Due to the ORY Kratos claims which has no group/groups, and as
discussed regarding mapping idp groups to Claims.Team which is string
type, Added idpGroup to kratos trait which is also string type. Both
Identity idpGroup and Claim.Team can be mapped without fail in mapper
config.
The following could be used as an optimisation when we are filtering
just by user, but decided to omit as of now.
```
usrs, err = dao.ListFilteredUsersWithGroup(ctx, s.db,
[]uuid.UUID{}, groupId, queryOptions.Q, queryOptions.Type,
queryOptions.OrderBy, queryOptions.Order,
int(queryOptions.Limit), int(queryOptions.Offset))
```
- Returns client secret on GET request, so that when UI made
modification to OIdC provider, it should be able to send back the
client secret to PUT request.
- Fix issuer url validation when udpate.
The idp_groups is list of groups IdP user belongs to that is returning
in the OIdC providers token response. The flow of Idp Group mapping is
as follows:
OIdC Provider (OP) return custom claim with groups in a token when
authentication event
|
The value of custom claim is mapped to `idp_groups` of identity
traint using JsonNet mapper.
|
On inserting/updating/deleting `identities` table, Postgresql
sends a pg_notification with
`PG_OPERATION,IDENTITY_ID,IDENTITY_TRAIN` as a payload.
|
The `pkg/service/user.UserService.UpdateIdpUserGroupPolicy` update
the casbin policies for each notification based on payload received.
When we soft delete oidc provider entry which we are doing for delete
provider API endpoint, we cannot create new oidc provider entry with a
same name due to unique constraint violation on name. Applying unique
constraint to name,trash will allow to create new oidc provider entry
with a same name, but fail on deleting that entry because it violates
unique constraint. Hence this commit adds unique constraint
to (id,name) combined.
