
feat(auth): add Generic OIDC group-to-team mapping for SSO (#2120)#3695

Open
hughhennelly wants to merge 1 commit intoIBM:mainfrom
hughhennelly:feature/issue-2120-generic-oidc-group-mapping

Conversation

@hughhennelly

Related Issue

Closes #2120

Summary

Implements Generic OIDC group-to-team mapping for SSO authentication, following the pattern established by EntraID role mapping in PR #2129.

What's included:

  • Config Settings: 5 new SSO_GENERIC_* environment variables (groups_claim, admin_groups, role_mappings, default_role, sync_roles_on_login)

  • Bootstrap Support: Generic OIDC provider now includes provider_metadata with group mapping configuration

  • Group Extraction: Updated _normalize_user_info to extract groups from configurable claims for generic OIDC providers

  • Admin Group Mapping: Generic OIDC admin group support in _should_user_be_admin (case-insensitive matching)

  • Role Mapping: Generic OIDC support in _map_groups_to_roles with early exit when no mappings configured

  • Tests: 14 unit tests covering group extraction, admin assignment, role mapping, and sync opt-out

  • Existing Test Fix: Updated mock settings in test_sso_bootstrap.py to include new sso_generic_* attributes

Security

  • Default role is None — no automatic admin access for Generic OIDC users
  • Admin privileges only granted via explicit SSO_GENERIC_ADMIN_GROUPS configuration
  • sync_roles flag allows provider-level control over role synchronization

No migration needed

The provider_metadata column already exists from PR #2129.

All lint checks (black, isort, ruff, flake8, interrogate) pass.

Signed-off-by: hughhennnelly <hughhennelly06@gmail.com>
@crivetimihai crivetimihai added the enhancement New feature or request label Mar 20, 2026
@crivetimihai crivetimihai added this to the Release 1.0.0 milestone Mar 20, 2026
@crivetimihai crivetimihai added SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release security Improves security rbac Role-based Access Control labels Mar 20, 2026
@crivetimihai (Member) commented:

Thanks @hughhennelly. Solid implementation following the EntraID pattern from #2129. Good test coverage (14 tests). Two notes: (1) this PR modifies .gitignore and .gitlab-ci.yml — please check if those changes are intentional, (2) overlaps with #3719 and #3597 on OIDC group extraction — we'll coordinate merge order.

@lucarlig lucarlig (Collaborator) left a comment:

  1. In mcpgateway/services/sso_service.py, the new generic OIDC normalization path always includes email_verified: user_data.get("email_verified"). When the IdP omits that claim, it becomes None, and _is_email_verified_claim() treats the now-present non-truthy value as unverified. That means generic OIDC logins can be rejected for providers that do not send email_verified.

  2. The same generic normalization path reimplements group extraction and only accepts list-valued claims. The existing helper handled scalar strings too. If an IdP returns a single groups/roles string, group-derived admin promotion and RBAC mapping are silently skipped.

  3. .gitlab-ci.yml looks unrelated to this feature and should probably be dropped from the PR.

The new generic bootstrap/config wiring looks reasonable overall, but I’d fix the auth regressions and trim the unrelated CI file before merging.
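An added example, not code from the mcpgateway project or from either reviewer, showing how the normalization, admin-group and role-mapping steps described in the PR summary can be written so that they avoid the two regressions raised above: the `email_verified` key is only emitted when the IdP actually sent it, and the groups claim accepts a scalar string as well as a list. The `SETTINGS` dictionary, the function names (`extract_groups`, `normalize_user_info`, `resolve_login`, ...) and the sample claims are all constructed for this illustration and do not mirror the project's real settings object or API.

```python
"""Added example (not mcpgateway code): defensive generic-OIDC claim handling."""
from typing import Any, Optional

# Constructed stand-in for the SSO_GENERIC_* settings named in the PR summary.
SETTINGS: dict[str, Any] = {
    "sso_generic_groups_claim": "groups",
    "sso_generic_admin_groups": ["Platform-Admins"],
    "sso_generic_role_mappings": {"dev-team": "developer", "sec-team": "viewer"},
    "sso_generic_default_role": None,  # no automatic role for unmapped users
    "sso_generic_sync_roles_on_login": True,
}


def extract_groups(user_data: dict[str, Any], claim: str) -> list[str]:
    """Read the configured groups claim.

    Accepts a list of strings OR a single scalar string (review point 2);
    a missing claim or an unexpected type yields an empty list rather than
    raising, so a malformed token cannot crash the login path.
    """
    raw = user_data.get(claim)
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw.strip()] if raw.strip() else []
    if isinstance(raw, (list, tuple, set)):
        return [g.strip() for g in raw if isinstance(g, str) and g.strip()]
    return []


def normalize_user_info(user_data: dict[str, Any], settings: dict[str, Any]) -> dict[str, Any]:
    """Build the normalized profile; only carry email_verified through when present.

    Emitting ``user_data.get("email_verified")`` unconditionally turns an
    absent claim into an explicit None, which downstream reads as 'unverified'
    (review point 1). Copying the key only when the IdP sent it keeps
    'absent' and 'false' distinguishable.
    """
    info: dict[str, Any] = {
        "email": user_data.get("email"),
        "groups": extract_groups(user_data, settings["sso_generic_groups_claim"]),
    }
    if "email_verified" in user_data:
        info["email_verified"] = user_data["email_verified"]
    return info


def email_verified_ok(info: dict[str, Any]) -> bool:
    """Assumed policy for this example: an absent claim is not a rejection;
    a claim that is present must be truthy."""
    if "email_verified" not in info:
        return True
    return bool(info["email_verified"])


def should_user_be_admin(groups: list[str], settings: dict[str, Any]) -> bool:
    """Case-insensitive membership test against the explicit admin group list."""
    admin_groups = {g.casefold() for g in settings["sso_generic_admin_groups"] or []}
    return any(g.casefold() in admin_groups for g in groups)


def map_groups_to_roles(groups: list[str], settings: dict[str, Any]) -> list[str]:
    """Map groups to roles; early exit when nothing is configured."""
    mappings = settings["sso_generic_role_mappings"] or {}
    if not mappings:
        return []
    lowered = {k.casefold(): v for k, v in mappings.items()}
    roles: list[str] = []
    for g in groups:
        role = lowered.get(g.casefold())
        if role and role not in roles:
            roles.append(role)
    default: Optional[str] = settings["sso_generic_default_role"]
    if not roles and default:
        roles.append(default)
    return roles


def resolve_login(user_data: dict[str, Any], settings: dict[str, Any] = SETTINGS) -> dict[str, Any]:
    """Run the whole chain for one set of decoded claims and return the decision."""
    info = normalize_user_info(user_data, settings)
    if not email_verified_ok(info):
        return {"accepted": False, "reason": "email_verified is false", "admin": False, "roles": []}
    sync = bool(settings["sso_generic_sync_roles_on_login"])
    return {
        "accepted": True,
        "admin": should_user_be_admin(info["groups"], settings),
        "roles": map_groups_to_roles(info["groups"], settings) if sync else [],
        "groups": info["groups"],
    }
```

The unit tests the PR adds could assert the same three properties: a token with no `email_verified` claim is still accepted, a scalar `groups` string still drives admin promotion and role mapping, and an IdP that sends `email_verified: false` is rejected.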


Development

Successfully merging this pull request may close these issues.

[FEATURE][AUTH]: Generic OIDC group to team mapping for SSO
