chrislu
2add9e1523
🌐 IMPLEMENT OIDC USERINFO ENDPOINT: Complete Enterprise OIDC Integration!
MAJOR ENHANCEMENT: Full OIDC UserInfo Endpoint Integration
🏆 PRODUCTION-READY USERINFO INTEGRATION:
- Real HTTP calls to OIDC UserInfo endpoints with Bearer token authentication
- Automatic endpoint discovery using standard OIDC convention (/.../userinfo)
- Configurable UserInfoUri for custom provider endpoints
- Complete claim mapping from UserInfo response to SeaweedFS identity
- Comprehensive error handling for authentication and network failures
✅ COMPLETE USERINFO OPERATIONS:
- GetUserInfoWithToken: Retrieve user information with access token
- getUserInfoWithToken: Internal implementation with HTTP client integration
- mapUserInfoToIdentity: Map OIDC claims to ExternalIdentity structure
- Custom claims mapping support for non-standard OIDC providers
🚀 ENTERPRISE-GRADE FEATURES:
- HTTP client with configurable timeouts and proper header handling
- Bearer token authentication with Authorization header
- JSON response parsing with comprehensive claim extraction
- Standard OIDC claims support (sub, email, name, groups)
- Custom claims mapping for enterprise identity provider integration
- Multiple group format handling (array, single string, mixed types)
🔧 COMPREHENSIVE CLAIM MAPPING:
- Standard OIDC claims: sub → UserID, email → Email, name → DisplayName
- Groups claim: Flexible parsing for arrays, strings, or mixed formats
- Custom claims mapping: Configurable field mapping via ClaimsMapping config
- Attribute storage: All additional claims stored as custom attributes
- JSON serialization: Complex claims automatically serialized for storage
✅ ROBUST ERROR HANDLING & VALIDATION:
- Bearer token validation and proper HTTP status code handling
- 401 Unauthorized responses for invalid tokens
- Network error handling with descriptive error messages
- JSON parsing error recovery with detailed failure information
- Empty token validation and proper error responses
🧪 COMPREHENSIVE TEST COVERAGE (6/6 PASSING):
- TestOIDCProviderUserInfo/get_user_info_with_access_token ✅
- TestOIDCProviderUserInfo/get_admin_user_info (role-based responses) ✅
- TestOIDCProviderUserInfo/get_user_info_without_token (error handling) ✅
- TestOIDCProviderUserInfo/get_user_info_with_invalid_token (401 handling) ✅
- TestOIDCProviderUserInfo/get_user_info_with_custom_claims_mapping ✅
- TestOIDCProviderUserInfo/get_user_info_with_empty_id (validation) ✅
🎯 PRODUCTION USE CASES SUPPORTED:
- Google Workspace: Full user info retrieval with groups and custom claims
- Microsoft Azure AD: Enterprise directory integration with role mapping
- Auth0: Custom claims and flexible group management
- Keycloak: Open source OIDC provider integration
- Custom OIDC Providers: Configurable claim mapping and endpoint URLs
🔒 SECURITY & COMPLIANCE:
- Bearer token authentication per OIDC specification
- Secure HTTP client with timeout protection
- Input validation for tokens and configuration parameters
- Error message sanitization to prevent information disclosure
- Standard OIDC claim validation and processing
This completes the OIDC provider implementation with full UserInfo endpoint
support, enabling enterprise SSO integration with any OIDC-compliant provider!
All OIDC tests passing ✅ - Ready for production deployment
2 months ago
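The UserInfo flow the commit message above describes (Bearer GET against a configured UserInfoUri or the <issuer>/userinfo convention, 401 and empty-token handling, sub/email/name/groups mapping with a ClaimsMapping override, flexible group parsing, and leftover claims stored as JSON-serialized attributes), written out as an added Go example. This is not SeaweedFS's own code: the ExternalIdentity and ClaimsMapping shapes, the function signatures, the 10-second timeout and the 1 MiB body cap are assumptions made for the example, and it goes slightly beyond the message by also refusing a response that carries no subject claim and by stringifying non-string entries in a mixed-type groups array.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Assumed shapes for this example; the real SeaweedFS types are not shown on this page.
type ExternalIdentity struct {
	UserID, Email, DisplayName string
	Groups                     []string
	Attributes                 map[string]string // leftover claims; non-string values JSON-serialized
}
type ClaimsMapping map[string]string // identity field -> claim name the provider uses
var ErrUnauthorized = errors.New("userinfo: access token rejected (401)")

// GetUserInfoWithToken GETs the UserInfo endpoint with a Bearer token and returns the raw
// claims. An empty UserInfoUri falls back to the <issuer>/userinfo convention.
func GetUserInfoWithToken(issuer, userInfoURI, token string) (map[string]interface{}, error) {
	if strings.TrimSpace(token) == "" {
		return nil, errors.New("userinfo: empty access token")
	}
	if userInfoURI == "" {
		userInfoURI = strings.TrimSuffix(issuer, "/") + "/userinfo"
	}
	req, err := http.NewRequest(http.MethodGet, userInfoURI, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	client := &http.Client{Timeout: 10 * time.Second} // assumed timeout: a hung IdP must not hang logins
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("userinfo: request failed: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, ErrUnauthorized
	}
	if resp.StatusCode != http.StatusOK { // report the status only: an IdP error page could leak details
		return nil, fmt.Errorf("userinfo: unexpected status %d", resp.StatusCode)
	}
	var claims map[string]interface{}
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&claims); err != nil { // assumed 1 MiB cap
		return nil, fmt.Errorf("userinfo: parse JSON: %w", err)
	}
	return claims, nil
}

// parseGroups accepts a JSON array (mixed element types included), a lone string, or nothing.
func parseGroups(v interface{}) []string {
	switch g := v.(type) {
	case []interface{}:
		out := make([]string, 0, len(g))
		for _, item := range g {
			out = append(out, fmt.Sprint(item)) // a string element is returned unchanged
		}
		return out
	case string:
		return []string{g}
	}
	return nil
}

// mapUserInfoToIdentity fills sub/email/name/groups (claim names overridable through
// mapping) and keeps every other claim as a custom attribute.
func mapUserInfoToIdentity(claims map[string]interface{}, mapping ClaimsMapping) (*ExternalIdentity, error) {
	claim := func(field string) string { // provider claim name for an identity field
		if c := mapping[field]; c != "" {
			return c
		}
		return field
	}
	str := func(name string) string { s, _ := claims[name].(string); return s }
	id := &ExternalIdentity{UserID: str(claim("sub")), Email: str(claim("email")),
		DisplayName: str(claim("name")), Groups: parseGroups(claims[claim("groups")]),
		Attributes: map[string]string{}}
	if id.UserID == "" { // a response with no subject must never yield a usable identity
		return nil, errors.New("userinfo: response lacks subject claim " + claim("sub"))
	}
	used := map[string]bool{claim("sub"): true, claim("email"): true, claim("name"): true, claim("groups"): true}
	for k, v := range claims {
		if used[k] {
			continue
		}
		if s, ok := v.(string); ok {
			id.Attributes[k] = s
		} else {
			b, _ := json.Marshal(v) // decoded from JSON, so it always re-marshals
			id.Attributes[k] = string(b)
		}
	}
	return id, nil
}
```

Usage: call GetUserInfoWithToken(issuer, userInfoURI, accessToken) and hand the returned claims to mapUserInfoToIdentity together with the provider's ClaimsMapping (for instance {"email": "upn"} for a directory that carries the address in a upn claim; the standard email claim then lands in Attributes instead). Note that a 401 is surfaced as the sentinel ErrUnauthorized so callers can distinguish a rejected token from a network fault, and that no response body is ever copied into an error string.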
Name | Last commit | Age
admin | Admin UI: Fetch task logs (#7114) | 2 months ago
cluster | add CORS tests (#7001) | 3 months ago
command | S3 API: Add integration with KMS providers (#7152) | 2 months ago
credential | Filer Store: postgres backend support pgbouncer (#7077) | 2 months ago
filer | S3 API: Add SSE-KMS (#7144) | 2 months ago
filer_client | Admin UI: Add message queue to admin UI (#6958) | 3 months ago
glog | convert error formatting to %w everywhere (#6995) | 3 months ago
iam | 🌐 IMPLEMENT OIDC USERINFO ENDPOINT: Complete Enterprise OIDC Integration! | 2 months ago
iamapi | convert error formatting to %w everywhere (#6995) | 3 months ago
images | Migrates from disintegration/imaging c2019 to cognusion/imaging c2024. (#5533) | 1 year ago
kms | S3 API: Add integration with KMS providers (#7152) | 2 months ago
mount | weed/mount: refactor to use atomic type (#7157) | 2 months ago
mq | Context cancellation during range reading of large files (#7093) | 2 months ago
notification | fix: dead letter message log message (#7072) | 2 months ago
operation | S3 API: Add SSE-S3 (#7151) | 2 months ago
pb | S3 API: Add SSE-S3 (#7151) | 2 months ago
query | move to https://github.com/seaweedfs/seaweedfs | 3 years ago
remote_storage | fix for baidu cloud storage | 2 months ago
replication | convert error formatting to %w everywhere (#6995) | 3 months ago
s3api | format | 2 months ago
security | remove spoof-able request header (#7103) | 2 months ago
sequence | remove unused function | 1 year ago
server | S3 API: Add integration with KMS providers (#7152) | 2 months ago
sftpd | convert error formatting to %w everywhere (#6995) | 3 months ago
shell | Shell: support regular expression for collection selection (#7158) | 2 months ago
static | Fix Broken Links (#5287) | 2 years ago
stats | [volume] refactor and add metrics for flight upload and download data limit condition (#6920) | 3 months ago
storage | Fix volume allocation with max=0 and minFreeSpace - prevent allocate-then-delete behavior (#7147) | 2 months ago
telemetry | convert error formatting to %w everywhere (#6995) | 3 months ago
topology | select the appropriate functions based on the useReservations flag | 2 months ago
util | S3 API: Add SSE-KMS (#7144) | 2 months ago
wdclient | convert error formatting to %w everywhere (#6995) | 3 months ago
worker | S3 API: Add SSE-KMS (#7144) | 2 months ago
Makefile | test versioning also (#7000) | 3 months ago
weed.go | set exit status | 7 months ago