Enable JWT group-based user authorization #1368

Merged
merged 3 commits into from
Dec 11, 2023
@bcmmbaga bcmmbaga commented Dec 8, 2023

Describe your changes

  • Extend the update account endpoint /api/accounts/{accountId} to accommodate the introduction of a new optional field, jwt_allow_groups. This field enables the specification of groups whose members are permitted access to Netbird when utilizing JWT Group Propagation.
```bash
curl -X PUT http://localhost:33073/api/accounts/<ACCOUNT_ID> \
-H 'Accept: application/json' \
-H 'Authorization: Token <PAT>' \
-d '{
	"settings": {
		"groups_propagation_enabled": true,
		"jwt_allow_groups": [
			"NetBird", "Admins"
		],
		"jwt_groups_claim_name": "groups",
		"jwt_groups_enabled": true,
		"peer_login_expiration": 86400,
		"peer_login_expiration_enabled": true
	}
}'
```

  • Add user group-based authorization. This implementation checks for JWT group propagation and jwt_allow_groups settings. Users attempting authentication without membership in the specified group list will have their authentication rejected. Additionally, if no allow groups are set, all users will be authenticated seamlessly.

Issue ticket number and link

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary
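
The authorization rule described above, as an added Go example that is not code from this pull request or from NetBird. The `Settings` type, `CheckGroupAccess` and `ErrNotInAllowedGroup` are hypothetical names, and gating the check on `jwt_groups_enabled` is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Settings mirrors the JSON fields in the request above (hypothetical type).
type Settings struct {
	JWTGroupsEnabled   bool     // jwt_groups_enabled
	JWTGroupsClaimName string   // jwt_groups_claim_name
	JWTAllowGroups     []string // jwt_allow_groups
}

var ErrNotInAllowedGroup = errors.New("user is not in any allowed JWT group")

// CheckGroupAccess takes claims from a token whose signature was already verified.
func CheckGroupAccess(s Settings, claims map[string]interface{}) error {
	// Assumption: the check is gated on jwt_groups_enabled. A nil or empty
	// allow list admits every authenticated user, as the description states.
	if !s.JWTGroupsEnabled || len(s.JWTAllowGroups) == 0 {
		return nil
	}
	// JSON decoding yields []interface{}. A missing or non-array claim leaves
	// raw nil, so the loop is skipped and the user is rejected (fail closed).
	raw, _ := claims[s.JWTGroupsClaimName].([]interface{})
	for _, g := range raw {
		name, ok := g.(string)
		if !ok {
			continue // ignore non-string entries
		}
		for _, allowed := range s.JWTAllowGroups {
			if name == allowed { // exact, case-sensitive match
				return nil
			}
		}
	}
	return ErrNotInAllowedGroup
}

func main() {
	s := Settings{JWTGroupsEnabled: true, JWTGroupsClaimName: "groups", JWTAllowGroups: []string{"NetBird", "Admins"}}
	// Constructed claims, shaped as decoded from a verified token.
	member := map[string]interface{}{"sub": "u1", "groups": []interface{}{"Dev", "Admins"}}
	outsider := map[string]interface{}{"sub": "u2", "groups": []interface{}{"Dev"}}
	noClaim := map[string]interface{}{"sub": "u3"}
	fmt.Println(CheckGroupAccess(s, member), CheckGroupAccess(s, outsider), CheckGroupAccess(s, noClaim))
}
```

Once an allow list is set, a token that carries no groups claim, or carries it in an unexpected shape, is rejected rather than admitted.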

* Add JWTAllowGroups settings to account management

* Return an empty group list if jwt allow groups is not set

* Add JwtAllowGroups to account settings in handler test
* Add JWTAllowGroups settings to account management

* Return an empty group list if jwt allow groups is not set

* Add JwtAllowGroups to account settings in handler test

* Implement user access validation authentication based on JWT groups

* Remove the slices package import due to compatibility issues with the GitHub workflow(s) Go version

* Refactor auth middleware and test for extracted claim handling
@bcmmbaga bcmmbaga changed the title Enable configuration of permitted JWT groups for access Enable JWT group-based user authorization Dec 11, 2023
@bcmmbaga bcmmbaga marked this pull request as ready for review December 11, 2023 15:04
@bcmmbaga bcmmbaga merged commit d275d41 into main Dec 11, 2023
14 checks passed
@bcmmbaga bcmmbaga deleted the allow-jwt-groups branch December 11, 2023 15:59
pulsastrix pushed a commit to pulsastrix/netbird that referenced this pull request Dec 24, 2023
* Extend management API to support list of allowed JWT groups (netbirdio#1366)

* Add JWTAllowGroups settings to account management

* Return an empty group list if jwt allow groups is not set

* Add JwtAllowGroups to account settings in handler test

* Add JWT group-based user authorization (netbirdio#1373)

* Add JWTAllowGroups settings to account management

* Return an empty group list if jwt allow groups is not set

* Add JwtAllowGroups to account settings in handler test

* Implement user access validation authentication based on JWT groups

* Remove the slices package import due to compatibility issues with the GitHub workflow(s) Go version

* Refactor auth middleware and test for extracted claim handling

* Optimize JWT group check in auth middleware to cover nil and empty allowed groups
Foosec pushed a commit to Foosec/netbird that referenced this pull request May 8, 2024