Support for <RequireAll> sections in ood_portal.yml auth: block

kilian · October 17, 2023, 12:52am

Hi!

I was wondering if generating <RequireAll> sections was something that is currently supported (or planned) in the OOD portal generator.

Right now, the auth: section takes things like:

auth:
  - "AuthType openid-connect"
  - "Require claim group:foo"

and transforms them in the following Apache configuration block:

  <Location "/oidc">
    AuthType openid-connect
    Require claim group:foo
  </Location>

But in some configurations, it may be necessary to check and require multiple claims, and make sure they’re all satisfied, using the <RequireAll> directive. For instance, to check that users are members of multiple groups, like this:

<Location "/oidc"> 
  <RequireAll>
    AuthType openid-connect 
    Require claim group:foo
    Require claim group:bar
  </RequireAll>    
</Location>

Is that something that the OOD portal generator can do?

Thanks!

tdockendorf · October 17, 2023, 11:21am

The logic for the auth lines is to iterate over the items in auth and write them out: https://github.com/OSC/ondemand/blob/c2aa53db187b90f67d1ec179af853d144f5e64c9/ood-portal-generator/templates/ood-portal.conf.erb#L218-L220

This should give you the desired result:

auth:
  - '<RequireAll>'
  - '  AuthType openid-connect',
  - '  ...etc...'
  - '</RequireAll>'

kilian · October 17, 2023, 3:03pm

Ah but of course, thanks for pointing this out.
This works great, thank you!

Topic		Replies	Views
Initial setup - always forced to need_auth page Get Help	9	57	October 10, 2024
Getting started, after initial OOD installations Get Help	14	648	October 4, 2023
LDAP authentication with TLS using ood_portal.yml Get Help	3	1444	May 26, 2022
Update_ood_portal Not working as expected in ODD 3 Get Help	7	393	February 11, 2024
"/opt/ood/ood_auth_map/bin/ood_auth_map.regex" doesn't exist Get Help	2	689	April 17, 2022

Support for <RequireAll> sections in ood_portal.yml auth: block

Related topics