Feature/add groups support #347
… are more easily reused
This adds support for rules like

```
rules.1.groups=sysadmins,superusers
rules.1.groupmode=any|all
```

This looks for a `groups` claim on the token, which is not a part of the spec but provided by multiple providers.

The serialized cookie is now a b64-encoded JSON payload, which attaches group information to the user.

Validation includes comparing the user's authorized groups to the rules configured on the server. A groupmode of "any" (default) will permit the request if any of the given groups is matched. A mode of "all" will permit the request only if ALL the given groups are matched.
@thomseddon is there any plan to merge this PR? What is blocking here?
+1, merging this branch would be very useful =) What is blocking?
@thomasLeclaire @nOw-Ay: I'm afraid this repo' is close to dead. Next best move for whoever might have time is to fork this repo' and support maintenance, starting with BOM to make sure dependencies are safe and maintained.
Hello, thanks a lot for the quick reply. This is really weird because the maintainer did push a commit last week. I am currently working with your fork branch which adds group support. Do you feel like you will be able to maintain it? (It is currently, as you are surely well aware, two commits behind this repo, mainly dependencies and traefik version upgrades.)
Look beyond last week: there are several years without activity here. Maybe Tom tried to take it up again but I fear there's quite a bit to do before simple consumers like me can consider the product as "back to life".
Indeed, if we as a community can agree on a few steps to clean this up with regards to long-term maintenance (automation, BOM, passing on the review torch, …), I'd be happy to contribute. Some of the tasks ahead are boring and tedious for experienced folks, but might come with a nice learning opportunity for others, in case some propose to review such works. In the past it has also shown useful to transfer the repository into its own organisation and to distribute access rights; not like with xz, but more like with notea; which can already help keep a project alive. Alternatively a fork can always be considered, which the license allows, but should remain a last resort. If it's the lack of time due to changed life circumstances, I agree that it's perfectly fine to state so and to seek a resolution with an eventual community, if desired. But nobody should be pushed into stating vulnerability or accepting help. It is also good to hear that we're here to step up and jump in, so nobody needs to be left alone with anything.
@almereyda @toxic0berliner @Jufik @thomasLeclaire, I opened a discussion to allow all willing participants to exchange and find solutions about the current state of traefik-forward-auth. You are welcome to participate if you want to.
Revamped this commit to allow groups support.
Should solve #162
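
The check described in the commit message above (a base64-encoded JSON payload carrying the user's groups, evaluated against a rule's `groups` and `groupmode`), written out as an added example; it is not code from this PR or from the project. The `Authorize` name, the `groups` JSON field and the standard base64 alphabet are assumptions. The example fails closed on a malformed payload, an empty group list and an unknown mode.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authorize applies a rule's groups and groupmode to a decoded payload; any error means deny.
func Authorize(payload string, ruleGroups []string, mode string) (bool, error) {
	// Hypothetical payload shape: the "groups" field name is an assumption.
	var u struct {
		Groups []string `json:"groups"`
	}
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return false, err
	}
	if err := json.Unmarshal(raw, &u); err != nil {
		return false, err
	}
	if len(ruleGroups) == 0 {
		return false, fmt.Errorf("rule lists no groups") // "all" would pass vacuously
	}
	have := map[string]bool{}
	for _, g := range u.Groups {
		have[g] = true
	}
	matched := 0
	for _, g := range ruleGroups {
		if have[g] {
			matched++
		}
	}
	switch mode {
	case "", "any": // "any" is the default
		return matched > 0, nil
	case "all":
		return matched == len(ruleGroups), nil
	}
	return false, fmt.Errorf("unknown groupmode %q", mode) // fail closed
}

func main() {
	// Constructed sample payload for a user who is only in "sysadmins".
	raw, _ := json.Marshal(map[string][]string{"groups": {"sysadmins"}})
	cookie := base64.StdEncoding.EncodeToString(raw)
	fmt.Println(Authorize(cookie, []string{"sysadmins", "superusers"}, "all"))
}
```

Because the payload now carries authorization data, its integrity has to be verified before a check like this runs; base64 only encodes the groups and does not protect them from modification.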