Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.15.x][ELY-2567] Automatically retrieve roles from an OIDC access token's "roles" claim if present #1918

Merged
merged 13 commits into from Jun 14, 2023
Merged

[1.15.x][ELY-2567] Automatically retrieve roles from an OIDC access token's "roles" claim if present #1918

merged 13 commits into from Jun 14, 2023

Conversation

fjuma
Copy link
Contributor

@fjuma fjuma commented Jun 13, 2023

fjuma and others added 13 commits June 8, 2023 10:51
@fjuma
[ELY-2362] Fix invalid configuration logic for bearer auth
cd2557e
@fjuma
[ELY-2362] Add support for the bearer-only option when using the OIDC…
0c62f94 
… HTTP mechanism
@fjuma
[ELY-2362] Add the ability to handle CORS preflight requests
01640ef
@fjuma
[ELY-2362] Ensure that a bearer token passed via an access_token quer…
201869a 
…y parameter can be processed appropriately
@fjuma
[ELY-2362] Add the ability to retrieve the bearer token using credent…
3fafb91 
…ials obtained from Basic auth
@fjuma
[ELY-2362] Return resource name if client-id hasn't been configured
875343a
@fjuma
[ELY-2362] Add tests for bearer-only authentication
38a29ce
@fjuma
[ELY-2362] Small fixes for bearer-only support
d4f222f
@fjuma
[ELY-2356] No need to sanitize the providerUrl
b32780c
@fjuma
[ELY-2357] Set the issuer URL for OIDC based on discovery
39d9716
@santoszv @fjuma
[ELY-2487] Misplaced invocation of isAutodetectedBearerOnly()
8931eed 
Method isAutodetectedBearerOnly() should be invoked after checking cached token.

Invoking isAutodetectedBearerOnly() early will break every AJAX request that relies on HTTP session. A clear example is JSF Partial Request, it will never send the header "Authorization" neither the query parameter "auth". During the initial load of view the user was authenticated, then the token was stored in HTTP session, so, JSF Partial Request relies on HTTP session onwards.

https://issues.redhat.com/browse/ELY-2487
@reinhapa @fjuma
[ELY-2303] enables combined realm & resource roles
d541f51 
Signed-off-by: Patrick Reinhart <patrick@reini.net>
@fjuma
[ELY-2567] Automatically retrieve roles from an OIDC access token's "…
e370634 
…roles" claim if present
@fjuma fjuma requested review from darranl and Skyllarr June 13, 2023 22:14
@fjuma fjuma merged commit 68e5df2 into wildfly-security:1.15.x Jun 14, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@darranl darranl darranl approved these changes

@Skyllarr Skyllarr Skyllarr approved these changes

Assignees
No one assigned
Labels
Maintenance
Projects
None yet
Milestone
No milestone
5 participants
@fjuma @darranl @Skyllarr @santoszv @reinhapa