mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2026-07-13 04:41:36 +00:00
Add configurable OIDC group-to-role mapping
Currently OIDC group-based role assignment only recognizes groups named 'admin', 'user', or 'guest' (case-insensitive), and denies login when a user's groups match none of them. This makes group-based roles unusable with identity providers whose group names differ, and offers no way to admit such users with a default role. Add two optional server settings: - authOpenIDAdminGroups: comma-separated group names mapped to the admin role, in addition to the built-in names. - authOpenIDGroupDefaultRole: role assigned when no group matches, instead of denying login. Both default to empty, preserving current behavior. Includes the auth settings UI fields, en-us strings, and unit tests for setUserGroup.
This commit is contained in:
parent
cbda0360aa
commit
d6cfdd3bec
5 changed files with 108 additions and 2 deletions
|
|
@ -497,9 +497,11 @@
|
|||
"LabelNumberOfBooks": "Number of Books",
|
||||
"LabelNumberOfChapters": "Number of chapters:",
|
||||
"LabelNumberOfEpisodes": "# of Episodes",
|
||||
"LabelOpenIDAdminGroupsDescription": "Comma-separated list of group names from the group claim that should be mapped to the <code>admin</code> role, in addition to the built-in case-insensitive 'admin', 'user', and 'guest' names. Use this when your identity provider's groups are not named to match the application's roles.",
|
||||
"LabelOpenIDAdvancedPermsClaimDescription": "Name of the OpenID claim that contains advanced permissions for user actions within the application which will apply to non-admin roles (<b>if configured</b>). If the claim is missing from the response, access to ABS will be denied. If a single option is missing, it will be treated as <code>false</code>. Ensure the identity provider's claim matches the expected structure:",
|
||||
"LabelOpenIDClaims": "Leave the following options empty to disable advanced group and permissions assignment, automatically assigning 'User' group then.",
|
||||
"LabelOpenIDGroupClaimDescription": "Name of the OpenID claim that contains a list of the user's groups. Commonly referred to as <code>groups</code>. <b>If configured</b>, the application will automatically assign roles based on the user's group memberships, provided that these groups are named case-insensitively 'admin', 'user', or 'guest' in the claim. The claim should contain a list, and if a user belongs to multiple groups, the application will assign the role corresponding to the highest level of access. If no group matches, access will be denied.",
|
||||
"LabelOpenIDGroupDefaultRoleDescription": "Role to assign when none of the user's groups match a known role (<code>admin</code>, <code>user</code>, <code>guest</code>, or an admin group above). Set to <code>user</code> or <code>guest</code> to admit such users with that role instead of denying access. Leave empty to deny access when no group matches.",
|
||||
"LabelOpenRSSFeed": "Open RSS Feed",
|
||||
"LabelOverwrite": "Overwrite",
|
||||
"LabelPaginationPageXOfY": "Page {0} of {1}",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue