Callback or hook to run a script when a user logs in

Hello,

I have configured ood to authenticate users with OpenID Connect. When a user logs in (or perhaps when their PUN server is started), I would like to be able to:

  1. Run an arbitrary initialization script
  2. Access claims returned by the OpenID Connect Identity Provider

Is there some sort of hook that would allow me to run an arbitrary script when a user logs on? Is the data returned when a user is authenticated available to me somewhere? Is there some other solution that will help me achieve my two goals?

I’ve looked through the nginx stage configuration, but did not see anything that would help me. I also know that it is possible to set up a script that maps remote authenticated usernames to local usernames. So, in theory, this script could perform actions other than mapping usernames, but that seems like an abuse of the trigger and it also gets triggered on every HTTP request sent to the OnDemand portal, not just when a user authenticates.

As for accessing claims, it seems to imply in the examples of “Setup User Mapping” that you should be able to access a claim like preferred_username via the environment variable “OIDC_CLAIM_preferred_username”. Is this a valid approach and is there more documentation on getting claims from environment variables somewhere?

nginx stage configuration: https://osc.github.io/ood-documentation/master/infrastructure/nginx-stage/configuration.html
user mapping: https://osc.github.io/ood-documentation/master/authentication/overview/map-user.html

Thanks in advance.

Hi! Welcome! I apologize for the delay - this seemed to slip my mind.

  1. I think you’re right. You could use the usermap_regex script and completely expand on what it’s supposed to be doing, though I would not advise it and you may not have the right user environment (it may be executed as the apache user? and not with the environment you’d expect. I mean not any transaction specific context)
  2. Yes you can access them (see the documentation and note below). I guess the question is how and when you want to access them. They exist within apache during that request and you can probably access them in some lua script.

Here’s the oidc documentation that I always look up when dealing with it. (For example I’ve used RequestHeader set OIDC-access-token %{oidc_access_token}e to set the request header from the environment variable before.)

Can you let us know what you’re trying to achieve? We have several things we want to do that may align with what you’re trying to do so there may be some synergy in either effort, design or overall goals.

Anyway, I think for sure your use case would give us some perspective on ours.

Thanks for the reply and links, @jeff.ohrstrom. I am trying to mount user-specific storage when the user logs in. As a workaround, I found that there is a configuration option to specify what command is run when a PUN is started. So, I changed “nginx_bin” in /opt/ood/nginx_stage/lib/nginx_stage/configuration.rb to point to a script that I wrote which first mounts the storage and then launches the PUN.

Oh OK! Yea I think that’ll work too.

If you’re looking to mount things why not autofs? We use it with a lot of success.
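
The “nginx_bin” wrapper workaround described in the thread, as an added example (not the poster's script and not Open OnDemand code). It assumes nginx_stage calls the wrapper as "-c <PUN config dir>/<user>.conf [-s <signal>]"; the three paths, the MOUNT_HELPER program and the username policy are placeholders for site-specific values.

```shell
#!/bin/sh
# Added example: wrapper that nginx_stage's "nginx_bin" could point to.
# Assumptions: invoked as "-c <PUN_CONF_DIR>/<user>.conf [-s <signal>]";
# all three paths below are placeholders for site-specific values.
PUN_CONF_DIR=${PUN_CONF_DIR:-/var/lib/ondemand-nginx/config/puns}
REAL_NGINX=${REAL_NGINX:-/path/to/real/nginx}
MOUNT_HELPER=${MOUNT_HELPER:-/usr/local/sbin/mount-user-storage}  # hypothetical

# Print the PUN owner taken from the "-c" argument, or return 1 if the
# path is outside PUN_CONF_DIR or the name is not a plain account name.
pun_user_from_args() {
  conf=''
  while [ "$#" -gt 0 ]; do
    if [ "$1" = "-c" ]; then conf=${2:-}; break; fi
    shift
  done
  case "$conf" in
    "$PUN_CONF_DIR"/*.conf) ;;
    *) return 1 ;;
  esac
  user=${conf#"$PUN_CONF_DIR"/}
  user=${user%.conf}
  # Assumed site policy: lowercase names, max 32 chars; rejects "/" and ".."
  case "$user" in
    ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
  esac
  [ "${#user}" -le 32 ] || return 1
  printf '%s\n' "$user"
}

# True only when no "-s" signal is passed, i.e. the PUN is being started.
is_pun_start() {
  for arg in "$@"; do
    if [ "$arg" = "-s" ]; then return 1; fi
  done
  return 0
}

main() {
  if is_pun_start "$@"; then
    user=$(pun_user_from_args "$@") || { echo "pun-wrapper: bad args" >&2; exit 1; }
    # Fail closed: a PUN without its storage should not start.
    "$MOUNT_HELPER" "$user" || { echo "pun-wrapper: mount failed" >&2; exit 1; }
  fi
  exec "$REAL_NGINX" "$@"
}

# nginx_stage always passes arguments; with none, do nothing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the wrapper runs with the privileges nginx_stage has when it launches the PUN, the username is taken only from a path under the expected directory and checked before it reaches the mount helper.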