleth](https://www.shibboleth.net/) is an open-source identity management system commonly used by universities and research institutions.
It is primarily based on SAML but also supports OIDC via the [OIDC OP Plugin](https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP).
These instructions assume you have a running Shibboleth instance with the OIDC plugin configured.
Register MAS as a relying party in Shibboleth:
1. Add a metadata file (e.g. `mas-metadata.xml`) to `%{idp.home}/metadata/` with the following content:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
entityID="<client-id>">
<Extensions>
<oidcmd:ClientInformation>
<oidcmd:ClientSecret><client-secret></oidcmd:ClientSecret>
</oidcmd:ClientInformation>
</Extensions>
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<oidcmd:OIDCClientInformation scopes="openid profile email"
token_endpoint_auth_method="client_secret_basic">
<oidcmd:GrantType>authorization_code</oidcmd:GrantType>
<oidcmd:ResponseType>code</oidcmd:ResponseType>
</oidcmd:OIDCClientInformation>
</Extensions>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://<auth-service-domain>/upstream/callback/<id>"
index="1"/>
</SPSSODescriptor>
</EntityDescriptor>
```
Replace `<client-id>`, `<client-secret>`, `<auth-service-domain>`, and `<id>` with your values.
2. Reference the metadata file in `%{idp.home}/conf/metadata-providers.xml` and reload services.
Authentication service configuration:
```yaml
upstream_oauth2:
providers:
- id: 01JB6YS8N7Q2ZM9CPXW6V0KGRT
human_name: Shibboleth
issuer: "https://<shibboleth-domain>/" # TO BE FILLED
client_id: "<client-id>" # TO BE FILLED
client_secret: "<client-secret>" # TO BE FILLED
token_endpoint_auth_method: client_secret_basic
scope: "openid profile email"
discovery_mode: insecure
fetch_userinfo: true
claims_imports:
localpart:
action: require
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: suggest
template: "{{ user.email }}"
```