Add a check on the issuer of the token for IRIS IAM #431

Draft: wants to merge 1 commit into base: dev
24 changes: 14 additions & 10 deletions lib/Authentication/AuthTokens/IAMAuthToken.php
Expand Up @@ -77,16 +77,20 @@ public function getPrinciple() {

private function getAttributesInitToken(){
if(isset($_SERVER['OIDC_access_token'])){
$this->principal = $_SERVER["REMOTE_USER"];
$this->userDetails = array('AuthenticationRealm' => array('IRIS IAM - OIDC'));
//Don't allow access if user only has a local account on IRIS
if(strpos($_SERVER['OIDC_CLAIM_groups'], "localAccounts")===false){
}else{
die('You must login via your organisation on IRIS IAM to gain access to this site.');
}
//Don't allow access unless user is a member of the IRIS gocdb group
if(strpos($_SERVER['OIDC_CLAIM_groups'], "gocdb")===false and in_array('gocdb', $_SERVER['OIDC_CLAIM_groups'])===false){
die('You do not belong to the correct group to gain access to this site. Please visit iris-iam.stfc.ac.uk and submit a request to join the GOCDB group. This shall be reviewed by a GOCDB admin.');
# Token issuer could be either https://iris-iam.stfc.ac.uk/ or https://iris-iam.stfc.ac.uk
# depending on whether OIDC or OAuth is being used.
if (($_SERVER['OIDC_CLAIM_iss'] === "https://iris-iam.stfc.ac.uk/") or ($_SERVER['OIDC_CLAIM_iss'] === "https://iris-iam.stfc.ac.uk")) {
$this->principal = $_SERVER["REMOTE_USER"];
$this->userDetails = array('AuthenticationRealm' => array('IRIS IAM - OIDC'));
//Don't allow access if user only has a local account on IRIS
if(strpos($_SERVER['OIDC_CLAIM_groups'], "localAccounts")===false){
}else{
die('You must login via your organisation on IRIS IAM to gain access to this site.');
}
//Don't allow access unless user is a member of the IRIS gocdb group
if(strpos($_SERVER['OIDC_CLAIM_groups'], "gocdb")===false and in_array('gocdb', $_SERVER['OIDC_CLAIM_groups'])===false){
die('You do not belong to the correct group to gain access to this site. Please visit iris-iam.stfc.ac.uk and submit a request to join the GOCDB group. This shall be reviewed by a GOCDB admin.');
}
}
}
}
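Review bot: the new issuer check has no else branch, so a token whose OIDC_CLAIM_iss matches neither accepted value falls through silently, leaving $this->principal and $this->userDetails unset, whereas the two existing group checks reject with an explicit die() message; add an else branch that rejects (and ideally logs the unexpected issuer value) so a mismatched issuer is a visible failure rather than a missing principal whose handling depends on the caller. The comparison also reads $_SERVER['OIDC_CLAIM_iss'] without an isset() guard, so a request where the web-server OIDC module did not populate that claim raises a PHP notice before the strict comparison fails; test isset() first. As a minor simplification, `rtrim($_SERVER['OIDC_CLAIM_iss'], '/') === "https://iris-iam.stfc.ac.uk"` covers both the OIDC and OAuth forms in one comparison, which is what the new comment describes.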