123 clarify expected access token configuration (#182)

* refactor: reworked OIDC roles to be more generic -> expects json path now as the token structure can differ

* refactor: reworked OIDC roles, update documentation and fix bug if user has no user role assigned

app/Entirety/.env.EXAMPLE

@@ -39,7 +39,7 @@ OIDC_SUPER_ADMIN_ROLE=super_admin
 OIDC_SERVER_ADMIN_ROLE=server_admin
 OIDC_PROJECT_ADMIN_ROLE=project_admin
 OIDC_USER_ROLE=user
-OIDC_TOKEN_ROLE_FIELD=roles
+OIDC_TOKEN_ROLE_PATH="$.entirety.roles"
 
 # FIWARE
 CB_URL=http://localhost:1026

app/Entirety/entirety/oidc.py

@@ -2,6 +2,7 @@
 
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
 from django.conf import settings
+from jsonpath_ng import parse
 
 logger = logging.getLogger(__name__)
 
@@ -16,12 +17,12 @@ def update_user(self, user, claims):
         return self.__set_user_values(user, claims)
 
     def __set_user_values(self, user, claims):
-        logger.info(
-            user.first_name
-            + " is accessing with roles "
-            + claims.get("roles").__str__()
-        )
-        roles = claims.get("roles", [])
+
+        path = settings.OIDC_TOKEN_ROLE_PATH
+        parsed_result = parse(path).find(
+            claims)
+        if len(parsed_result) > 0:
+            roles = parsed_result[0].value
 
         user.first_name = claims.get("given_name", "")
         user.last_name = claims.get("family_name", "")
@@ -37,12 +38,23 @@ def __set_user_values(self, user, claims):
 
         user.save()
 
+        logger.info(
+            user.first_name
+            + " is accessing with roles "
+            + roles.__str__()
+        )
         return user
 
     def verify_claims(self, claims):
         logger.info(claims.get("given_name") + " is verifying claim")
         verified = super(CustomOIDCAB, self).verify_claims(claims)
-        is_user = settings.OIDC_USER_ROLE in claims.get(
-            settings.OIDC_TOKEN_ROLE_FIELD, []
-        )
+        path = settings.OIDC_TOKEN_ROLE_PATH
+        parsed_result = parse(path).find(
+            claims)
+        if len(parsed_result) > 0:
+            value = parsed_result[0].value
+        else:
+            value = []
+        is_user = settings.OIDC_USER_ROLE in value
+
         return verified and is_user

app/Entirety/entirety/settings.py

@@ -360,7 +360,7 @@ def secret_key_not_empty(cls, v) -> str:
             default="project_admin", env="OIDC_PROJECT_ADMIN_ROLE"
         )
         OIDC_USER_ROLE: str = Field(default="user", env="OIDC_USER_ROLE")
-        OIDC_TOKEN_ROLE_FIELD: str = Field(default="roles", env="OIDC_TOKEN_ROLE_FIELD")
+        OIDC_TOKEN_ROLE_PATH: str = Field(default="$.entirety.roles", env="OIDC_TOKEN_ROLE_PATH")
 
     # Internationalization
     # https://docs.djangoproject.com/en/4.0/topics/i18n/

app/Entirety/projects/forms.py

@@ -28,7 +28,7 @@ def __init__(self, user, *args, **kwargs):
         self.fields["owner"].widget.attrs["data-bs-placement"] = "left"
         self.fields["owner"].widget.attrs[
             "title"
-        ] = "Owner is assigned automatically on project creation. It can only be updated by admin."
+        ] = "The owner is assigned automatically on project creation. It can only be updated by a server admin."
 
         self.fields["users"].widget = forms.CheckboxSelectMultiple(
             attrs={

docs/SETTINGS.md

@@ -213,11 +213,11 @@ Server admins can create/update projects for any project admin.
 >
 > *default:* super_admin
 
-### OIDC_TOKEN_ROLE_FIELD
+### OIDC_TOKEN_ROLE_PATH
 
-> *description:* Field in ID token that represents user roles.
+> *description:* Path in ID token that represents user roles. Each level is seperated by a "."; mind the leading ".". Further information on how to include the roles in the token, please, refer to our [deployment guide](https://github.com/N5GEH/n5geh.tutorials.entirety_step_by_step/blob/main/README.md#configure-oidc-provider-oidc-auth-only)
 >
-> *default:* roles
+> *default:* $.entirety.roles
 
 ### OIDC_USER_ROLE