public/hass-oidc-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add feature toggle to disable groups scope (#39)

Browse Source 
* Update README.md

Ad two to dos:
- bool for scopes
- "groups" scope configurable

* Update README.md

- Add scope bool to configuration options

* Final Update for making scope "groups" optinal

README:
Add scope bool to configuration options
Add two to dos:

bool for scopes
"groups" scope configurable

config:
Make scope "groups" a feature which can be deactivated

init:
Make the feature for the groups bool working in the scope variable

* Remove double description

* Update config.py
This commit is contained in:
Tom Kölsch
2025-02-14 19:03:14 +01:00
committed by GitHub
parent b39a65ff74
commit 29a2545396
3 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -66,6 +66,7 @@ With the default configuration, [a person entry](https://www.home-assistant.io/i
| `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. | | `features.automatic_user_linking` | `boolean`| No | `false` | Automatically links users to existing Home Assistant users based on the OIDC username claim. Disabled by default for security. When disabled, OIDC users will get their own new user profile upon first login. |
| `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. | | `features.automatic_person_creation` | `boolean` | No | `true` | Automatically creates a person entry for new user profiles created by this integration. Recommended if you would like to assign presence detection to OIDC users. |
| `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. | | `features.disable_rfc7636` | `boolean`| No | `false` | Disables PKCE (RFC 7636) for OIDC providers that don't support it. You should not need this with most providers. |
| `features.include_groups_scope` | `boolean` | No | `true` | Include the 'groups' scope in the OIDC request. Set to `false` to exclude it. |
| `claims.display_name` | `string` | No | `name` | The claim to use to obtain the display name. | `claims.display_name` | `string` | No | `name` | The claim to use to obtain the display name.
| `claims.username` | `string` | No | `preferred_username` | The claim to use to obtain the username. | `claims.username` | `string` | No | `preferred_username` | The claim to use to obtain the username.
| `claims.groups` | `string` | No | `groups` | The claim to use to obtain the user's group(s). | | `claims.groups` | `string` | No | `groups` | The claim to use to obtain the user's group(s). |
@@ -134,6 +135,8 @@ Currently, this is a pre-alpha, so I welcome issues but I cannot guarantee I can
- [ ] Configure Dependabot for automatic updates - [ ] Configure Dependabot for automatic updates
- [ ] Configure tests - [ ] Configure tests
- [ ] Consider use of setup UI instead of YAML (see https://github.com/christiaangoossens/hass-oidc-auth/discussions/6) - [ ] Consider use of setup UI instead of YAML (see https://github.com/christiaangoossens/hass-oidc-auth/discussions/6)
- [ ] Create a configurable bool for scope "groups" to activate/deactivate
- [ ] Make scope "groups" a configurable custom scope
Currently waiting on HA feature additions: Currently waiting on HA feature additions:

6
custom_components/auth_oidc/__init__.py
View File

@@ -20,6 +20,7 @@ from .config import (
CLAIMS, CLAIMS,
ROLES, ROLES,
NETWORK, NETWORK,
FEATURES_INCLUDE_GROUPS_SCOPE,
) )
# pylint: enable=useless-import-alias # pylint: enable=useless-import-alias
@@ -53,7 +54,10 @@ async def async_setup(hass: HomeAssistant, config):
_LOGGER.info("Registered OIDC provider") _LOGGER.info("Registered OIDC provider")
# We only use openid, profile & groups, never email # We only use openid, profile & groups, never email
scope = "openid profile groups" include_groups_scope = my_config[FEATURES].get(FEATURES_INCLUDE_GROUPS_SCOPE, True)
scope = "openid profile"
if include_groups_scope:
scope += " groups"
oidc_client = oidc_client = OIDCClient( oidc_client = oidc_client = OIDCClient(
hass=hass, hass=hass,

5
custom_components/auth_oidc/config.py
View File

@@ -11,6 +11,7 @@ FEATURES = "features"
FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking" FEATURES_AUTOMATIC_USER_LINKING = "automatic_user_linking"
FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation" FEATURES_AUTOMATIC_PERSON_CREATION = "automatic_person_creation"
FEATURES_DISABLE_PKCE = "disable_rfc7636" FEATURES_DISABLE_PKCE = "disable_rfc7636"
FEATURES_INCLUDE_GROUPS_SCOPE = "include_groups_scope"
CLAIMS = "claims" CLAIMS = "claims"
CLAIMS_DISPLAY_NAME = "display_name" CLAIMS_DISPLAY_NAME = "display_name"
CLAIMS_USERNAME = "username" CLAIMS_USERNAME = "username"
@@ -56,6 +57,10 @@ CONFIG_SCHEMA = vol.Schema(
# Feature flag to disable PKCE to support OIDC servers that do not # Feature flag to disable PKCE to support OIDC servers that do not
# allow additional parameters and don't support RFC 7636 # allow additional parameters and don't support RFC 7636
vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool), vol.Optional(FEATURES_DISABLE_PKCE): vol.Coerce(bool),
# Make a bool which activates and deactivates scope 'groups'
vol.Optional(
FEATURES_INCLUDE_GROUPS_SCOPE, default=True
): vol.Coerce(bool),
} }
), ),
# Determine which specific claims will be used from the id_token # Determine which specific claims will be used from the id_token