Support for <RequireAll> sections in ood_portal.yml auth: block

Hi!

I was wondering if generating <RequireAll> sections was something that is currently supported (or planned) in the OOD portal generator.

Right now, the auth: section takes things like:

auth:
  - "AuthType openid-connect"
  - "Require claim group:foo"

and transforms them into the following Apache configuration block:

  <Location "/oidc">
    AuthType openid-connect
    Require claim group:foo
  </Location>

But in some configurations, it may be necessary to check and require multiple claims, and make sure they’re all satisfied, using the <RequireAll> directive. For instance, to check that users are members of multiple groups, like this:

<Location "/oidc">
  <RequireAll>
    AuthType openid-connect
    Require claim group:foo
    Require claim group:bar
  </RequireAll>
</Location>

Is that something that the OOD portal generator can do?

Thanks!

The logic for the auth lines is to iterate over the items in auth and write them out: https://github.com/OSC/ondemand/blob/c2aa53db187b90f67d1ec179af853d144f5e64c9/ood-portal-generator/templates/ood-portal.conf.erb#L218-L220

This should give you the desired result:

auth:
  - '<RequireAll>'
  - '  AuthType openid-connect'
  - '  ...etc...'
  - '</RequireAll>'

Ah but of course, thanks for pointing this out. :smiley:
This works great, thank you!
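
An added example, not part of the original posts and not the project's own code: because each auth item is written out verbatim, a forgotten `</RequireAll>` goes straight into the generated Apache config, and without the container Apache treats sibling `Require` lines as alternatives rather than as conditions that must all hold. The sketch below renders the list the way the answer describes and rejects unbalanced container tags first; the template is a simplified stand-in, and `container_errors` and `render_location` are hypothetical helper names.

```ruby
require "erb"
require "yaml"

# Simplified stand-in for the generator's template (assumption): every auth
# item is written out as-is, one per line, inside the Location block.
TEMPLATE = ERB.new(<<~'TPL', trim_mode: "-")
  <Location "/oidc">
  <%- auth.each do |line| -%>
    <%= line %>
  <%- end -%>
  </Location>
TPL

# Hypothetical pre-flight check: list container-tag problems in the auth
# items. An unclosed <RequireAll> would swallow </Location> and leave the
# generated Apache configuration unparsable.
def container_errors(auth)
  stack, errors = [], []
  auth.each_with_index do |line, i|
    case line.strip
    when %r{\A</(\w+)>\z}
      opened = stack.pop
      errors << "item #{i}: unexpected </#{$1}>" unless opened&.downcase == $1.downcase
    when /\A<(\w+)[^>]*>\z/
      stack << $1
    end
  end
  errors + stack.map { |tag| "<#{tag}> is never closed" }
end

def render_location(auth)
  errors = container_errors(auth)
  raise ArgumentError, errors.join("; ") unless errors.empty?
  TEMPLATE.result_with_hash(auth: auth)
end

# Constructed sample mirroring the configuration asked for in the thread.
SAMPLE = YAML.safe_load(<<~CONF)
  auth:
    - '<RequireAll>'
    - '  AuthType openid-connect'
    - '  Require claim group:foo'
    - '  Require claim group:bar'
    - '</RequireAll>'
CONF

puts render_location(SAMPLE["auth"]) if $PROGRAM_NAME == __FILE__
```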