Add support for admin assignment via group/role claims (#965) #966
smartcoder0777 wants to merge 4 commits into thedevs-network:main from
Conversation
Here is a video of the implemented feature.
Hi everybody,
jgoedeke
left a comment
I will test the changes later and report back
Removed comments related to OIDC role and admin group configuration.
After merging this PR, I'd like to start another issue. If there is any issue that needs contribution in your mind, please let me know. Thanks.
I tried to run these changes but it seems not to work properly. Did you test it? I checked my JWT in another application and I can see groups in the claims: The following env vars are present: When starting the application I see I remove my user via the admin user. When I log in again with a normal user it is still no admin. I see no further logs.
Bug: Admin role assignment wasn't working because custom claims like 'groups' are typically in the ID token, not the userinfo endpoint response. Fix: Check tokenset.claims() first, then fall back to userinfo. This ensures we can read group/role claims from either source. Added debug logging in development mode to help troubleshoot claim issues.
@jgoedeke nice catch!
Now it works. Looks good from my side. Thanks for the effort! @poeti8 can you check the changes?
Hi @poeti8 can you review the PR?
Can anybody check and merge my PR, please?
Hey @smartcoder0777, just a small reminder: this is a small open-source project, and the maintainers aren't expected to be active every day. Please try not to be too pushy with follow-ups. Things get reviewed when people have time, and a bit of patience really helps keep the project healthy and enjoyable for everyone. Thanks for understanding!
I got it. Thanks. I will look forward. |
Just wanted to ask if this had been merged since it's been a couple of weeks. I'm currently dealing with difficulty getting my self-hosted kutt based on the docker kutt/kutt:main branch to recognize admin_emails - also looking at the example env files it doesn't look like admin_emails exists anywhere?
@jschurawlow It's not merged yet, though it was approved. I look forward to the maintainer's merge now.
Hello, |
Fixes: #965
Summary
Implements automatic admin role assignment based on OIDC identity provider group or role claims, allowing organizations to manage Kutt admin privileges through their existing IdP.
Adds the OIDC_ROLE_CLAIM and OIDC_ADMIN_GROUP environment variables.
Changes
New Environment Variables
- OIDC_ROLE_CLAIM - Claim name containing user roles/groups (default: roles)
- OIDC_ADMIN_GROUP - Group or role value that grants admin privileges (optional)
Technical Implementation
- Updated server/passport.js with role checking logic
- Replaced env.isDev with direct NODE_ENV checks to avoid envalid mutation errors
- Updated .example.env with documentation for new OIDC admin configuration
Supported Identity Providers
Configuration Example
OIDC_ENABLED=true
OIDC_ISSUER=https://your-idp.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_SCOPE=openid profile email
OIDC_EMAIL_CLAIM=email
OIDC_ROLE_CLAIM=roles
OIDC_ADMIN_GROUP=admin
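The claim lookup described in the commit message (ID token claims first, userinfo as fallback) and in the technical implementation section, written out as an added example. This is not Kutt's own server/passport.js code; the function names and the sample login data are assumptions constructed for illustration.

```javascript
// Added example (not Kutt's server/passport.js): decide whether an OIDC login
// gets the admin role from a group/role claim. Reads the claim named by
// OIDC_ROLE_CLAIM from the ID token first and falls back to the userinfo body.
// resolveAdminFromClaims, claimValues and sampleLogin are assumed names.

// Normalise a claim value to an array of strings. IdPs emit roles/groups as a
// JSON array, a single string, or a space-separated string; anything else
// (missing, object, number) yields [] so admin is never granted on junk input.
function claimValues(value) {
  if (Array.isArray(value)) {
    return value.filter((v) => typeof v === "string");
  }
  if (typeof value === "string") {
    return value.split(/\s+/).filter(Boolean);
  }
  return [];
}

// idTokenClaims: what tokenset.claims() returns; userinfo: userinfo endpoint body.
// Returns true only when adminGroup is configured and exactly equals one of the
// claim values (case-sensitive, whole-value match, no substring matching).
function resolveAdminFromClaims({ idTokenClaims, userinfo }, roleClaim, adminGroup) {
  if (!adminGroup || !roleClaim) return false; // feature not configured
  // Custom claims such as "groups" usually live in the ID token, not userinfo,
  // which is the bug the thread ran into; only fall back when the claim is absent.
  const source = idTokenClaims && idTokenClaims[roleClaim] !== undefined
    ? idTokenClaims
    : userinfo || {};
  return claimValues(source[roleClaim]).includes(adminGroup);
}

// Constructed sample login data mirroring the reported failure: the groups are in
// the ID token while the userinfo response carries only profile fields.
const sampleLogin = {
  idTokenClaims: { sub: "u1", groups: ["staff", "admin"] },
  userinfo: { sub: "u1", email: "u1@example.com" },
};

console.log(resolveAdminFromClaims(sampleLogin, "groups", "admin")); // true
```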
Contribution by Gittensor, see my contribution statistics at https://gittensor.io/miners/details?githubId=191128130