Added configurable user identification logic:
- Introduced new properties to differentiate identification by `email` or `workdayId`. - Updated `SecurityConfig` to handle claims dynamically based on `application.properties` configuration.
This commit is contained in:
parent
ae10417c44
commit
a28a14d1d3
2 changed files with 40 additions and 46 deletions
|
|
@ -47,7 +47,10 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
|
||||||
import org.springframework.web.filter.OncePerRequestFilter;
|
import org.springframework.web.filter.OncePerRequestFilter;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.*;
|
import java.util.Arrays;
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Set;
|
||||||
import java.util.function.Supplier;
|
import java.util.function.Supplier;
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -62,6 +65,18 @@ public class SecurityConfig {
|
||||||
@Value("${lcc.allowed_oauth_token_cors:*}") // Default: alle Origins
|
@Value("${lcc.allowed_oauth_token_cors:*}") // Default: alle Origins
|
||||||
private String oauthTokenCors;
|
private String oauthTokenCors;
|
||||||
|
|
||||||
|
@Value("${lcc.auth.identify.by}")
|
||||||
|
private String identifyBy;
|
||||||
|
|
||||||
|
@Value("${lcc.auth.claim.workday}")
|
||||||
|
private String workdayClaim;
|
||||||
|
|
||||||
|
@Value("${lcc.auth.claim.email}")
|
||||||
|
private String emailClaim;
|
||||||
|
|
||||||
|
@Value("${lcc.auth.claim.ignore.workday}")
|
||||||
|
private boolean ignoreWorkdayClaim;
|
||||||
|
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@Profile("!dev & !test") // Only active when NOT in dev profile
|
@Profile("!dev & !test") // Only active when NOT in dev profile
|
||||||
|
|
@ -253,57 +268,31 @@ public class SecurityConfig {
|
||||||
|
|
||||||
User user = null;
|
User user = null;
|
||||||
|
|
||||||
String workdayId = oidcUser.getAttribute("employeeid");
|
String workdayId = oidcUser.getAttribute(workdayClaim);
|
||||||
if (workdayId == null) {
|
String email = oidcUser.getAttribute(emailClaim);
|
||||||
workdayId = oidcUser.getAttribute("extension_WorkdayID");
|
|
||||||
}
|
|
||||||
if (workdayId == null) {
|
|
||||||
workdayId = oidcUser.getAttribute("workdayWorkerID");
|
|
||||||
}
|
|
||||||
if (workdayId == null) {
|
|
||||||
workdayId = oidcUser.getAttribute("onpremisesimmutableid");
|
|
||||||
}
|
|
||||||
if (workdayId == null) {
|
|
||||||
// Check for any extension attribute containing "workday"
|
|
||||||
Map<String, Object> claims = oidcUser.getIdToken().getClaims();
|
|
||||||
workdayId = claims.entrySet().stream()
|
|
||||||
.filter(e -> e.getKey().toLowerCase().contains("workday"))
|
|
||||||
.map(e -> String.valueOf(e.getValue()))
|
|
||||||
.findFirst()
|
|
||||||
.orElse(null);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Try different ways to get email
|
|
||||||
String email = oidcUser.getEmail();
|
|
||||||
if (email == null) {
|
|
||||||
email = oidcUser.getAttribute("email");
|
|
||||||
}
|
|
||||||
if (email == null) {
|
|
||||||
email = oidcUser.getAttribute("upn");
|
|
||||||
}
|
|
||||||
if (email == null) {
|
|
||||||
email = oidcUser.getAttribute("preferred_username");
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if (workdayId != null) {
|
if (identifyBy.equals("email") && email != null && !email.isEmpty()) {
|
||||||
user = userRepository.getByWorkdayId(workdayId);
|
log.debug("Fetch user by email {}", email);
|
||||||
if (user != null) {
|
|
||||||
user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
|
|
||||||
userId = user.getId();
|
|
||||||
}
|
|
||||||
} else if (email != null) {
|
|
||||||
user = userRepository.getByEmail(email);
|
user = userRepository.getByEmail(email);
|
||||||
if (user != null) {
|
|
||||||
user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
|
} else if (identifyBy.equals("workday") && workdayId != null && !workdayId.isEmpty()) {
|
||||||
userId = user.getId();
|
log.debug("Fetch user by workday id {}", workdayId);
|
||||||
}
|
user = userRepository.getByWorkdayId(workdayId);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (user == null) {
|
if (user != null) {
|
||||||
|
user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
|
||||||
|
userId = user.getId();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (user == null && email != null && (ignoreWorkdayClaim || workdayId != null)) {
|
||||||
var isFirstUser = userRepository.count() == 0;
|
var isFirstUser = userRepository.count() == 0;
|
||||||
userRepository.update(LccOidcUser.createDatabaseUser(email, oidcUser.getGivenName(), oidcUser.getFamilyName(), workdayId, isFirstUser));
|
userRepository.update(LccOidcUser.createDatabaseUser(email, oidcUser.getGivenName(), oidcUser.getFamilyName(), ignoreWorkdayClaim ? email : workdayId, isFirstUser));
|
||||||
mappedAuthorities.add(new SimpleGrantedAuthority(isFirstUser ? "ROLE_SERVICE" : "ROLE_NONE"));
|
mappedAuthorities.add(new SimpleGrantedAuthority(isFirstUser ? "ROLE_SERVICE" : "ROLE_NONE"));
|
||||||
|
} else {
|
||||||
|
log.debug("Unable to create user {} / {}", email, workdayId);
|
||||||
|
mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_NONE"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -27,3 +27,8 @@ lcc.allowed_oauth_token_cors=*
|
||||||
|
|
||||||
logging.level.org.springframework.ws=DEBUG
|
logging.level.org.springframework.ws=DEBUG
|
||||||
logging.level.org.springframework.oxm=DEBUG
|
logging.level.org.springframework.oxm=DEBUG
|
||||||
|
|
||||||
|
lcc.auth.identify.by=workday
|
||||||
|
lcc.auth.claim.workday=employeeid
|
||||||
|
lcc.auth.claim.email=preferred_username
|
||||||
|
lcc.auth.claim.ignore.workday=false
|
||||||
Loading…
Add table
Reference in a new issue