Code-review follow-ups: policy, docs, seed_admin behaviour
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk. - seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test. - Fix DE translation for 'access this page'; add get? true comment in User.
This commit is contained in:
parent
d573a22769
commit
c5f1fdce0a
7 changed files with 51 additions and 19 deletions
|
|
@ -10,6 +10,16 @@ defmodule Mv.OidcRoleSync do
|
|||
the access_token from oauth_tokens is decoded as JWT and the groups claim is
|
||||
read from there (e.g. Rauthy puts groups in the access token when scope
|
||||
includes "groups").
|
||||
|
||||
## JWT access token (security)
|
||||
|
||||
The access_token payload is read without signature verification (peek only).
|
||||
We rely on the fact that `oauth_tokens` is only ever passed from the
|
||||
verified OIDC callback (Assent/AshAuthentication after provider token
|
||||
exchange). If callers passed untrusted or tampered tokens, group claims
|
||||
could be forged and a user could be assigned the Admin role. Therefore:
|
||||
do not call this module with user-supplied tokens; it is intended only
|
||||
for the internal flow from the OIDC callback.
|
||||
"""
|
||||
alias Mv.Accounts.User
|
||||
alias Mv.Authorization.Role
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue