magda-io / magda-auth-oidc Goto Github PK

Allow autoMapOrg works when the user has multiple org membership

We currently rely on org_name claim to auto map user org to Magda org.

When a user has multiple org membership, the Idp should shows an org selection screen after correct credential is supplied by the user and the user is required to select one org to complete the sign in process.

In this case, org_name claim of the user's ID token would be the name of org that the user selects during the sign in process.

For this OIDC auth plugin, we have two options to handle this situation:

• Option 1: update the orgUnitId field of the relevant Magda user record on the user's every sign in.
  • We will only need to maintain one Magda user record with orgUnitId changing depends on the user's selection.
  • Magda doesn't store all information of the user. e.g. we only know the user is associated with org at any point in time.
• Option 2: Map user's multiple org membership to multiple Magda user record
  • When the user select different org, he actually sign into different Magda account
  • We actually maintain multiple Magda user records for one Idp user. But Magda does store all information of the user.

Option 2 might be the preferred solution as it allow Magda to generate full picture of the user without querying Idp.

This ticket #6 implemented logout workflow with auto patching for auth0.com.

However, currently, the auth0.com specific feature only available when the issuer domain contains auth0.com.

This ticket is about adding a new config option that allows explicitly turn on the patching behaviour for auth0 endpoint with custom domains.

Allow setting default user role id

Allow (optionally) setting the default user role id when first time logged in

Implement logout endpoints as per OpenID Connect RP-Initiated Logout 1.0

The similar feature has already been Implemented in: https://github.com/magda-io/magda-auth-okta.
Reference:

• https://openid.net/specs/openid-connect-rpinitiated-1_0.html
• https://auth0.com/docs/authenticate/login/logout/log-users-out-of-auth0
• https://developer.okta.com/docs/reference/api/oidc/#logout
• https://developer.okta.com/docs/guides/sign-users-out/nodeexpress/main/

This ticket will:

• adopt the similar implementation
• auto turn on / off logout endpoint by checking OIDC issuer config

Technical Notes:

• Auth0's logout implementations not comfort OIDC spec and not list its endpoint on it's OIDC config
  • we will need to accommodate this

Getting error when attempting to login using an OIDC connection.
Sign In Failed: TimeoutError: Timeout awaiting 'request' for 2500ms

Happens consistently on the first login attempt and usually works on the second attempt, with an OIDC connection to AWS Cognito. Doing some searching around the internets It may be linked to a default value in an OIDC middleware library. (https://devforum.okta.com/t/timeouterror-timeout-awaiting-request-for-2500ms/9878/5) Is the only related post on this issue I could find.

I've tried setting the timeout value for this plugin, but the default value of 10000ms already far exceeds the value cause an error.