Problem/Motivation
Having to log in as an administrator to adjust roles (because they are blacklisted during account creation) is bothersome and not as smooth as it could be.
When the access token is a JWT it can contain roles (or more likely "groups") claims, which should be mappable automatically to Drupal account roles (a role name -> Drupal role mapping to start with, for example, or something more implicit).
This would enable fully automatic provisioning of the user (probably updated on each login) and reduce the pressure on/need for admins.
A prerequisite is of course to validate the JWT signature to ensure it can be trusted; there are other issues about that.
Steps to reproduce
Set up the plugin, then log in with a JWT containing any specific role (even admin, potentially) and check whether this role is present on the created account.
Proposed resolution
Implement the feature.
Remaining tasks
TODO.
User interface changes
- Add a toggle to enable this feature.
- Likely the JWT validation form (issuer, kid, typ, expiry, public key/PEM; at least RS256, which seems to be the most used one).
- Add the table mapping UI to configure the automatic role mapping.
API changes
Don't think it needs any, since there is already a callback at the correct position to implement it, so this issue is just about making it a built-in feature.
Data model changes
Role mapping table.
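To make the two halves of the request concrete (validate the JWT first, then sync roles from a mapping table on every login), here is an added example in Python. It is not code from the openid_connect module or from the patch in this issue; the module itself is PHP, so this is a stand-alone model of the behaviour. It uses HS256 only because that needs no third-party library (the issue asks for RS256, where the IdP signs with a private key and the site verifies with the configured public key/PEM), and the key, issuer, kid, claim values and mapping table are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used by JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, key: bytes, kid: str, alg: str = "HS256") -> str:
    """Mint a compact JWS; stands in for the IdP in this demo (constructed, not a real IdP)."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, keys: dict, issuer: str, now=None) -> dict:
    """Return the claims only if typ/alg, kid, signature, iss and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Fixed algorithm allowlist: the token's own alg never selects the verifier,
    # which is what rules out alg=none and algorithm-confusion tokens.
    if header.get("typ") != "JWT" or header.get("alg") != "HS256":
        raise ValueError("unexpected typ/alg")
    key = keys.get(header.get("kid"))  # kid must match a configured key
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def sync_roles(current_roles, claims, mapping, claim="groups", never_grant=("administrator",)):
    """Compute the account's role set after a login.

    mapping: {claim value -> Drupal role id}.  Only roles that are targets of the
    mapping are "managed": added when the claim value is present, removed when it
    is absent (a user dropped from a group loses the role on the next login).
    Roles an admin assigned by hand are left alone.  Roles in never_grant are
    never granted by the mapping, whatever the token says."""
    groups = claims.get(claim, [])
    if isinstance(groups, str):  # some IdPs send a space-separated string
        groups = groups.split()
    managed = set(mapping.values()) - set(never_grant)
    wanted = {mapping[g] for g in groups if g in mapping} - set(never_grant)
    return (set(current_roles) - managed) | wanted


# Constructed demo configuration (hypothetical values).
KEY = b"constructed-demo-secret"
KEYS = {"demo-kid": KEY}
ISSUER = "https://idp.example.test"
MAPPING = {"cern-editors": "editor", "cern-authors": "content_author", "cern-admins": "administrator"}


def demo_login(current_roles, groups, now=1_000_000):
    """One login: IdP mints a token, the site validates it, then syncs roles."""
    token = make_token({"iss": ISSUER, "sub": "u1", "exp": now + 300, "groups": groups}, KEY, "demo-kid")
    claims = validate_jwt(token, KEYS, ISSUER, now=now)
    return sync_roles(current_roles, claims, MAPPING)


if __name__ == "__main__":
    print(sorted(demo_login({"authenticated", "content_author", "site_builder"}, ["cern-editors", "cern-admins"])))
```

In the demo login the user has left the "cern-authors" group, so content_author is removed; site_builder survives because it is not a mapping target; and administrator is not granted even though the token claims "cern-admins", which is the "even admin potentially" case from the steps to reproduce handled by an explicit deny list rather than by trusting the claim.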
Issue fork openid_connect-3166508
Branches:
- openid_connect-3166508-v3.x
- 3.x
- 3011413-autologin-when-one
- backport/8.x-1.1/openid_connect-3166508
- branch-8.x-1.1
- 8.x-1.x
- 3166508-enable-to-automatically
Merge requests:
- openid_connect-3166508 (MR !24)
- 2.x (MR !20)
- backport/8.x-1.x/openid_connect-3166508 (MR !26)
Comments
Comment #3
jcnventura (CreditAttribution: jcnventura at 1xINTERNET) commented
Comment #4
jcnventura (CreditAttribution: jcnventura at 1xINTERNET) commented: 1.x is no longer getting new features.
Comment #7
jcnventura (CreditAttribution: jcnventura at 1xINTERNET) commented: Please rebase this to the latest 2.x state.
Comment #11
jcnventura (CreditAttribution: jcnventura at 1xINTERNET) commented: No problem Carina :) Welcome to Drupal.
Comment #12
kosamara (CreditAttribution: kosamara) commented: Hi @jcnventura! Maybe this issue can be marked for review? We're testing Carina's patch for use on our infrastructure at CERN.