feat: Add ability to ignore roles when logging in with SSO (#534)

Closes #533
2025-07-18 20:59:44 +02:00 · 2023-10-25 23:01:35 +02:00 · 2023-10-25 23:01:35 +02:00 · e41a434fc8
commit e41a434fc8
parent 43f196c9e6
5 changed files with 9 additions and 0 deletions
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@ -45,6 +45,7 @@ services:
      # - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_IGNORE_ROLES=true
    depends_on:
      - postgres

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -45,6 +45,7 @@ services:
      # - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_IGNORE_ROLES=true
    depends_on:
      - postgres

--- a/server/.env.sample
+++ b/server/.env.sample
@ -28,6 +28,7 @@ SECRET_KEY=notsecretkey
 # OIDC_SCOPES=openid email profile
 # OIDC_ADMIN_ROLES=admin
 # OIDC_ROLES_ATTRIBUTE=groups
+# OIDC_IGNORE_ROLES=true

 ## Do not edit this

--- a/server/api/helpers/users/get-or-create-one-using-oidc.js
+++ b/server/api/helpers/users/get-or-create-one-using-oidc.js
@ -92,6 +92,11 @@ module.exports = {

    const updateFieldKeys = ['email', 'isAdmin', 'isSso', 'name', 'username'];

+    if (sails.config.custom.oidcIgnoreRoles) {
+      // Remove isAdmin from updateFieldKeys
+      updateFieldKeys.splice(updateFieldKeys.indexOf('isAdmin'), 1);
+    }
+
    const updateValues = {};
    // eslint-disable-next-line no-restricted-syntax
    for (const k of updateFieldKeys) {
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -39,6 +39,7 @@ module.exports.custom = {
  oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
  oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
+  oidcIgnoreRoles : process.env.OIDC_IGNORE_ROLES || false,

  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${