[#60151] enable nextcloud storages with sso strategy #17865
Conversation
- https://community.openproject.org/work_packages/60151 - add decision logic, which strategy to use for nextcloud storages - add sso user token logic with token exchange
...n/storages/peripherals/storage_interaction/authentication_strategies/one_drive_strategies.rb
Outdated
Show resolved
Hide resolved
...n/storages/peripherals/storage_interaction/authentication_strategies/nextcloud_strategies.rb
Outdated
Show resolved
Hide resolved
|
Yep, @NobodysNightmare , I was thinking about how to test the new code. Testing the new strategies makes definitely sense. Should we have a unit test for the |
|
Caution The provided work package version does not match the core version Details:
Please make sure that:
|
...ges/app/common/storages/peripherals/storage_interaction/authentication_strategies/failure.rb
Show resolved
Hide resolved
...n/storages/peripherals/storage_interaction/authentication_strategies/nextcloud_strategies.rb
Outdated
Show resolved
Hide resolved
| @@ -34,6 +36,7 @@ | |||
| sequence(:mail) { |n| "bobmail#{n}[email protected]" } | |||
| password { "adminADMIN!" } | |||
| password_confirmation { "adminADMIN!" } | |||
| identity_url { nil } | |||
There was a problem hiding this comment.
🟢 Is there a case where this is filled and the user wasn't provided by a 3rd party (or the other way around)?
There was a problem hiding this comment.
or the other way around)
I think if a user logs in through LDAP, the identity_url is empty/nil. Not sure if this counts for what you have in mind, because in that case we present the authentication form, but we forward the password check to LDAP.
There was a problem hiding this comment.
Right now, our whole check for authentication_provider on a user goes through this property. It was missing in the factory, hence I added it.
There was a problem hiding this comment.
Let me put this other way: can we track the IdP of the user from this? Let's say we have 2 different OIDC IdPs or a mix of OIDC/SAML?
SAML also fills this value and would be absolutely worthless for us. =/ We may need to parse it somehow as it follows the slug:idp-user-id format.
There was a problem hiding this comment.
yep, this is how it is parsed in the user model:
def authentication_provider
return nil if identity_url.blank?
slug = identity_url.split(":", 2).first
AuthProvider.find_by(slug:)
endThere was a problem hiding this comment.
Not, that I know of. Maybe we should?
There was a problem hiding this comment.
Oh, yeah. We are dealing specifically with OIDC not all SSO solutions so things like SAML/LDAP.
There was a problem hiding this comment.
I guess right now we'd want SAML users to use two-way-oauth2 instead of SSO, correct?
There was a problem hiding this comment.
I think LDAP does not fill the identity_url.
...herals/storage_interaction/authentication_strategies/nextcloud_strategies/user_bound_spec.rb
Show resolved
Hide resolved
...on/storages/peripherals/storage_interaction/authentication_strategies/sso_user_token_spec.rb
Outdated
Show resolved
Hide resolved
Ticket
OP#60151
What are you trying to accomplish?
What approach did you choose and why?