On a fresh Sentry 9.1.1 installation I understand that it’s necessary to create a local superuser first (with sentry createuser), then log in as them to finally enable (configure) our custom SSO Provider under Settings > Auth. Once that’s done, all users are automatically prompted to login via SSO. Ideally we wouldn’t even want to create a local superuser first, but if I understand well from @zeeg (Google Auth configuration with Sentry 9), that’s not possible:
Please correct me if I’m wrong!
Now, to my main questions. In the user data we get from our OAuth2 API, each user has a list of groups they belong to. We want to configure our custom SSO provider such that:
1. Unless a user belongs to some specific groups, they are denied access to Sentry.
2. If a user belongs to some specific groups, they are automatically given admin rights on Sentry.
1 seems to be easy. We have an instance of FetchUser in our Provider pipeline (same as sentry-auth-github) and in there (in handle) we check if the user belongs to at least one of the specified groups. If not, we return helper.error('Permission denied').
2 seems to be much less easy. All the creation and handling of users takes place in AuthHelper. Specifically handle_new_user to create new users and handle_new_membership to assign them a role (and so on for other cases, like confirming and merging and matching etc). In order for us to customise this process (for example, assign the admin role to selected users based on their groups, set our OAuth2 API-based username instead of uuid4().hex etc) we probably need to override the respective methods in AuthHelper, which is instantiated in auth_provider_login.py and gets passed into our Provider Pipeline via dispatch and then finally handle, which we override in our FetchUser (the one mentioned in 1). I can’t see a way to customise AuthHelper and include it in our custom SSO Provider, at least not by looking at the sentry-auth-github example.
Do you have any recommendations on how to do that? Or maybe there is another (better) way to achieve that?
Thank you for reading through and I hope it all makes sense.
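The two rules in the question (deny unless in a permitted group; admin if in an admin group) as a small, self-contained decision step. This is an added example, not code from the post, from Sentry or from sentry-auth-github: the `RecordingHelper` class and the `handle()` function only mimic the shape the post describes (a pipeline step that calls `helper.error(...)` on denial and otherwise continues), and the group names in `ALLOWED_GROUPS` / `ADMIN_GROUPS` are constructed placeholders. The point worth copying is that the check fails closed: a missing or malformed `groups` claim is treated as "no groups", never as "allowed".

```python
"""Group-based SSO access decision, modelled on the two rules in the post.

Added example, not Sentry's code: RecordingHelper and handle() only mimic
the shape described (a pipeline step that calls helper.error(...) on
denial); they are not Sentry's AuthHelper or AuthView.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed policy (placeholder group names, not from the post or Sentry):
# membership in any ALLOWED_GROUPS group is required to log in at all;
# membership in any ADMIN_GROUPS group additionally grants the admin role.
ALLOWED_GROUPS = frozenset({"engineering", "sre"})
ADMIN_GROUPS = frozenset({"sre"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    role: Optional[str]  # "admin" or "member" when allowed, None when denied
    reason: str


def normalize_groups(raw: Any) -> frozenset:
    """Accept only a list/tuple of strings; anything else counts as no groups.

    Failing closed here matters: a missing or malformed 'groups' claim must
    never be read as 'allowed'. Names are trimmed and lower-cased so that
    'Engineering ' and 'engineering' compare equal.
    """
    if not isinstance(raw, (list, tuple)):
        return frozenset()
    return frozenset(g.strip().lower() for g in raw if isinstance(g, str) and g.strip())


def decide(identity: Dict[str, Any]) -> Decision:
    """Rule 1: deny unless in an allowed group. Rule 2: admin if in an admin group."""
    groups = normalize_groups(identity.get("groups"))
    if not groups & ALLOWED_GROUPS:
        return Decision(False, None, "Permission denied")
    if groups & ADMIN_GROUPS:
        return Decision(True, "admin", "admin group membership")
    return Decision(True, "member", "allowed group membership")


class RecordingHelper:
    """Stand-in for the pipeline helper: records state and error calls."""

    def __init__(self) -> None:
        self.state: Dict[str, Any] = {}
        self.errors: List[str] = []

    def bind_state(self, key: str, value: Any) -> None:
        self.state[key] = value

    def error(self, message: str) -> str:
        self.errors.append(message)
        return "error:" + message

    def next_step(self) -> str:
        return "next"


def handle(helper: RecordingHelper, identity: Dict[str, Any]) -> str:
    """Pipeline step in the shape the post describes for the FetchUser check.

    'identity' is the user record returned by the OAuth2 API (constructed
    sample input in the tests below).
    """
    decision = decide(identity)
    if not decision.allowed:
        return helper.error(decision.reason)
    # Keep the derived role next to the identity so a later step that creates
    # the user or membership can apply it without re-deriving it.
    helper.bind_state("user", identity)
    helper.bind_state("role", decision.role)
    return helper.next_step()
```

Deriving the role here and carrying it in pipeline state is what lets a later user-creation step consume it; the decision itself stays a pure function of the identity record, which makes it easy to unit-test against the OAuth2 API's actual payloads.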