Fix OIDC SCOPES (#180)

Co-authored-by: diegolamaral <diego.arruda.amaral@gmail.com>
2024-11-01 07:42:48 -01:00 · 2024-11-01 07:42:48 -01:00 · ce805b58a3
parent 2ec117ccbb
commit ce805b58a3
2 changed files with 17 additions and 2 deletions
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@ -97,11 +97,21 @@ set_up_oidc() {
                \"client_secret\": \"${OIDC_CLIENT_SECRET}\",
                \"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
                \"role_mapper\": ${OIDC_ROLES_MAPPING},
-                \"default_org\": \"${OIDC_DEFAULT_ORG}\",
-                \"scopes\": ${OIDC_SCOPES}
+                \"default_org\": \"${OIDC_DEFAULT_ORG}\"
            }
        }" > /dev/null

+        # Check if OIDC_SCOPES is set and not empty
+        if [[ -n "$OIDC_SCOPES" ]]; then
+            # Run the modify_config.php script to update OidcAuth configuration with the provided OIDC_SCOPES
+            # The 'scopes' field will only be added if OIDC_SCOPES has a value
+            sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+                \"OidcAuth\": {
+                    ${OIDC_SCOPES:+\"scopes\": \"${OIDC_SCOPES}\"}
+                }
+            }" > /dev/null
+        fi
+
        # Set the custom logout URL for OIDC if it is defined
        if [[ -n "${OIDC_LOGOUT_URL}" ]]; then
            sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.CustomAuth_custom_logout" "${OIDC_LOGOUT_URL}&post_logout_redirect_uri=${BASE_URL}/users/login"
@ -128,6 +138,10 @@ set_up_oidc() {
            }
        }" > /dev/null

+        # Remove the line containing 'scopes' => from config.php
+        # This prevents an empty scopes entry from being loaded in the configuration.
+        sudo -u www-data sed -i "/'scopes' =>/d" /var/www/MISP/app/Config/config.php
+
        # Use sed to remove the OidcAuth.Oidc entry from the 'auth' array in the config.php
        sudo -u www-data sed -i "/'auth' =>/,/)/ { /0 => 'OidcAuth.Oidc',/d; }" /var/www/MISP/app/Config/config.php

--- a/template.env
+++ b/template.env
@ -123,6 +123,7 @@ SYNCSERVERS_1_PULL_RULES=
 # OIDC_ROLES_MAPPING="{\"admin\": \"1\"}"
 # OIDC_DEFAULT_ORG=
 # OIDC_LOGOUT_URL=
+# OIDC_SCOPES=

 # Enable LDAP (using the ApacheSecureAuth component) authentication, according to https://github.com/MISP/MISP/issues/6189
 # NOTE: Once you enable LDAP authentication with the ApacheSecureAuth component,