How can I customize the creation/handling of (new) users through my SSO provider?

Hello,

Starting off with the documentation and the sentry-auth-github example, we've built our custom SSO provider that works with our custom OAuth2 server.

On a fresh Sentry 9.1.1 installation I understand that it’s necessary to create a local superuser first (with sentry createuser), then log in as them to finally enable (configure) our custom SSO Provider under Settings > Auth. Once that’s done, all users are automatically prompted to login via SSO. Ideally we wouldn’t even want to create a local superuser first, but if I understand well from @zeeg (Google Auth configuration with Sentry 9 - #7 by zeeg), that’s not possible:

Please correct me if I’m wrong!

Now, to my main questions. In the user data we get from our OAuth2 API, each user has a list of groups they belong to. We want to configure our custom SSO provider such that:

  1. Unless a user belongs to some specific groups, they are denied access to Sentry.
  2. If a user belongs to some specific groups, they are automatically given admin rights on Sentry.

1 seems to be easy. We have an instance of FetchUser in our Provider pipeline (same as sentry-auth-github) and in there (in handle) we check if the user belongs to at least one of the specified groups. If not we return helper.error('Permission denied').

2 seems to be much less easy. All the creation and handling of users takes place in AuthHelper. Specifically, handle_new_user creates new users and handle_new_membership assigns them a role (and so on for other cases, like confirming, merging, matching etc.). In order for us to customise this process (for example, assign the admin role to selected users based on their groups, set our OAuth2 API-based username instead of uuid4().hex etc.) we probably need to override the respective methods in AuthHelper. AuthHelper is instantiated in auth_provider_login.py and gets passed into our Provider Pipeline via current_step, then dispatch and then finally handle, which we override in our FetchUser (the one mentioned in 1). I can't see a way to customise AuthHelper and include it in our custom SSO Provider, at least not by looking at the sentry-auth-github example.

Do you have any recommendations on how to do that? Or maybe there is another (better) way to achieve that?

Thank you for reading through and I hope it all makes sense :slight_smile:

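A sketch of the group policy behind point 1 and the role decision behind point 2, added here as an example; it is not code from the post, from Sentry or from sentry-auth-github. The group names, the `RecordingHelper` class and the `fetch_state`/`bind_state`/`next_step` calls on it are assumptions about how a pipeline step carries data forward, chosen so the policy runs offline.

```python
# Added example, not code from the post or from Sentry/sentry-auth-github: a
# deny-by-default group policy for a FetchUser-style pipeline step. The helper
# class below is a constructed stand-in for Sentry's AuthHelper so it runs offline.

# Groups that grant access at all, and the subset that should become admins.
ALLOWED_GROUPS = frozenset({"engineering", "sre", "security"})
ADMIN_GROUPS = frozenset({"sre", "security"})


def decide_access(groups, allowed=ALLOWED_GROUPS, admins=ADMIN_GROUPS):
    """Return (granted, role): deny unless `groups` overlaps `allowed`; any
    overlap with `admins` beats 'member'. Names are normalised before comparing."""
    normalised = {str(g).strip().lower() for g in (groups or ())}
    if not normalised & allowed:
        return False, None
    return True, ("admin" if normalised & admins else "member")


class FetchUser:  # a real provider would subclass sentry.auth.view.AuthView
    """Step in the shape the post describes: reject early, else bind the role."""

    def handle(self, request, helper):
        # Assumption: an earlier step stored the OAuth2 userinfo under "data".
        user_data = helper.fetch_state("data") or {}
        granted, role = decide_access(user_data.get("groups"))
        if not granted:
            return helper.error("Permission denied")
        helper.bind_state("role", role)  # available to later steps via fetch_state
        return helper.next_step()


class RecordingHelper:
    """Constructed stand-in for Sentry's AuthHelper (offline runs only)."""

    def __init__(self, data):
        self.state, self.errors = {"data": data}, []

    def fetch_state(self, key):
        return self.state.get(key)

    def bind_state(self, key, value):
        self.state[key] = value

    def error(self, message):
        self.errors.append(message)
        return "denied"

    def next_step(self):
        return "next"
```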

Does anyone have pointers on how to achieve this? Or maybe a confirmation that it is not possible (shhh! everything is possible!)? Thanks!