Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(Core): use groupClaim in @auth rule for oidc #847

Merged
merged 1 commit into from
Oct 22, 2020
Merged

fix(Core): use groupClaim in @auth rule for oidc #847

merged 1 commit into from
Oct 22, 2020

Conversation

wooj2
Copy link
Contributor

@wooj2 wooj2 commented Oct 21, 2020
edited
Loading

Updated the algorithm to support multiple read restricted group based rules. For example, if given the following schema:

 type OIDCMultiGroupPost
   @model
   @auth(
     rules: [
    { allow: owner, provider: oidc, identityClaim: "sub"},
    { allow: groups, provider: oidc, groups: ["Admins"],
                                   groupClaim: "https://myapp.com/claims/groups"},
    { allow: groups, provider: oidc, groups: ["Moderators", "Editors"],
                                   groupClaim: "https://differentapp.com/claims/groups"}
     ]
   ) {
   id: ID!
   title: String!
   owner: String
 }

The following examples of OIDC tokens with the following claims, will result in a subscription document that does not filter on the owner (since the user is part of at least one of the groups of a claim that was specified in the schema)

Example 1:
["username": "user1",
 "sub": "123e4567-dead-beef-a456-426614174000",
 "https://myapp.com/claims/groups": ["Admins"]]

Example 2:
["username": "user1",
 "sub": "123e4567-dead-beef-a456-426614174000",
 "https://differentapp.com/claims/groups": ["Moderators"]]

Example 3:
["username": "user1",
 "sub": "123e4567-dead-beef-a456-426614174000",
 "https://differentapp.com/claims/groups": ["Moderators", "Editors"]]

On the other hand, the following examples of OIDC tokens with the following claims, will result in a subscription document that will filter on the owner (since the user is NOT part of any of the groups of a claim that was specified in the schema)

Example 4:
["username": "user1",
 "sub": "123e4567-dead-beef-a456-426614174000"]

Example 5:
["username": "user1",
 "sub": "123e4567-dead-beef-a456-426614174000",
 "https://differentapp.com/claims/groups": ["Admins"]]

Example 6:
["username": "user1",
 "sub": "123e4567-dead-beef-a456-426614174000",
 "https://differentapp.com/claims/groups": ["Users"]]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@wooj2 wooj2 requested review from lawmicha and raphkim October 21, 2020 23:32
@wooj2 wooj2 marked this pull request as ready for review October 22, 2020 04:41
@wooj2 wooj2 added datastore Issues related to the DataStore category core Amplify Core components api Issues related to the API category and removed datastore Issues related to the DataStore category labels Oct 22, 2020
@wooj2 wooj2 requested a review from TrekSoft October 22, 2020 14:56
TrekSoft
TrekSoft approved these changes Oct 22, 2020
View reviewed changes
Copy link
Contributor

@TrekSoft TrekSoft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cat18u3

Base automatically changed from main-oidc-factory to main October 22, 2020 16:26
lawmicha
lawmicha reviewed Oct 22, 2020
View reviewed changes
AmplifyPlugins/Core/AWSPluginsCore/Model/Support/AuthRule+Extension.swift Outdated Show resolved Hide resolved
AmplifyPlugins/Core/AWSPluginsCore/Model/Decorator/AuthRuleDecorator.swift Outdated Show resolved Hide resolved
AmplifyPlugins/Core/AWSPluginsCore/Model/Decorator/AuthRuleDecorator.swift Outdated Show resolved Hide resolved
.../AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndMultiGroup.swift Outdated Show resolved Hide resolved
.../AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndMultiGroup.swift Outdated Show resolved Hide resolved
.../AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndMultiGroup.swift Outdated Show resolved Hide resolved
.../AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndMultiGroup.swift Outdated Show resolved Hide resolved
.../AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndMultiGroup.swift Outdated Show resolved Hide resolved
.../AWSPluginsCoreTests/Model/Decorator/AuthRuleDecorator/ModelWithOwnerAuthAndMultiGroup.swift Outdated Show resolved Hide resolved
@wooj2 wooj2 force-pushed the main-oidc-factory-groupoidc branch from 0b2e0b5 to d457707 Compare October 22, 2020 17:32
@wooj2 wooj2 force-pushed the main-oidc-factory-groupoidc branch from d457707 to 3d075a0 Compare October 22, 2020 17:32
@wooj2 wooj2 merged commit e664d66 into main Oct 22, 2020
@wooj2 wooj2 deleted the main-oidc-factory-groupoidc branch October 22, 2020 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TrekSoft TrekSoft TrekSoft approved these changes

@lawmicha lawmicha lawmicha approved these changes

@raphkim raphkim Awaiting requested review from raphkim

Assignees
No one assigned
Labels
api Issues related to the API category core Amplify Core components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wooj2 @lawmicha @TrekSoft