// Central claim mapper: a Saltcorn user -> OIDC claims, gated by granted scopes.
// This is the single place identity is rendered for relying parties; the LDAP
// and SAML renderers in later phases reuse the same group/identity source.
const groups = require("./groups");
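// Accept the consent-stored scope list either as the OIDC wire form (a
// whitespace-separated string) or as an array of scope names. Anything else
// (null, undefined, "") yields no scopes, so only `sub` is released.
const normalizeScopes = (grantedScopes) => {
  if (Array.isArray(grantedScopes)) {
    return grantedScopes.map((s) => String(s).trim()).filter(Boolean);
  }
  return String(grantedScopes || "").split(/\s+/).filter(Boolean);
};

/**
 * Render a Saltcorn user as the OIDC claims a relying party may see.
 * Only claims covered by a granted scope are emitted:
 *   email   -> email, email_verified
 *   profile -> name
 *   groups  -> groups (from groups.effectiveGroups)
 *
 * @param {object} user - Saltcorn user; reads email, verified_on, _attributes.name.
 * @param {string} sub - subject identifier issued to the relying party.
 * @param {string|string[]|null|undefined} grantedScopes - scopes granted at
 *   consent, as a whitespace-separated string or an array of scope names.
 * @returns {Promise<object>} claims object; always contains `sub`.
 */
const oidcClaims = async (user, sub, grantedScopes) => {
  const scopes = new Set(normalizeScopes(grantedScopes));
  const out = { sub };
  if (scopes.has("email")) {
    out.email = user.email;
    // Saltcorn records verification as a timestamp; absence means unverified.
    out.email_verified = Boolean(user.verified_on);
  }
  if (scopes.has("profile")) {
    // NOTE(review): the display name falls back to the email address even when
    // the `email` scope was NOT granted, so `profile` alone can reveal the
    // address — confirm this is intended for every relying party.
    out.name = (user._attributes && user._attributes.name) || user.email;
  }
  if (scopes.has("groups")) {
    out.groups = await groups.effectiveGroups(user);
  }
  return out;
};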
/**
 * SAML AttributeStatement values for a user: email plus effective groups.
 * `groups` is the effective-groups ARRAY (the renderer emits one
 * <saml:AttributeValue> per element, matching the OIDC/LDAP array form) and
 * comes from the same groups.effectiveGroups source that oidcClaims uses.
 *
 * @param {object} user - Saltcorn user; reads email.
 * @returns {Promise<{email: *, groups: *}>} attribute values for the renderer.
 */
const samlAttributes = async (user) => {
  const effectiveGroups = await groups.effectiveGroups(user);
  const { email } = user;
  return { email, groups: effectiveGroups };
};
// Public surface of the claim mapper: one renderer per protocol.
module.exports = { oidcClaims, samlAttributes };