feat(authz): introduce conditional access control via CEL (#4040)

2026-06-18 05:28:07 +08:00 · 2026-05-09 20:43:00 +01:00
parent ddb6279a25
commit 8a6674f198
15 changed files with 1636 additions and 85 deletions
@@ -602,24 +602,20 @@ func bearerAuthHandler(ctlr *Controller) mux.MiddlewareFunc {
 			}

 			// Try OIDC authentication first if configured
-			var identity string
-
-			var groups []string
-
 			if oidcAuthorizer != nil {
-				var err error
-
-				var authenticated bool
-
-				identity, groups, authenticated, err = oidcAuthorizer.AuthenticateRequest(request.Context(), header)
-				if err == nil && authenticated {
+				res, err := oidcAuthorizer.Authenticate(request.Context(), header)
+				if err == nil && res != nil && res.Username != "" {
 					// OIDC authentication succeeded
+					identity := res.Username
+					groups := res.Groups
+
 					ctlr.Log.Debug().Str("identity", identity).Msg("the OIDC bearer authentication was successful")

 					// Set user context for authorization
 					userAc := reqCtx.NewUserAccessControl()
 					userAc.SetUsername(identity)
 					userAc.AddGroups(groups)
+					userAc.SetClaims(res.Claims)
 					userAc.SaveOnRequest(request)

 					// Update user groups in MetaDB if available