Tobias Gross-Vogt · 48af0bd8 · 48af0bd8 · 48af0bd8 · 48af0bd8 · 48af0bd8
--- a/composer.lock
+++ b/composer.lock
@@ -229,11 +229,11 @@
        },
        {
            "name": "dbp/relay-core-bundle",
-            "version": "v0.1.55",
+            "version": "v0.1.60",
            "source": {
                "type": "git",
                "url": "https://gitlab.tugraz.at/dbp/relay/dbp-relay-core-bundle",
-                "reference": "b1d1eaa5e9efc58a09e6176215c243041df168f3"
+                "reference": "93b24a94a428ac21c8ef0262ebea3c1bf7a7823d"
            },
            "require": {
                "api-platform/core": "^2.6.8 <2.7.0",
@@ -297,7 +297,7 @@
                "AGPL-3.0-or-later"
            ],
            "description": "The core bundle of the Relay API gateway",
-            "time": "2022-11-10T10:15:38+00:00"
+            "time": "2022-11-16T10:38:53+00:00"
        },
        {
            "name": "doctrine/annotations",
@@ -10416,5 +10416,5 @@
    "platform-overrides": {
        "php": "7.3"
    },
-    "plugin-api-version": "2.3.0"
+    "plugin-api-version": "2.2.0"
 }
--- a/src/DependencyInjection/Configuration.php
+++ b/src/DependencyInjection/Configuration.php
@@ -9,6 +9,10 @@ use Symfony\Component\Config\Definition\ConfigurationInterface;

 class Configuration implements ConfigurationInterface
 {
+    public const NAME_ATTRIBUTE = 'name';
+    public const SCOPE_ATTRIBUTE = 'scope';
+    public const ATTRIBUTES_ATTRIBUTE = 'authorization_attributes';
+
    public function getConfigTreeBuilder(): TreeBuilder
    {
        $treeBuilder = new TreeBuilder('dbp_relay_auth');
@@ -68,6 +72,15 @@ class Configuration implements ConfigurationInterface
                    ->info('The ID for the keycloak client (authorization code flow) used for API docs or similar')
                    ->example('client-docs')
                ->end()
+                ->arrayNode(self::ATTRIBUTES_ATTRIBUTE)
+                    ->info('The authorization attributes that are available for users and derived from OIDC token scopes')
+                    ->arrayPrototype()
+                        ->children()
+                            ->scalarNode(self::NAME_ATTRIBUTE)->end()
+                            ->scalarNode(self::SCOPE_ATTRIBUTE)->end()
+                        ->end()
+                    ->end()
+                ->end()
            ->end();

        return $treeBuilder;

--- a/src/DependencyInjection/DbpRelayAuthExtension.php
+++ b/src/DependencyInjection/DbpRelayAuthExtension.php
@@ -6,6 +6,7 @@ namespace Dbp\Relay\AuthBundle\DependencyInjection;

 use Dbp\Relay\AuthBundle\Authenticator\BearerUserProvider;
 use Dbp\Relay\AuthBundle\OIDC\OIDProvider;
+use Dbp\Relay\AuthBundle\Service\AuthorizationDataProvider;
 use Symfony\Component\Cache\Adapter\FilesystemAdapter;
 use Symfony\Component\Config\FileLocator;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
@@ -33,6 +34,9 @@ class DbpRelayAuthExtension extends ConfigurableExtension implements PrependExte
        $definition = $container->getDefinition(OIDProvider::class);
        $definition->addMethodCall('setConfig', [$mergedConfig]);
        $definition->addMethodCall('setCache', [$cacheDef]);
+
+        $definition = $container->getDefinition(AuthorizationDataProvider::class);
+        $definition->addMethodCall('setConfig', [$mergedConfig]);
    }

    public function prepend(ContainerBuilder $container)

--- a/src/Resources/config/services.yaml
+++ b/src/Resources/config/services.yaml
@@ -34,3 +34,8 @@ services:

  Dbp\Relay\AuthBundle\API\UserRolesInterface:
    '@Dbp\Relay\AuthBundle\Service\DefaultUserRoles'
+
+  Dbp\Relay\AuthBundle\Service\AuthorizationDataProvider:
+    autowire: true
+    autoconfigure: true
+
--- a/src/Service/AuthorizationDataProvider.php
+++ b/src/Service/AuthorizationDataProvider.php
+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\AuthBundle\Service;
+
+use Dbp\Relay\AuthBundle\DependencyInjection\Configuration;
+use Dbp\Relay\CoreBundle\Authorization\AuthorizationDataProviderInterface;
+
+class AuthorizationDataProvider implements AuthorizationDataProviderInterface
+{
+    /** @var string[] */
+    private $attributeToScopeMap;
+
+    /** @var OIDCUserSessionProvider */
+    private $userSessionProvider;
+
+    public function __construct(OIDCUserSessionProvider $userSessionProvider)
+    {
+        $this->attributeToScopeMap = [];
+        $this->userSessionProvider = $userSessionProvider;
+    }
+
+    public function setConfig(array $config)
+    {
+        $this->loadAttributeToScopeMapFromConfig($config[Configuration::ATTRIBUTES_ATTRIBUTE]);
+    }
+
+    public function getAvailableAttributes(): array
+    {
+        return array_keys($this->attributeToScopeMap);
+    }
+
+    public function getUserAttributes(string $userIdentifier): array
+    {
+        $userScopes = $this->userSessionProvider->getScopes();
+        $userAttributes = [];
+        foreach ($this->attributeToScopeMap as $attribute => $scope) {
+            $userAttributes[$attribute] = in_array($scope, $userScopes, true);
+        }
+
+        return $userAttributes;
+    }
+
+    private function loadAttributeToScopeMapFromConfig(array $attributes)
+    {
+        foreach ($attributes as $attribute) {
+            $this->attributeToScopeMap[$attribute[Configuration::NAME_ATTRIBUTE]] = $attribute[Configuration::SCOPE_ATTRIBUTE];
+        }
+    }
+}
--- a/src/Service/OIDCUserSessionProvider.php
+++ b/src/Service/OIDCUserSessionProvider.php
@@ -54,6 +54,11 @@ class OIDCUserSessionProvider implements OIDCUserSessionProviderInterface
        $this->jwt = $jwt;
    }

+    public function getScopes(): array
+    {
+        return Tools::extractScopes($this->jwt ?? []);
+    }
+
    public function getSessionLoggingId(): string
    {
        $unknown = 'unknown';