Add authentication from upstream providers (#107)
Let BasicOIDC delegate authentication to upstream providers (Google, GitHub, GitLab, Keycloak...) Reviewed-on: #107
@@ -1,9 +1,11 @@
|
||||
use std::collections::HashMap;
|
||||
use std::net::IpAddr;
|
||||
|
||||
use crate::actors::users_actor::AuthorizedAuthenticationSources;
|
||||
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
|
||||
use crate::data::client::{Client, ClientID};
|
||||
use crate::data::login_redirect::LoginRedirect;
|
||||
use crate::data::provider::{Provider, ProviderID};
|
||||
use crate::data::totp_key::TotpKey;
|
||||
use crate::data::webauthn_manager::WebauthnPubKey;
|
||||
use crate::utils::time::{fmt_time, time};
|
||||
@@ -114,6 +116,10 @@ impl Successful2FALogin {
|
||||
}
|
||||
}
|
||||
|
||||
fn default_true() -> bool {
|
||||
true
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
|
||||
pub struct User {
|
||||
pub uid: UserID,
|
||||
@@ -142,6 +148,14 @@ pub struct User {
|
||||
/// None = all services
|
||||
/// Some([]) = no service
|
||||
pub authorized_clients: Option<Vec<ClientID>>,
|
||||
|
||||
/// Authorize connection through local login
|
||||
#[serde(default = "default_true")]
|
||||
pub allow_local_login: bool,
|
||||
|
||||
/// Allowed third party providers
|
||||
#[serde(default)]
|
||||
pub allow_login_from_providers: Vec<ProviderID>,
|
||||
}
|
||||
|
||||
impl User {
|
||||
@@ -162,6 +176,19 @@ impl User {
|
||||
)
|
||||
}
|
||||
|
||||
/// Get the list of sources from which a user can authenticate from
|
||||
pub fn authorized_authentication_sources(&self) -> AuthorizedAuthenticationSources {
|
||||
AuthorizedAuthenticationSources {
|
||||
local: self.allow_local_login,
|
||||
upstream: self.allow_login_from_providers.clone(),
|
||||
}
|
||||
}
|
||||
|
||||
/// Check if a user can authenticate using a givne provider or not
|
||||
pub fn can_login_from_provider(&self, provider: &Provider) -> bool {
|
||||
self.allow_login_from_providers.contains(&provider.id)
|
||||
}
|
||||
|
||||
pub fn granted_clients(&self) -> GrantedClients {
|
||||
match self.authorized_clients.as_deref() {
|
||||
None => GrantedClients::AllClients,
|
||||
@@ -296,6 +323,8 @@ impl Default for User {
|
||||
two_factor_exemption_after_successful_login: false,
|
||||
last_successful_2fa: Default::default(),
|
||||
authorized_clients: Some(Vec::new()),
|
||||
allow_local_login: true,
|
||||
allow_login_from_providers: vec![],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
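Review bot: The doc comment on `can_login_from_provider` in the `impl User` hunk has a typo, `/// Check if a user can authenticate using a givne provider or not`, and would read better as `/// Returns true if `provider.id` is listed in this user's `allow_login_from_providers`.` The new fields deserve a note on their deserialization defaults, because they decide what an existing user record without these keys is allowed to do: `#[serde(default = "default_true")]` keeps local login enabled for pre-existing users, while `#[serde(default)]` on `allow_login_from_providers` yields an empty list so no upstream provider is trusted unless an administrator adds it; a comment such as `// Defaults preserve pre-existing behaviour: local login stays on, no upstream provider is implicitly allowed.` above `allow_local_login` would make that intent explicit. The `Default for User` impl sets the same values, so the two defaults stay consistent. Note that `can_login_from_provider` only checks the provider id; the mapping from an upstream identity to this particular `User` is presumably enforced by the caller and is not visible in this file.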