Details

    • New Feature
    • Resolution: Unresolved
    • Major
    • None
    • None
    • Authentication
    • None

    Description

      See https://jira.observium.org/browse/OBS-4335

      We are migrating to remote auth (OIDC) for several security reasons (and to enable SSO).

      Authentication works fine, but for the authorisation part we would like to have fine-grained access: we want to assign user levels, roles, device or port permissions, ... for users provisioned after logging on, identically to how MySQL/RADIUS users are authenticated.

      Not sure what is needed, but a first step would be to allow for a user insertion after authentication (cf. RADIUS), and then allow the permissions to be fetched from it (see function radius_auth_user_level).

      We would use the SSO for customers as well, so a user level of 1 is needed with a role assigned to each set of customers/departments.

        Activity

          [OBS-5039] Allow remote auth user management
          landy Mike Stupalov made changes -
          Status Original: Pending Response [ 10000 ] New: In Review [ 10101 ]

          rendest Stef Renders added a comment -

          Hey Mike, I'll drop a message on Discord as well; I'm not sure if it was clear.
          landy Mike Stupalov made changes -
          Status Original: Open [ 1 ] New: Pending Response [ 10000 ]
          landy Mike Stupalov added a comment - - edited

          If you use RADIUS auth, can you tell me which auth method you use?

          Probably I can add RADIUS auth for PHP 8+, but without MS-CHAP v1/v2.

          This is unrelated to the initial question; I just see that you use it for RADIUS.

          rendest Stef Renders added a comment -

          It would also be nice to be able to get the user level or groups from a header as well.

          mod_auth_openidc, for example, would allow custom claims to be passed on in the form of a claim header. Either the user level with a transform, or a groups claim (like auth_radius_groups), which is more common.
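
          The groups-claim idea from the comment above, as an added example that is neither Observium nor mod_auth_openidc code. It assumes a claim named "groups" passed with `OIDCPassClaimsAs environment` under the default `OIDC_CLAIM_` prefix; the function name, group names and level mapping are hypothetical.

```php
<?php
// Added example, not Observium code. All names below are hypothetical.

// Constructed sample mapping from IdP group name to user level.
const GROUP_LEVELS = [
    'observium-admins'   => 10,
    'observium-readonly' => 5,
    'customer-acme'      => 1,
];

/**
 * Resolve a user level from the groups claim passed on by mod_auth_openidc.
 * Returns 0 (this example's "no access" value) when the claim is missing
 * or none of its groups is present in the mapping.
 */
function level_from_groups_claim(
    array $server,
    array $map,
    string $claimKey = 'OIDC_CLAIM_groups', // assumed claim name and prefix
    string $delimiter = ','                 // OIDCClaimDelimiter, "," by default
): int {
    $raw = $server[$claimKey] ?? '';
    if (!is_string($raw) || $raw === '') {
        return 0; // fail closed: no claim, no access
    }
    $level = 0;
    foreach (explode($delimiter, $raw) as $group) {
        $group = trim($group);
        // Exact, case-sensitive match only; unknown groups grant nothing.
        if (isset($map[$group])) {
            $level = max($level, (int) $map[$group]);
        }
    }
    return $level;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    ['OIDC_CLAIM_groups' => 'customer-acme'],
    ['OIDC_CLAIM_groups' => 'staff,observium-readonly,observium-admins'],
    ['OIDC_CLAIM_groups' => 'Observium-Admins'], // wrong case: no match
    [],                                          // claim absent
];
foreach ($samples as $s) {
    $shown = $s['OIDC_CLAIM_groups'] ?? '(no claim)';
    printf("%-45s => level %d\n", $shown, level_from_groups_claim($s, GROUP_LEVELS));
}
```

          A user in several mapped groups receives the highest matching level, so group membership at the identity provider becomes the effective access control and should be reviewed accordingly.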
          rendest Stef Renders created issue -

          People

            landy Mike Stupalov
            rendest Stef Renders