
feat: sso admin mapping support #102

Open
BoxBoxJason wants to merge 2 commits into ZimengXiong:main from BoxBoxJason:feat/sso-admin-support

Conversation


BoxBoxJason commented Mar 19, 2026

Warning

I am not a cybersecurity expert, the "security" aspects of this PR should be reviewed with utmost care

This PR adds support for an optional mapping of admin groups when using OIDC SSO.

Combining the variables:

  • OIDC_GROUPS_CLAIM, which tells the backend pod where in the JWT returned by the OIDC provider the groups are located
  • OIDC_ADMIN_GROUPS, which tells the backend pod which group(s) are supposed to be admin (anyone not in them will NOT be admin)

Caution

When these parameters are set, the default first user to connect is NO LONGER admin by default
Also, if these parameters are set, manually setting someone as admin will NO LONGER WORK, because the OIDC provider groups become the source of truth for who is admin

Every route call now re-evaluates whether the user is admin or not before processing.

The README was updated to showcase these new available parameters.

This adds many unit tests for authentication (those were AI-generated; they are very complete).

Closes #99

This also fixes some minor issues:

  • The first is that the current test setup was not fully functional, because the backend pod AND the browser had to reach "localhost:8080", which was not possible (for the backend, because it was reaching itself instead of Keycloak)
  • Fixed an issue with the example keycloak client created. It did not seem like the "PUBLIC" client was working in the dev setup, so I forced a "PRIVATE" one.
  • An optional OIDC_DISCOVERY_URL variable was added to be able to give a separate "discovery" endpoint to the backend than the one the browser will use. (Useful for people who wish to use an internal URL for the backend to reach)
  • Applied autoformat (prettier-eslint with default configuration) on the files I edited for better readability

Note

This was fully tested with the exact setup in the docker-compose.yml and the docker-compose.oidc.yml. In Keycloak, I just manually created one "admins" group, with one user inside, and created a protocol mapper for the groups in the client (default scopes).
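The admin decision the PR description lays out (OIDC_GROUPS_CLAIM locating the groups in the decoded token, OIDC_ADMIN_GROUPS naming the admin groups, provider groups replacing the stored admin flag once both are set) can be sketched as a small, self-contained function. This is an added example written for this page, not the PR's or the project's code: the dotted-path lookup for the claim, the comma-separated format of OIDC_ADMIN_GROUPS, the function names and the sample claims are all assumptions. It expects claims that have already been taken from a signature-verified ID token; it does no verification itself.

```python
import os
from typing import Any, Iterable, Mapping, Optional, Set

# Constructed sample of decoded claims, shaped like a Keycloak group-membership
# mapper output with "Full group path" enabled (groups arrive as "/admins").
SAMPLE_CLAIMS = {
    "sub": "3f1c...",
    "preferred_username": "alice",
    "groups": ["/admins", "/developers"],
}


def _lookup_claim(claims: Mapping[str, Any], path: str) -> Any:
    """Walk a dotted path (e.g. "realm_access.roles") through decoded claims.

    Dotted-path support is an assumption of this example, so that a nested
    claim location can be expressed in OIDC_GROUPS_CLAIM.
    """
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, Mapping) or key not in node:
            return None
        node = node[key]
    return node


def _normalize_groups(value: Any) -> Set[str]:
    """Accept a single string or a list of strings; anything else is no groups.

    A leading "/" (Keycloak full group path) is stripped so that the operator
    can write OIDC_ADMIN_GROUPS=admins for a group the token reports as /admins.
    """
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, Iterable):
        return set()
    return {g.lstrip("/") for g in value if isinstance(g, str)}


def parse_admin_groups(raw: Optional[str]) -> Set[str]:
    """OIDC_ADMIN_GROUPS as a comma-separated list (format assumed here)."""
    if not raw:
        return set()
    return {g.strip().lstrip("/") for g in raw.split(",") if g.strip()}


def resolve_admin(
    claims: Mapping[str, Any],
    db_is_admin: bool,
    groups_claim: Optional[str],
    admin_groups: Set[str],
) -> bool:
    """Decide admin status for one request.

    Mapping not configured: the stored flag stays the source of truth.
    Mapping configured: only the provider's groups count; the stored flag is
    deliberately ignored, which is why a manually set admin stops working and
    the first user is no longer admin by default.
    """
    if not groups_claim or not admin_groups:
        return db_is_admin
    user_groups = _normalize_groups(_lookup_claim(claims, groups_claim))
    return not user_groups.isdisjoint(admin_groups)


def resolve_admin_from_env(claims: Mapping[str, Any], db_is_admin: bool) -> bool:
    """Same decision, reading the two variables the PR introduces from the environment."""
    return resolve_admin(
        claims,
        db_is_admin,
        os.environ.get("OIDC_GROUPS_CLAIM"),
        parse_admin_groups(os.environ.get("OIDC_ADMIN_GROUPS")),
    )


if __name__ == "__main__":
    print(resolve_admin(SAMPLE_CLAIMS, False, "groups", {"admins"}))      # True
    print(resolve_admin(SAMPLE_CLAIMS, True, "groups", {"ops"}))          # False
    print(resolve_admin(SAMPLE_CLAIMS, True, None, set()))                # True
```

Because the check runs on every route call, an admin removed from the group on the provider side loses admin rights as soon as the backend sees a freshly issued token; how quickly that happens is bounded by the token lifetime and by whether the backend re-reads claims from the session or from the token on each request. Matching is exact and case-sensitive, so OIDC_ADMIN_GROUPS has to use the group name exactly as the provider emits it.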


ebuildy commented Mar 19, 2026

Amazing PR, we strongly need this feature in our team , many thanks 😊

Signed-off-by: BoxBoxJason <contact@boxboxjason.dev>
Signed-off-by: BoxBoxJason <contact@boxboxjason.dev>
BoxBoxJason force-pushed the feat/sso-admin-support branch from fb58d56 to f78809e on March 22, 2026 01:13

Development

Successfully merging this pull request may close these issues.

feat: support SSO admin mapping
