necouchman commented on code in PR #943:
URL: https://github.com/apache/guacamole-client/pull/943#discussion_r1456475774
##########
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java:
##########
@@ -202,4 +210,61 @@ public Set<String> processGroups(JwtClaims claims) throws
GuacamoleException {
// Could not retrieve groups from JWT
return Collections.emptySet();
}
+
+ /**
+ * Parses the given JwtClaims, returning the attributes contained
+ * therein, as defined by the attributes claim type given in
+ * guacamole.properties. If the attributes claim type is missing or
+ * is invalid, an empty set is returned.
+ *
+ * @param claims
+ * A valid JwtClaims to extract attributes from.
+ *
+ * @return
+ * A Map of String,String representing the attributes and values
+ * from the OpenID provider point of view, or an empty Map if
+ * claim is not valid or the attributes claim type is missing.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties could not be parsed.
+ */
+ public Map<String, String> processAttributes(JwtClaims claims) throws
GuacamoleException {
+ List<String> attributesClaim = confService.getAttributesClaimType();
+
+ if (claims != null && !attributesClaim.isEmpty()) {
+ try {
+ logger.debug("Iterating over attributes claim list : {}",
attributesClaim);
+ // We suppose all claims are resolved, so the hashmap is
initialised to
+ // the size of the configuration list
+ Map<String, String> tokens = new HashMap<String,
String>(attributesClaim.size());
+ // We iterate over the configured attributes
+ for (String key: attributesClaim) {
+ // Retrieve the corresponding claim
+ String oidcAttr = claims.getStringClaimValue(key);
+ // We do have a matching claim and it is not empty
+ if (oidcAttr != null && !oidcAttr.isEmpty()) {
+ // append the prefixed claim value to the token map
with its value
+ String tokenName = TokenName.canonicalize(key,
OIDC_ATTRIBUTE_TOKEN_PREFIX);
+ tokens.put(tokenName, oidcAttr);
+ logger.debug("Claim {} found and set to {} as {}",
key, tokenName, oidcAttr);
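Review bot: The `logger.debug("Claim {} found and set to {} as {}", key, tokenName, oidcAttr)` call at the end of this hunk writes the raw claim value into the log. The claims listed in the attributes claim type setting can carry personal or otherwise sensitive data, and that data then ends up wherever debug logs are stored or shipped. Log only `key` and `tokenName` and drop `oidcAttr`. The argument order also does not match the message text: as written it reads "set to <tokenName> as <value>", so reword it when the value is removed. Separately, the Javadoc says "an empty set is returned" while the method returns `Map<String, String>`. The fallback return is not visible in this part of the hunk, so confirm it is an empty Map and correct that sentence.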
Review Comment:
Yeah, I'm fine with the debug line being there, just think maybe leaving out
the value would be good.