From 290f02ce66dc07cb82076d1d8f89ffce320a2100 Mon Sep 17 00:00:00 2001 From: Lorenzo Natali Date: Tue, 9 Jul 2024 18:33:12 +0200 Subject: [PATCH 1/5] Improved doc for OIDC --- .../integrations/users/openId.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/developer-guide/integrations/users/openId.md b/docs/developer-guide/integrations/users/openId.md index 7775d1dba3..eebd588ff8 100644 --- a/docs/developer-guide/integrations/users/openId.md +++ b/docs/developer-guide/integrations/users/openId.md @@ -92,6 +92,8 @@ oidcOAuth2Config.internalRedirectUri=http://localhost:8080/mapstore - `oidcOAuth2Config.rolesClaim`: (*optional*) the role claims. If a claim contains roles, you can map them to MapStore roles. The roles can be only `ADMIN` or `USER`. If the claim is not present, the default role will be `USER`. - `oidcOAuth2Config.groupsClaim`: (*optional*) the group claims. If a claim contains groups, you can map them to MapStore groups. If the claim is not present, no group will be assigned (except the default `everyone` group). - `oidcOAuth2Config.globalLogoutEnabled`: (*optional*): if true (and the server supports it) invokes global logout on MapStore logout +- `keycloakOAuth2Config.roleMappings`: comma separated list of mappings with the following format ``keycloak_admin_role:ADMIN,keycloak_user_role:USER``. These mappings will be used to map Keycloak roles to MapStore roles. Allowed values `USER` or `ADMIN`. +- `keycloakOAuth2Config.groupMappings`: comma separated list of mappings with the following format ``keycloak_role_name:mapstore_group_name,keycloak_role_name2:mapstore_group_name2``. These mappings will be used to map Keycloak roles to MapStore groups. !!! note The `rolesClaim` and `groupsClaim` are optional. If you don't need to map roles or groups, you can omit them. At the moment, there is no mapping for roles and groups for the generic OIDC provider. If you need to map roles and groups, you can use the `keycloak` provider. 
@@ -176,6 +178,22 @@ oidcOAuth2Config.internalRedirectUri=http://localhost:8080/mapstore } ``` +With Microsoft Azure you can configure the `rolesClaim` and `groupsClaim` to map the roles and groups to MapStore roles and groups. For example, if you have a claim `wids` that contains the groups, you can map them to MapStore roles and groups. +Here an example of the configuration: + +```properties +# Optional role claims, if a claim contains roles, you can map them to MapStore roles. (roles can be only ADMIN or USER) +oidcOAuth2Config.rolesClaim=wids +# Optional group claims, if a claim contains groups, you can map them to MapStore groups. +oidcOAuth2Config.groupsClaim=wids +# group mappings (comma separated list of mappings with the following format `group_claim_value_1:mapstore_group_name,group_claim_value_2:mapstore_group_name2`) +oidcOAuth2Config.groupMappings=00000002-0000-0000-c000-000000000000:MY_MAPSTORE_GROUP,00000003-0000-0000-c000-000000000000:MY_MAPSTORE_GROUP2 +# role mappings (comma separated list of mappings with the following format `role_claim_value_1:ADMIN,role_claim_value_2:USER`) +oidcOAuth2Config.roleMappings=00000002-0000-0000-c000-000000000000:ADMIN +# Default role, when no mapping has matched +oidcOAuth2Config.dropUnmapped=true +``` + ### Google The Google OpenID Connect provider allows to use Google as an authentication provider. This is useful when you want to use Google as an authentication provider for your application. From 02d564eb3881c4b0cb37f403e578dde54a5acedf Mon Sep 17 00:00:00 2001 From: Lorenzo Natali Date: Thu, 11 Jul 2024 16:57:02 +0200 Subject: [PATCH 2/5] Apply suggestions from code review --- docs/developer-guide/integrations/users/openId.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/developer-guide/integrations/users/openId.md b/docs/developer-guide/integrations/users/openId.md index eebd588ff8..cb6294892f 100644 --- a/docs/developer-guide/integrations/users/openId.md 
+++ b/docs/developer-guide/integrations/users/openId.md @@ -92,8 +92,6 @@ oidcOAuth2Config.internalRedirectUri=http://localhost:8080/mapstore - `oidcOAuth2Config.rolesClaim`: (*optional*) the role claims. If a claim contains roles, you can map them to MapStore roles. The roles can be only `ADMIN` or `USER`. If the claim is not present, the default role will be `USER`. - `oidcOAuth2Config.groupsClaim`: (*optional*) the group claims. If a claim contains groups, you can map them to MapStore groups. If the claim is not present, no group will be assigned (except the default `everyone` group). - `oidcOAuth2Config.globalLogoutEnabled`: (*optional*): if true (and the server supports it) invokes global logout on MapStore logout -- `keycloakOAuth2Config.roleMappings`: comma separated list of mappings with the following format ``keycloak_admin_role:ADMIN,keycloak_user_role:USER``. These mappings will be used to map Keycloak roles to MapStore roles. Allowed values `USER` or `ADMIN`. -- `keycloakOAuth2Config.groupMappings`: comma separated list of mappings with the following format ``keycloak_role_name:mapstore_group_name,keycloak_role_name2:mapstore_group_name2``. These mappings will be used to map Keycloak roles to MapStore groups. !!! note The `rolesClaim` and `groupsClaim` are optional. If you don't need to map roles or groups, you can omit them. At the moment, there is no mapping for roles and groups for the generic OIDC provider. If you need to map roles and groups, you can use the `keycloak` provider. 
@@ -186,12 +184,6 @@ Here an example of the configuration: oidcOAuth2Config.rolesClaim=wids # Optional group claims, if a claim contains groups, you can map them to MapStore groups. oidcOAuth2Config.groupsClaim=wids -# group mappings (comma separated list of mappings with the following format `group_claim_value_1:mapstore_group_name,group_claim_value_2:mapstore_group_name2`) -oidcOAuth2Config.groupMappings=00000002-0000-0000-c000-000000000000:MY_MAPSTORE_GROUP,00000003-0000-0000-c000-000000000000:MY_MAPSTORE_GROUP2 -# role mappings (comma separated list of mappings with the following format `role_claim_value_1:ADMIN,role_claim_value_2:USER`) -oidcOAuth2Config.roleMappings=00000002-0000-0000-c000-000000000000:ADMIN -# Default role, when no mapping has matched -oidcOAuth2Config.dropUnmapped=true ``` ### Google From f5e86f12493bfb38a57f0575b81effcd1dc846e3 Mon Sep 17 00:00:00 2001 From: Lorenzo Natali Date: Thu, 11 Jul 2024 16:59:12 +0200 Subject: [PATCH 3/5] Apply suggestions from code review --- docs/developer-guide/integrations/users/openId.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/developer-guide/integrations/users/openId.md b/docs/developer-guide/integrations/users/openId.md index cb6294892f..ea61922f63 100644 --- a/docs/developer-guide/integrations/users/openId.md +++ b/docs/developer-guide/integrations/users/openId.md @@ -184,6 +184,8 @@ Here an example of the configuration: oidcOAuth2Config.rolesClaim=wids # Optional group claims, if a claim contains groups, you can map them to MapStore groups. oidcOAuth2Config.groupsClaim=wids +# Optional "scopes". If not resent the scopes will be taken from the discovery doument +# oidcOAuth2Config.scopes=email,profile,customScope ``` ### Google From 4cedc0a8a69263655542b8c6ebc8e5246f115bbf Mon Sep 17 00:00:00 2001 
From: Lorenzo Natali Date: Thu, 11 Jul 2024 17:02:19 +0200 Subject: [PATCH 4/5] Update openId.md --- docs/developer-guide/integrations/users/openId.md | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/docs/developer-guide/integrations/users/openId.md b/docs/developer-guide/integrations/users/openId.md index ea61922f63..ef09cf044c 100644 --- a/docs/developer-guide/integrations/users/openId.md +++ b/docs/developer-guide/integrations/users/openId.md @@ -78,6 +78,8 @@ oidcOAuth2Config.internalRedirectUri=http://localhost:8080/mapstore # oidcOAuth2Config.groupsClaim=groups # Enables global logout from SSO, if properly confugred. false by default # oidcOAuth2Config.globalLogoutEnabled=true +# Optiona scopes parameter, that allows to customize the scopes to reqeuest. If empty, MapStore will use the one present in the discovery document +# oidcOAuth2Config.scopes=email,profile ``` @@ -176,18 +178,6 @@ oidcOAuth2Config.internalRedirectUri=http://localhost:8080/mapstore } ``` -With Microsoft Azure you can configure the `rolesClaim` and `groupsClaim` to map the roles and groups to MapStore roles and groups. For example, if you have a claim `wids` that contains the groups, you can map them to MapStore roles and groups. -Here an example of the configuration: - -```properties -# Optional role claims, if a claim contains roles, you can map them to MapStore roles. (roles can be only ADMIN or USER) -oidcOAuth2Config.rolesClaim=wids -# Optional group claims, if a claim contains groups, you can map them to MapStore groups. -oidcOAuth2Config.groupsClaim=wids -# Optional "scopes". If not resent the scopes will be taken from the discovery doument -# oidcOAuth2Config.scopes=email,profile,customScope -``` - ### Google The Google OpenID Connect provider allows to use Google as an authentication provider. This is useful when you want to use Google as an authentication provider for your application. 
From 043e3af270e98e1415acf4dbf64cfcb5029bf4c7 Mon Sep 17 00:00:00 2001 From: Lorenzo Natali Date: Thu, 11 Jul 2024 17:02:38 +0200 Subject: [PATCH 5/5] Update docs/developer-guide/integrations/users/openId.md --- docs/developer-guide/integrations/users/openId.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developer-guide/integrations/users/openId.md b/docs/developer-guide/integrations/users/openId.md index ef09cf044c..425a3d8928 100644 --- a/docs/developer-guide/integrations/users/openId.md +++ b/docs/developer-guide/integrations/users/openId.md @@ -78,7 +78,7 @@ oidcOAuth2Config.internalRedirectUri=http://localhost:8080/mapstore # oidcOAuth2Config.groupsClaim=groups # Enables global logout from SSO, if properly confugred. false by default # oidcOAuth2Config.globalLogoutEnabled=true -# Optiona scopes parameter, that allows to customize the scopes to reqeuest. If empty, MapStore will use the one present in the discovery document +# Optional scopes parameter, that allows to customize the scopes to reqeuest. If empty, MapStore will use the one present in the discovery document # oidcOAuth2Config.scopes=email,profile ```
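Review bot: In PATCH 1/5, hunk `@@ -92,6 +92,8 @@`, the two added bullets document `keycloakOAuth2Config.roleMappings` and `keycloakOAuth2Config.groupMappings` inside the `oidcOAuth2Config.*` option list, while the unchanged `!!! note` directly below still says the generic OIDC provider has no role or group mapping and points readers to the `keycloak` provider. Either move the two bullets to the Keycloak section, or, if the generic provider does accept `oidcOAuth2Config.roleMappings` / `oidcOAuth2Config.groupMappings` (as the Azure example in the next hunk implies), document those keys here and reword the note. The double-backtick spans (``keycloak_admin_role:ADMIN,keycloak_user_role:USER``) should be single backticks to match the rest of the list. Since a `roleMappings` entry ending in `:ADMIN` grants full administrative rights to every user whose token carries that provider role, the bullet should also state what happens when no mapping matches (the earlier bullet implies the default is `USER`), so readers do not assume an unmapped role is rejected.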
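Review bot: In PATCH 1/5, hunk `@@ -176,6 +178,22 @@`, the comment `# Default role, when no mapping has matched` does not describe the line under it, `oidcOAuth2Config.dropUnmapped=true`: a boolean named `dropUnmapped` reads as "discard claim values that match no mapping", not as a default role. Rewrite the comment to say what the flag actually does (and which behaviour `false` gives), or document the default-role setting on its own line. The example also maps the same `wids` claim to both `rolesClaim` and `groupsClaim` and maps the single value `00000002-0000-0000-c000-000000000000` to `ADMIN`; the prose should point out that every account whose token contains that value becomes a MapStore administrator, so the value chosen must be a narrowly assigned directory role, and that with `dropUnmapped=false` any other `wids` value would surface as a MapStore group. Minor: "Here an example of the configuration:" should read "Here is an example of the configuration:".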
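Review bot: In PATCH 2/5, hunk `@@ -186,12 +184,6 @@`, removing the `groupMappings`, `roleMappings` and `dropUnmapped` lines leaves the unchanged paragraph above the block still promising that the `wids` claim can be mapped "to MapStore roles and groups", while the block now shows only `rolesClaim=wids` and `groupsClaim=wids` with no mapping, and the `!!! note` earlier in the file says the generic provider does no mapping. Without a mapping, the role claim values have to be literally `ADMIN` or `USER`, which GUID-valued `wids` entries never are, so the paragraph should be reworded or removed together with these lines; PATCH 4/5 does remove it, so squashing the two would avoid the inconsistent intermediate state.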
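Review bot: In PATCH 3/5, hunk `@@ -184,6 +184,8 @@`, the added comment has two typos: "resent" should be "present" and "doument" should be "document". `oidcOAuth2Config.scopes` is a general option, not an Azure-specific one, so it belongs in the main configuration block (PATCH 4/5 moves it there; squashing would be cleaner). The comment should also state whether `openid` has to be listed explicitly when `scopes` is set: if an explicit list replaces the discovery-document defaults and omits `openid`, the provider will not issue an ID token, and a reader copying `email,profile,customScope` verbatim would hit exactly that.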
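Review bot: In PATCH 4/5, hunk `@@ -78,6 +78,8 @@`, the added comment contains several typos and a grammar slip: "Optiona" should be "Optional", "reqeuest" should be "request", "the one present" should be "the ones present", and "that allows to customize" should be "that allows customizing". A suggested replacement: `# Optional scopes parameter, which allows customizing the scopes to request. If empty, MapStore will use the ones present in the discovery document`. It would also help to say that only the scopes the application actually needs should be requested rather than everything the discovery document advertises, since every granted scope widens what the issued token can access, and to say whether `openid` is added automatically. The unchanged context line just above has "confugred" for "configured"; worth fixing while touching this block.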
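Review bot: In PATCH 4/5, hunk `@@ -176,18 +178,6 @@`, dropping the whole Azure block is consistent with the `!!! note` (no role/group mapping for the generic provider), but the series now leaves the Azure section with no mention of `rolesClaim` or `groupsClaim` at all. A single sentence noting that `oidcOAuth2Config.rolesClaim` only works when the claim values are literally `ADMIN` or `USER`, and that GUID-valued claims such as `wids` therefore cannot be used for roles on this provider, would preserve the useful part of the removed text.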
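Review bot: In PATCH 5/5, hunk `@@ -78,7 +78,7 @@`, the fix corrects "Optiona" but leaves "reqeuest" (should be "request") and "the one present" (should be "the ones present") on the same line, and "confugred" (should be "configured") on the unchanged context line two lines above. Since this patch already rewrites the comment line, it should carry the complete correction so the merged documentation does not ship with the remaining typos.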