- Notifications
You must be signed in to change notification settings - Fork920
chore: add query to fetch top level idp claim fields#15525
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Emyrk commentedNov 18, 2024 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Done. Uses 1 |
664e734 to2dae39bCompare| -- name: OIDCClaimFields :many | ||
| -- OIDCClaimFields returns a list of distinct keys in the the merged_claims fields. | ||
| -- This query is used to generate the list of available sync fields for idp sync settings. | ||
| SELECT | ||
| DISTINCT jsonb_object_keys(claims->'merged_claims') | ||
| FROM | ||
| user_links |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
To confirm, this data comes from the claims we get from user links, so a new user log in with claims we haven't seen before it would add to this list and next time this endpoint is hit it would have new data?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Correct 👍
| // @Param organization path string true "Organization ID" format(uuid) | ||
| // @Success 200 {array} string | ||
| // @Router /settings/idpsync/available-fields [get] | ||
| func (api *API) deploymentIDPSyncClaimFields(rw http.ResponseWriter, r *http.Request) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Why do we need a deployment level endpoint again?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Organization sync is configured by deployment level admins (user-admins and owner). They configure IDP sync based on all users in the deployment.
The RBAC permissions prevent org admins from hitting the deployment wide api.
c3c23ed intomainUh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Supportscoder/internal#210
Adds an api endpoint to grab all available sync field options for IDP sync. This is for autocomplete on idp sync forms. This is required for organization admins to have some insight into the claim fields available when configuring group/role sync.
Given claims such as:
{"merged_claims":{"hd":"...","aud":"...","azp":"...","iss":"...","sub":"115135273038497292934","name":"Alice","email":"alice@example.com","at_hash":"...","given_name":"Alice","family_name":"Smith","groups":["developers","cyclists" ],"roles":["coder-engineer" ],"email_verified":true }}This query returns:
["hd", "aud", "azp", "iss", "sub", "name", "email", "at_hash", "given_name", "family_name", "groups", "roles", "email_verified"]