You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This PR add support for OIDC Group verification during the authentication process for the PocketID provider.
Currently, access is restricted to users whose emails are explicitly listed in the panel or those who have a custom claim (remnawaveClaim). This change allows for a more standard OIDC flow by restricting access based on the groups claim provided in the ID token.
Frontend
Need to add new field + logic (what should be filled or field with mail/group) + I18N to support new fields.
New 'AllowedGroups' Field Added
A new category named 'AllowedGroups' is now part of the OAuth2 settings. This category will be of list type, containing names of usergroups.
Configuration Initialization updated
The above mentioned 'AllowedGroups' category has been successfully added to the initial configuration seeding process as an empty list.
Enhanced Access Control through Conditional Authorization
The Authentication Service now has refined user access control. It includes the 'AllowedGroups' while constructing the user authorization URL, facilitating conditional access based on group memberships.
Validation Logic for User Group Matching
A validation mechanism is now in place in the Authentication Service to cross-verify if a user belongs to an allowed group. This adds another layer of access control based on group memberships.
Updated Error Messaging
The error messages have been updated to cover checks for both user email validation as well as group membership requirements.
Added OIDC groups verification for PocketID authentication. The schema and seed files correctly add the allowedGroups field, but the implementation has a critical bug that prevents the feature from working.
Critical Issues:
Undefined variable pocketIdSettings used in three locations (lines 450, 782, 789) in auth.service.ts - this will cause runtime ReferenceError exceptions
Should be remnawaveSettings.oauth2Settings.pocketid instead
Implementation Logic:
Conditionally adds 'groups' scope to OAuth2 authorization if allowedGroups is configured
Checks user's group membership after email and custom claim checks
Falls back to deny if none of the checks pass (custom claim → allowed emails → allowed groups)
Confidence Score: 0/5
This PR has critical bugs that will cause runtime failures and prevent the feature from working
The code references an undefined variable pocketIdSettings in three locations, which will throw ReferenceError exceptions when PocketID authentication is attempted with group-based access control. This is a blocking issue that makes the feature completely non-functional.
src/modules/auth/auth.service.ts requires immediate attention - all three references to pocketIdSettings must be changed to remnawaveSettings.oauth2Settings.pocketid
sequenceDiagram
participant User
participant Frontend
participant AuthService
participant PocketID
participant Database
User->>Frontend: Click PocketID login
Frontend->>AuthService: oauth2Authorize(POCKETID)
AuthService->>Database: Get remnawave settings
Database-->>AuthService: Settings with allowedGroups
alt allowedGroups configured
AuthService->>AuthService: Add 'groups' to scopes
end
AuthService->>PocketID: Redirect to authorize with scopes
PocketID->>User: Show consent screen
User->>PocketID: Approve
PocketID-->>Frontend: Redirect with code
Frontend->>AuthService: oauth2Callback(code)
AuthService->>PocketID: Exchange code for tokens
PocketID-->>AuthService: ID token with claims
AuthService->>AuthService: Decode ID token
AuthService->>AuthService: Check remnawaveClaim
alt remnawaveClaim exists
AuthService-->>Frontend: Success + JWT
else Check allowed emails
AuthService->>AuthService: Check if email in allowedEmails
alt email allowed
AuthService-->>Frontend: Success + JWT
else Check allowed groups
AuthService->>AuthService: Extract groups from claims
AuthService->>AuthService: Check if any group in allowedGroups
alt group allowed
AuthService-->>Frontend: Success + JWT
else No match
AuthService-->>Frontend: Forbidden
end
end
end
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Description
This PR add support for OIDC Group verification during the authentication process for the PocketID provider.
Currently, access is restricted to users whose emails are explicitly listed in the panel or those who have a custom claim (remnawaveClaim). This change allows for a more standard OIDC flow by restricting access based on the
groupsclaim provided in the ID token.Frontend
Need to add new field + logic (what should be filled or field with mail/group) + I18N to support new fields.
Example configuration