feat: add conditional authenticator that matches org and client attributes at runtime#438
Open
tchoumi313 wants to merge 2 commits into p2-inc:main from
Conversation
Implements a new conditional authenticator that checks if an organization's attribute value matches a client attribute. This allows dynamic tenant/org isolation at the authentication flow level without hardcoding values.

- Checks org attribute against client attribute (retrieved at runtime)
- Supports `negate_output` config for deny conditions
- Mirrors `ConditionalOrgAttributeValue` pattern but uses client attributes
- Fail-closed security model (denies on missing attributes)
Summary
This PR adds a new conditional authenticator that compares a user organization attribute against a client attribute value resolved at login time.
It is intended for multi-tenant setups where each OIDC client carries a tenant marker such as `tenant_id`, and authentication should continue only when the user belongs to a matching organization.

What is added
- `ConditionalOrgAttributeMatchesClientAttribute`
- `ConditionalOrgAttributeMatchesClientAttributeFactory`
- `conditional-org-client-attr`

Behavior
Config properties:
- `org_attribute_name` (String): organization attribute key to check, for example `tenant_id`
- `client_attribute_name` (String): client attribute key containing the expected value
- `negate_output` (Boolean): invert the result

Evaluation flow:
- Read the attribute named by `client_attribute_name` from the current client
- Check the user's organizations for `org_attribute_name == clientAttributeValue`
- Apply `negate_output` when configured

Why this is needed
The existing `ConditionalOrgAttributeValue` provider compares an organization attribute against a static value configured in the authenticator.
This new provider allows the expected value to come from the current client at runtime, so one shared flow can work across many tenant-specific clients without duplicating flows per tenant.
Security model
The provider is fail-closed by design.
Missing config, missing client attribute, missing `OrganizationProvider`, or empty memberships evaluate to no-match.

Validation
- `conditional-org-client-attr`

Notes
- `ConditionalOrgAttributeValue`; it does not modify the behavior of the existing provider.
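The evaluation flow and fail-closed rules described above, as an added illustrative Java implementation; this is not the PR's class, and the Keycloak `ConditionalAuthenticator` contract plus the phasetwo `OrganizationProvider.getUserOrganizationsStream` and `OrganizationModel.getFirstAttribute` calls are assumed from those projects' public APIs. The point it makes explicit is that `negate_output` is applied only after a complete comparison, so a missing attribute still denies rather than being negated into an allow.

```java
import io.phasetwo.service.model.OrganizationProvider;
import java.util.Map;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Illustrative "org attribute equals client attribute" matcher (added example, not the PR's class).
 * Every incomplete input returns false BEFORE negation is applied, so negate_output can only flip a
 * fully evaluated comparison and never turns "missing data" into "allow".
 */
public class OrgClientAttributeMatchExample implements ConditionalAuthenticator {

  @Override
  public boolean matchCondition(AuthenticationFlowContext context) {
    AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
    if (cfg == null || cfg.getConfig() == null) return false;   // fail closed: no config
    Map<String, String> c = cfg.getConfig();
    String orgAttr = c.get("org_attribute_name");
    String clientAttr = c.get("client_attribute_name");
    boolean negate = Boolean.parseBoolean(c.get("negate_output"));
    if (isBlank(orgAttr) || isBlank(clientAttr)) return false;  // fail closed: incomplete config

    // Expected value comes from the client of the current login, resolved at runtime.
    ClientModel client = context.getAuthenticationSession().getClient();
    String expected = client == null ? null : client.getAttribute(clientAttr);
    if (isBlank(expected)) return false;                        // fail closed: client has no marker

    UserModel user = context.getUser();
    OrganizationProvider orgs = context.getSession().getProvider(OrganizationProvider.class);
    if (user == null || orgs == null) return false;             // fail closed: no user or provider

    // Assumed phasetwo API: stream of the user's organizations, each exposing getFirstAttribute().
    boolean matched = orgs.getUserOrganizationsStream(context.getRealm(), user)
        .map(org -> org.getFirstAttribute(orgAttr))
        .anyMatch(expected::equals);                            // empty memberships -> false
    return negate != matched;                                   // negate only a complete evaluation
  }

  private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

  @Override public void action(AuthenticationFlowContext context) {}
  @Override public boolean requiresUser() { return true; }
  @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
  @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) {}
  @Override public void close() {}
}
```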